Problem
I am busy creating a basic PHP mailer script that posts to _self and emails to an address.
Is the script secure?
How can I avoid someone clicking on submit the whole time to spam the mailbox, with minimal extra code?
<?php
// Strip common mail header names from a field, then remove any HTML tags.
function remove_headers($string) {
    $headers = array(
        "/to:/i",
        "/from:/i",
        "/bcc:/i",
        "/cc:/i",
        "/Content-Transfer-Encoding:/i",
        "/Content-Type:/i",
        "/Mime-Version:/i"
    );
    $string = preg_replace($headers, '', $string);
    return strip_tags($string);
}

$to = "email@tosendto.com";
$subject = "Sent from site";

// Read the fields and send only once the form has actually been submitted;
// reading $_POST on a plain GET request raises undefined-index notices.
if (isset($_POST['submit'])) {
    $uname    = remove_headers(isset($_POST['fname'])    ? $_POST['fname']    : '');
    $uemail   = remove_headers(isset($_POST['femail'])   ? $_POST['femail']   : '');
    $umessage = remove_headers(isset($_POST['fmessage']) ? $_POST['fmessage'] : '');
    $umessage = "Name : " . $uname . " Email : " . $uemail . " Message : " . $umessage;
    mail($to, $subject, $umessage, "From: page@website.com");
}
?>
<div id="mailer">
    <h1>Message</h1>
    <form name="test" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
        <p>Your Name:</p>
        <input type="text" size="20" name="fname"><br><br>
        <p>Your Email:</p>
        <input type="text" size="20" name="femail"><br><br>
        <p>Your Message:</p>
        <textarea name="fmessage" rows="4" cols="20"></textarea><br><br>
        <input type="submit" name="submit" value="Send Message">
    </form>
    <?php if (isset($_POST['submit'])) {
        echo "<p>Sent. We will be in contact shortly.</p>";
    } ?>
</div>
Solution
You're using the email sanitize filter on each field; you need to use FILTER_SANITIZE_STRING for the name and FILTER_SANITIZE_FULL_SPECIAL_CHARS for the message field.
Sanitizing is not the same as validating…
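The following is an added example, not the asker's or answerer's code, showing the two points raised on this page: validate-and-reject instead of sanitize-and-mutate (so a newline in a header-bound field is refused, not patched over), plus a minimal per-session throttle against repeated submits. It assumes PHP 7.0 or later with sessions available; $to, $subject and the From address are placeholders carried over from the question.

```php
<?php
// Added example (not from the original post). Assumes PHP 7+ and sessions.
session_start();

$to      = "email@tosendto.com";   // placeholder recipient, as in the question
$subject = "Sent from site";

// Validate rather than sanitize: a field that fails is refused outright,
// so nothing that reaches mail() has been silently rewritten.
function valid_name(string $s): bool {
    // No CR/LF anywhere: a newline in a header-bound value is header injection.
    return $s !== '' && strlen($s) <= 100 && !preg_match('/[\r\n]/', $s);
}
function valid_email(string $s): bool {
    // FILTER_VALIDATE_EMAIL also rejects CR/LF, so the value is safe in Reply-To.
    return strlen($s) <= 254 && filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}
function valid_message(string $s): bool {
    return $s !== '' && strlen($s) <= 4000;
}

// Minimal throttle: refuse a second send from the same session within $window seconds.
function rate_limited(int $now, int $window = 60): bool {
    return isset($_SESSION['last_send']) && ($now - $_SESSION['last_send']) < $window;
}

$errors = [];
if (isset($_POST['submit'])) {
    $uname    = trim($_POST['fname'] ?? '');
    $uemail   = trim($_POST['femail'] ?? '');
    $umessage = $_POST['fmessage'] ?? '';

    if (!valid_name($uname))       { $errors[] = 'Name is missing or malformed.'; }
    if (!valid_email($uemail))     { $errors[] = 'Email address is not valid.'; }
    if (!valid_message($umessage)) { $errors[] = 'Message is empty or too long.'; }
    if (rate_limited(time()))      { $errors[] = 'Please wait a minute before sending again.'; }

    if (!$errors) {
        // The visitor's address goes into the body and Reply-To only after
        // validation; the From header stays a fixed address of the site.
        $body    = "Name: $uname\nEmail: $uemail\nMessage:\n$umessage";
        $headers = "From: page@website.com\r\nReply-To: $uemail";
        mail($to, $subject, $body, $headers);
        $_SESSION['last_send'] = time();
    }
}
// When rendering the form, print each entry of $errors through htmlspecialchars().
```

The session throttle only slows down a single browser session; a per-IP counter or a CAPTCHA is the next step if the form draws automated traffic.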