
What else is needed to:

  1. make this php script send an auto-response back?

  2. sanitize and check the phone number and email so that they are not junk? With my current formmail from dbmasters I get junk like dasawewdjz89)$%&*_sasa779%7fmsdls in almost every field, including the input areas.

  3. It is mentioned to take out the bcc and cc code, yet I had code to send to a different recipient based on the state, so is there a way to keep the bcc and cc fields too without compromising security?

Maybe this is 3 questions in 1, but this is essentially building upon the answer here:
Replacing deprecated eregi() with stristr(). Is this php mail script secure from header injections?, since it is a deprecated form and I get error logs each day now.

I believe I only need validation on input fields NOT select or radio fields, right?

I am an HTML/CSS guy, so would this actual code go into the php page or as a separate contact.php page?

EDIT: For some reason I cannot post the script here with the code given (like in other forums), so I made a link to it in BOLD: Validate without Javascript


2 Answers


To answer your questions:

Question 1: Don't quite understand what you mean here. Once you are in your script you can send output to the screen, generate an email, etc. This question is very vague.

Question 2: You can use regular expressions to validate various pieces of information. For example this will check a phone number in the format of XXX-XXX-XXXX and tell you if it is valid.

<?php
// Accepts only the exact layout XXX-XXX-XXXX (three digits, dash,
// three digits, dash, four digits); anything else is rejected.
function validatePhone($number)
{
    $test = "/^\d{3}-\d{3}-\d{4}$/";
    return (preg_match($test, $number) != 0) ? true : false;
}

var_dump(validatePhone("815-555-1234"));
var_dump(validatePhone("8158791359"));
var_dump(validatePhone("blah blah 209#&$#)(@#1;llkajsdf"));

This will produce:

bool(true)
bool(false)
bool(false)

Keep in mind this function is far from robust. Valid phone numbers in different formats will fail (e.g. 815 555-8846), so you will need to adjust the regexp or craft multiple regexps to meet your needs. But that should be enough to illustrate the process.

Question 3: For email, I don't really see how the BCC and CC fields are going to compromise security. What you need to focus on in that area is preventing email header injections.

Crackertastic
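As an added example (not part of Crackertastic's answer), here is a phone check that accepts the other layouts the answer mentions, such as 815 555-8846, by reducing the input to digits before matching, together with an email check using PHP's built-in filter. The normalisation step, the function names and the sample inputs are my own; the constructed junk string is the kind of input the question describes.

```php
<?php
// Added example: normalise a phone number to digits, then validate the
// digit string; validate an email address with filter_var.

function normalizePhone(string $raw): ?string
{
    // Drop everything that is not a digit, so dashes, spaces and
    // parentheses no longer matter; tolerate a leading "1" country code.
    $digits = preg_replace('/\D+/', '', $raw);
    if (strlen($digits) === 11 && $digits[0] === '1') {
        $digits = substr($digits, 1);
    }
    // North American numbers: 10 digits, and neither the area code
    // nor the exchange may start with 0 or 1.
    if (!preg_match('/^[2-9]\d{2}[2-9]\d{6}$/', $digits)) {
        return null;
    }
    return $digits;
}

function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    // filter_var applies the syntax rules for an address; the CR/LF test
    // additionally refuses anything that could carry extra mail headers.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        return null;
    }
    return $email;
}

// Constructed sample inputs: several valid layouts plus the junk
// the question complains about.
$samples = [
    '815-555-1234',
    '815 555-8846',
    '(815) 555 8846',
    '1-815-555-8846',
    '8158791359',
    'dasawewdjz89)$%&*_sasa779%7fmsdls',
];
foreach ($samples as $s) {
    echo str_pad($s, 36) . ' => ';
    var_dump(normalizePhone($s));
}

var_dump(validateEmail('someone@example.com'));
var_dump(validateEmail("someone@example.com\r\nBcc: other@example.net"));
```

Unlike the answer's regex, this accepts a bare ten-digit string because the layout is discarded before the check; if you want to store a canonical form, keep the returned digit string rather than the raw input.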

Spammers have recently been using mail header injection to send spam e-mail from contact forms that have in the past been viewed as secure.

If you are a webmaster you can edit your forms to ensure they are secure and safe from spammers.

Anyway, I have several websites that all use a common contact form. Every contact form posts to the same script.

This is how I defend against header injections. (I typically use this script as an include file)

This script requires your html form to use action="post". Make sure this is only used on the script that the html form will be posted to. If you use this script on a regular page request, it will die().

More error checking should be done when testing posted values for bad strings. Possibly a regular expression.

<?php 
// First, make sure the form was posted from a browser. 
// For basic web-forms, we don't care about anything 
// other than requests from a browser: 
if(!isset($_SERVER['HTTP_USER_AGENT'])){ 
   die("Forbidden - You are not authorized to view this page"); 
} 

// Make sure the form was indeed POST'ed: 
//  (requires your html form to use: method="post") 
// The original test, !$_SERVER['REQUEST_METHOD'] == "POST", never fired 
// because "!" is applied before "==", so it compared false against "POST". 
if($_SERVER['REQUEST_METHOD'] != "POST"){ 
   die("Forbidden - You are not authorized to view this page"); 
} 

// The original script calls logBadRequest() without defining it; 
// this version records the rejected request in the web server error log. 
function logBadRequest(){ 
   $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'; 
   error_log("Contact form: rejected request from " . $ip); 
} 

// Host names from where the form is authorized 
// to be posted from: 
$authHosts = array("domain.com", "domain2.com", "domain3.com"); 

// Where have we been posted from? The Referer header is supplied by the 
// client and can be omitted or forged, so this is a spam filter rather 
// than proof of origin. A missing or unparsable Referer is rejected here 
// instead of producing a PHP notice further down. 
$referer = isset($_SERVER['HTTP_REFERER']) ? strtolower($_SERVER['HTTP_REFERER']) : ''; 
$fromArray = parse_url($referer); 
if($fromArray === false || !isset($fromArray['host'])){ 
   logBadRequest(); 
   header("HTTP/1.0 403 Forbidden"); 
   exit; 
} 

// Test to see if the $fromArray used www to get here. 
$wwwUsed = strpos($fromArray['host'], "www."); 

// Make sure the form was posted from an approved host name 
// (the "www." label is stripped before comparing). 
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){ 
   logBadRequest(); 
   header("HTTP/1.0 403 Forbidden"); 
   exit; 
} 

// Attempt to defend against header injections: 
$badStrings = array("Content-Type:", 
                     "MIME-Version:", 
                     "Content-Transfer-Encoding:", 
                     "bcc:", 
                     "cc:"); 

// Loop through each POST'ed value and test if it contains 
// one of the $badStrings. Multi-value fields (checkbox groups, 
// multi-selects) arrive as arrays, so flatten them first; the 
// comparison is case-insensitive because mail header names are. 
foreach($_POST as $k => $v){ 
   if(is_array($v)){ 
       $v = implode("\n", $v); 
   } 
   foreach($badStrings as $v2){ 
       if(stripos($v, $v2) !== false){ 
           logBadRequest(); 
           header("HTTP/1.0 403 Forbidden"); 
           exit; 
       } 
   } 
} 

// Made it past spammer test, free up some memory 
// and continue rest of script: 
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed, $referer); 
?>
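As an added example that is not part of this answer's script, here is how the rest of the handler can be written once the checks above have passed, covering the three points the question raises: a per-field newline test (a bare CR/LF is what turns a form value into an extra header, whichever header name follows it), recipient selection by state from a list that lives in the script, and a BCC the form never controls. The addresses, field names and function names are placeholders I chose; the two requests at the bottom are constructed.

```php
<?php
// Added example: assemble the mail only from validated, single-line values.

// Recipient per state is decided server-side, so the visitor never
// supplies an address (constructed placeholder addresses).
const STATE_RECIPIENTS = [
    'IL' => 'illinois@example.com',
    'WI' => 'wisconsin@example.com',
];
const DEFAULT_RECIPIENT = 'sales@example.com';

// Anything copied into a header must fit on one line. The %0A/%0D test
// also catches URL-encoded newlines that a later decoder might expand.
function headerSafe(string $value): bool
{
    return preg_match('/[\r\n]|%0[aAdD]/', $value) === 0;
}

function recipientFor(string $state): string
{
    $state = strtoupper(trim($state));
    return STATE_RECIPIENTS[$state] ?? DEFAULT_RECIPIENT;
}

// Returns the pieces for mail(), or null when a header-bound field fails.
function buildMessage(array $post): ?array
{
    $name  = trim($post['name']  ?? '');
    $email = trim($post['email'] ?? '');
    $body  = $post['message'] ?? '';

    if (!headerSafe($name) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;   // caller logs it and answers 403, as the script above does
    }

    // From is a fixed address; the visitor's address only goes into
    // Reply-To after validation. CC/BCC are chosen here, not by the form.
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Bcc: archive@example.com\r\n";

    return [
        'to'      => recipientFor($post['state'] ?? ''),
        'subject' => 'Website contact form',
        'body'    => "From: " . $name . "\n\n" . $body,
        'headers' => $headers,
    ];
}

// Constructed requests: one clean submission and one carrying a newline
// in the name field.
$clean = ['name' => 'Jane', 'email' => 'jane@example.org',
          'state' => 'wi', 'message' => 'Hello'];
$bad   = ['name' => "Jane\r\nBcc: someone@example.net", 'email' => 'jane@example.org',
          'state' => 'IL', 'message' => 'Hello'];

var_dump(buildMessage($clean));
var_dump(buildMessage($bad));

// With a non-null result the send is:
//   mail($m['to'], $m['subject'], $m['body'], $m['headers']);
```

The message body is not header-bound, so it is left as typed; only values that end up in a header line go through headerSafe(). Keeping the state-to-recipient map in code is what lets you keep routing without ever reading a CC or BCC address from the POST data.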