rocknbil - 4:54 pm on Aug 9, 2011 (gmt 0)
Your first problem is here:
$from = $_REQUEST['firstname'] ;
$name = $_REQUEST['email'] ;
This puts the name as the from email address; it will never send. Try switching those two:
$from = $_REQUEST['email'] ;
$name = $_REQUEST['firstname'] ;
Then change this
$headers = "From: $from";
$headers = "From: \"$name\" <$from>\r\n";
The newlines are important. You should probably echo out all the values and exit to make sure it's right; you should have something like this:
From: "John" <email@example.com>
Content-type: text/html; charset=iso-8859-1
The last two are for HTML emails, you can remove them for plain text.
Second, there is no mail for $send2, but guessing you just stopped there because $send wasn't working.
As for spam protection, you need to start with injection protection - you are using raw uncleansed input directly in your program. Suppose I could do "something like" this:
I've just created my own BCC header and used your form to spam 4 addresses (potentially thousands.) Although as posted this is impossible, you get the drift - follow Selena Sol's mantra:
Every user input is a potential hack.
And the corollary, accept only what you want and throw everything else away.
This is a bit complex to cover in one post, but you'll use a variety of methods, including regular expression replacements, to filter all input to make sure it's what you expect - the most important, of course, is the email address itself, there should be only one, and it should match an acceptable email pattern.
Once your input is relatively clean, you can use the same approach against spammers to avoid the dreaded captcha. The most common attack is "link spamming" - there's a link below that shows how you do that.
I also advise logging every input within the script - this is different than access logs, just log everything that is being sent to your program. When trouble arises, you'll have something to look at to see what they are up to.
Get it working first, log everything first, cleanse your input, then filter for spam, if it's all clean **then** send the mail.
See my post here to help [webmasterworld.com]
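The order described in the post above (log everything, cleanse the input, then build the header), sketched as an added example that is not part of the original post or the poster's own code. The function names, the log path and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example: names, log path and sample inputs are hypothetical/constructed.

// One address only, no line breaks, must match an email pattern.
function clean_email($raw): ?string {
    if (!is_string($raw) || preg_match('/[\r\n]/', $raw)) {
        return null; // CR/LF would start a new header line (e.g. Bcc:)
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Keep only the characters we want in a display name; throw the rest away.
// The double quote is dropped too, so the quoted name cannot be closed early.
function clean_name($raw): string {
    if (!is_string($raw)) {
        return '';
    }
    $name = preg_replace("/[^A-Za-z0-9 .'-]/", '', $raw);
    return substr(trim($name), 0, 60);
}

// Log what was sent to the script. json_encode escapes CR/LF, so one
// submission is always exactly one log line.
function log_input(array $fields, string $file): void {
    $line = date('c') . ' ' . json_encode($fields) . "\n";
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// Returns the From header, or null when the input must be rejected.
function build_from_header(array $input, string $logFile): ?string {
    log_input($input, $logFile);
    $from = clean_email($input['email'] ?? '');
    $name = clean_name($input['firstname'] ?? '');
    return ($from === null || $name === '') ? null : "From: \"$name\" <$from>\r\n";
}

// Constructed sample submissions (stand-ins for $_REQUEST).
$samples = [
    ['firstname' => 'John', 'email' => 'email@example.com'],
    ['firstname' => 'John', 'email' => "email@example.com\r\nBcc: a@example.net"],
    ['firstname' => 'John', 'email' => 'a@example.com, b@example.net'],
];
$log = sys_get_temp_dir() . '/form_input.log';
foreach ($samples as $s) {
    $h = build_from_header($s, $log);
    echo $h === null ? "rejected\n" : "ok: $h";
    // Only when $h is not null would the script go on to call mail().
}
```

Only the first sample produces a header; the other two are rejected before anything reaches mail(), and all three are written to the log.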