PHP emailer script help

jimmy77611

New Member
I'm a total newbie, and trying to learn PHP. I found this form mail script in a book that I'm reading, and I'm wondering if it is secure enough to use without getting any email injections or other issues for a contact form on a site.

I downloaded it from the book's website that has additional content. It has some notes that would indicate that it has at least some form of spam protection, but I'd like to make sure I don't need to modify or add anything.

Here's the script:

<?php
//This is a very simple PHP script that outputs the name of each bit of information (that corresponds to the name attribute for that field) along with the value that was sent with it right in the browser window, and then sends it all to an email address (once you've added it to the script).

if (empty($_POST)) {
    print "<p>No data was submitted.</p>";
    print "</body></html>";
    exit();
}

//Creates function that removes magic escaping, if it's been applied, from values and then removes extra newlines and returns to foil spammers. Thanks Larry Ullman!
function clear_user_input($value) {
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    $value = str_replace("\n", '', trim($value));
    $value = str_replace("\r", '', $value);
    return $value;
}

//Blank out the placeholder text of the comments field if it was left untouched
if ($_POST['comments'] == 'Please share any comments you have here') $_POST['comments'] = '';

//Create body of message by cleaning each field and then appending each name and value to it
$body = "Here is the data that was submitted:\n";

foreach ($_POST as $key => $value) {
    $key = clear_user_input($key);
    $value = clear_user_input($value);
    if ($key == 'extras') {
        if (is_array($_POST['extras'])) {
            $body .= "$key: ";
            $counter = 1;
            foreach ($_POST['extras'] as $value) {
                //Add comma and space until last element
                if (sizeof($_POST['extras']) == $counter) {
                    $body .= "$value\n";
                    break;
                } else {
                    $body .= "$value, ";
                    $counter += 1;
                }
            }
        } else {
            $body .= "$key: $value\n";
        }
    } else {
        $body .= "$key: $value\n";
    }
}

//Turns each posted field into a variable of the same name ($email, $name, ...)
extract($_POST);
//removes newlines and returns from $email and $name so they can't smuggle extra email addresses for spammers
$email = clear_user_input($email);
$name = clear_user_input($name);

//Create header that puts email in From box along with name in parentheses and sends bcc to alternate address
$from = 'From: ' . $email . "(" . $name . ")" . "\r\n" . 'Bcc: [email protected]' . "\r\n";

//Creates intelligible subject line that also shows me where it came from
$subject = 'Bed Order from Web Site';

//Sends mail to me, with elements created above
mail('[email protected]', $subject, $body, $from);
?>
 
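A stricter way to build the From/Bcc headers from the posted fields, added here as an illustration and not code from the book or from either poster; the helper names, the placeholder sender address and the sample submissions are assumptions:

```php
<?php
// Added example, not the book's script: build the mail headers from the
// posted name and e-mail address only after checking them. Helper names,
// the placeholder sender address and the sample inputs are assumptions.

// A CR or LF in a submitted field is what lets a visitor append extra
// headers (Bcc:, Cc:) to the message; reject such values outright
// instead of silently stripping the characters.
function has_header_injection($value)
{
    return !is_string($value) || preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns the headers for mail(), or null when the input must not be used.
// Fields are read from the array explicitly rather than via extract(),
// so a posted field named "body" or "subject" cannot overwrite a variable.
function build_headers(array $post, $bcc)
{
    $email = isset($post['email']) ? $post['email'] : '';
    $name  = isset($post['name'])  ? trim($post['name']) : '';

    if (has_header_injection($email) || has_header_injection($name)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quotes and backslashes would break the quoted display name.
    $name = str_replace(array('"', '\\'), '', $name);

    // Send From an address on the site's own domain (placeholder below)
    // and keep the visitor's address in Reply-To, so a reply still goes
    // to them without the message pretending to originate at their domain.
    return "From: Web form <forms@example.com>\r\n"
         . "Reply-To: \"$name\" <$email>\r\n"
         . "Bcc: $bcc\r\n";
}

// Constructed sample submissions: one normal, one carrying a smuggled header.
$normal  = array('name' => 'Jane Doe', 'email' => 'jane@example.org');
$smuggle = array('name' => 'Jane', 'email' => "jane@example.org\r\nBcc: other@example.net");

foreach (array('normal' => $normal, 'smuggle' => $smuggle) as $label => $post) {
    $headers = build_headers($post, 'copy@example.com');
    echo $label, ': ', ($headers === null ? 'rejected' : 'accepted'), "\n";
}
```

Rejecting a submission that contains line breaks, rather than stripping them, also gives you something to log and count, which is the easiest way to notice a form being probed.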

websonalized

New Member
All looks fine in terms of just sending an email with the input to yourself, but if you're storing it in a DB then you could use the mysql_real_escape_string() function:

function clear_user_input($value) {
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    $value = mysql_real_escape_string($value);
    $value = str_replace("\n", '', trim($value));
    $value = str_replace("\r", '', $value);
    return $value;
}