I have a virtual (free) airline site, and behind the password-protected areas I can use a PHP script that I cannot use in my public areas/pages, as in the past it was subject to injection and hijacking of my forms/script. My host just ceased support for formail as it is an old script. They recommended a service called formspree, which I started using, but then it stopped working and they are not answering support requests.
All I need is an example/answer that will allow a site visitor to send me an email by filling out the form, or to join our virtual airline by doing the same. Here is what I have:
The code for my contact form is as follows:
<table WIDTH="1166" BORDER="0" CELLPADDING="0" CELLSPACING="0">
  <tr BGCOLOR="#0033CC">
    <th height="111" align="left" valign="top" bgcolor="#FFFFFF" scope="row">
      <form action="contact.php" method="POST">
        <input type="hidden" name="recipient" value="contact us"/>
        <input type="hidden" name="subject" value="Results From Contact Form"/>
        <p align="center">
          <span class="arial">Pilot ID#: <input name="pilot_id" type="text"/><br/>
          Full Name: <input name="name" type="text" size="50"/><br/>
          E-mail: <input name="email" type="text" size="30"/><br/>
          Confirm E-mail:
          </span>
          <input name="confirm_email" type="text" size="30"/>
        </p>
        <p align="center"><span class="arial">Submit questions or comments</span><br/>
          <textarea name="textarea" cols="50" rows="5"></textarea></p>
        <p align="center">
          <input type="submit" name="Submit" value="Submit"/>
          <input type="reset" name="Reset" value="Reset"/><br/>
        </p>
      </form>
    </th>
  </tr>
</table>
The contents of the contact.php is as follows:
<?php
//-------------------------- Set these parameters --------------------------
// Subject of the email sent to you.
$subject = 'Results from Contact form';
// Your email address. This is where the form information will be sent.
$emailadd = 'here@ismyemailaddress.com';
// Where to redirect after the form is processed.
$url = 'http://www.mywebsitename.com/contactsuccess.html';
// Makes all fields required. If set to '1' no field can be empty. If set to '0' any or all fields can be empty.
$req = '0';
// -------------------------- Do not edit below this line ------------------------
$text = "Results from form:\n\n";
$space = ' ';
$line = "\n";
// Every POSTed field is copied into the message body, one field per line.
foreach ($_POST as $key => $value) {
    if ($req == '1') {
        if ($value == '') {
            echo htmlspecialchars($key) . " is empty";
            die;
        }
    }
    $j = strlen($key);
    if ($j >= 20) {
        echo "Name of form element " . htmlspecialchars($key) . " cannot be longer than 20 characters";
        die;
    }
    // Pad the field name out to 20 characters so the values line up.
    $j = 20 - $j;
    for ($i = 1; $i <= $j; $i++) {
        $space .= ' ';
    }
    // Replaces the literal two-character sequence \n (backslash, n) with a real newline.
    $value = str_replace('\n', $line, $value);
    $conc = "{$key}:$space{$value}$line";
    $text .= $conc;
    $space = ' ';
}
// The From header is fixed to your own address; nothing from the form is placed in the headers.
mail($emailadd, $subject, $text, 'From: ' . $emailadd);
echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL=' . $url . '">';
?>
This works great and sends email as it should. However, as previously mentioned, it has been subject to email injection in the past. I looked up in my provider's wiki how to protect this simple script from injection, and they suggested adding the following, which has not worked for me; I keep getting the error message that I can't access it directly:
<?php
// The submit button in the form is named "Submit" (capital S), so the check
// must look for $_POST['Submit']; checking 'submit' always fails and produces
// the "accessing this page directly" error.
if (!isset($_POST['Submit'])) {
    echo "<h1>Error</h1>\n<p>Accessing this page directly is not allowed.</p>";
    exit;
}
// Pull the values from the form fields (name, email, textarea) before testing them.
$name     = isset($_POST['name']) ? $_POST['name'] : '';
$email    = isset($_POST['email']) ? $_POST['email'] : '';
$comments = isset($_POST['textarea']) ? $_POST['textarea'] : '';
// Strip carriage returns and line feeds from the address so it cannot add extra header lines.
$email = preg_replace("/[\r\n]/", "", $email);
// Reject any value that contains header-like keywords.
$find = "/(content-type|bcc:|cc:)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $comments)) {
    echo "<h1>Error</h1>\n<p>No meta/header injections, please.</p>";
    exit;
}
?>
So I clearly do not know how to add this to the top of the script as they said, or it is simply not working; all I get is the error message about accessing the page directly.
I'm not at liberty to install packages to use PHP form-mailing programs and need to make this as simple and as secure as possible. I would love to make it so that no one can access the PHP code as well, so no one can harvest the email address from it either, if possible.
Can somebody explain how to do this in layman's terms?
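As an added example (not the asker's script, and not the host's wiki snippet), below is a hardened contact.php that keeps the field names used by the form above (pilot_id, name, email, confirm_email, textarea, and the Submit button). The recipient address and redirect URL are placeholders. The main ideas: only named fields are copied into the message, so extra POST keys are ignored; the visitor's address is validated with filter_var, which rejects anything containing a line break; and every mail header is built from your own fixed values, with the visitor's address only going into Reply-To after validation, so there is no path from form input into the headers. Because PHP source is executed on the server and never sent to the browser, the address in the file is not visible to visitors.

```php
<?php
// Added example: hardened contact form handler. Not the original post's code.
// Placeholder settings; replace with your real values.
$emailadd = 'placeholder@example.com';                       // where the message goes
$subject  = 'Results from Contact form';                     // fixed, never taken from the form
$url      = 'https://www.example.com/contactsuccess.html';   // redirect after success

// Only the fields listed here are read from $_POST; the label is used in the message body.
$fields = array(
    'pilot_id'      => 'Pilot ID#',
    'name'          => 'Full Name',
    'email'         => 'E-mail',
    'confirm_email' => 'Confirm E-mail',
    'textarea'      => 'Comments',
);

// Remove CR/LF (and NUL) from single-line values; multi-line values keep newlines
// but are still limited in length so the message cannot be used as a relay.
function clean_value($value, $multiline, $maxlen)
{
    $value = str_replace("\0", '', (string) $value);
    if (!$multiline) {
        $value = str_replace(array("\r", "\n"), '', $value);
    }
    return substr(trim($value), 0, $maxlen);
}

// Returns an array of problems; empty array means the submission is acceptable.
function validate_submission(array $post)
{
    $errors = array();
    $email   = clean_value(isset($post['email']) ? $post['email'] : '', false, 254);
    $confirm = clean_value(isset($post['confirm_email']) ? $post['confirm_email'] : '', false, 254);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    } elseif ($email !== $confirm) {
        $errors[] = 'The two e-mail addresses do not match.';
    }
    if (clean_value(isset($post['textarea']) ? $post['textarea'] : '', true, 4000) === '') {
        $errors[] = 'Please enter a question or comment.';
    }
    return $errors;
}

function show_error($message)
{
    http_response_code(400);
    echo '<h1>Error</h1><p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
    exit;
}

// The form's button is named "Submit"; require a POST that includes it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['Submit'])) {
    show_error('Accessing this page directly is not allowed.');
}

$errors = validate_submission($_POST);
if ($errors) {
    show_error(implode(' ', $errors));
}

// Build the message body from the whitelisted fields only.
$body = "Results from form:\n\n";
foreach ($fields as $key => $label) {
    $multiline = ($key === 'textarea');
    $value = clean_value(isset($_POST[$key]) ? $_POST[$key] : '', $multiline, $multiline ? 4000 : 254);
    $body .= str_pad($label . ':', 20) . $value . "\n";
}

// Headers come from fixed values plus the already validated visitor address.
$visitor = clean_value($_POST['email'], false, 254);
$headers = 'From: ' . $emailadd . "\r\n" . 'Reply-To: ' . $visitor;

if (!mail($emailadd, $subject, $body, $headers)) {
    show_error('The message could not be sent. Please try again later.');
}

// Redirect with a proper HTTP header instead of a META refresh.
header('Location: ' . $url, true, 303);
exit;
```

The validation is done by a function rather than inline so it can be checked on its own, and show_error escapes what it prints so nothing typed into the form is echoed back as HTML. If you also want to stop automated submissions, the same whitelist approach works for a hidden "honeypot" field: reject any submission where that field is non-empty.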