Forum Moderators: coopster
<form name="phpformmailer" method="post" action="<?php $_SERVER['PHP_SELF']?>">
<label>Your Name: (required)</label>
<br/>
<input id="textName" type="text" name="name"><br/>
<label>Your Email: (required)</label>
<br />
<input id="textEmail" type="text" name="email"><br/>
<label>Your Message:</label>
<br/>
<textarea name="themessage" cols="30" rows="5"></textarea><br/>
<input id="submitButton" type="image" name="B1" src="/images/submit.jpg" width="430" height="28" value="Submit" >
<input type="hidden" name="stage" value="process">
</form><?php
ini_set('session.use_only_cookies',1);
session_start();
?><?php
global $error_message;
$error_message = '';
session_register("SESSION");
$showBox = FALSE;
if (isset($_POST['stage']) && ($_POST['stage'] == 'process')) {
$showBox = TRUE;
//check user input for possible header injection attempts!
function is_forbidden($str,$check_all_patterns = true)
{
$patterns[0] = '/content-type:/';
$patterns[1] = '/mime-version/';
$patterns[2] = '/multipart/';
$patterns[3] = '/Content-Transfer-Encoding/';
$patterns[4] = '/to:/';
$patterns[5] = '/cc:/';
$patterns[6] = '/bcc:/';
$forbidden = 0;
for ($i=0; $i<count($patterns); $i++)
{
$forbidden = preg_match($patterns[$i], strtolower($str));
if ($forbidden) break;
}
//check for line breaks if checking all patterns
if ($check_all_patterns AND !$forbidden) $forbidden = preg_match("/(%0a|%0d|\\n+|\\r+)/i", $str);
if ($forbidden)
{
$error_message = 'Forbidden Text';
}
}
// ------------------------- EXECUTION OF FUNCTION ABOVE -------------------------
foreach ($_REQUEST as $key => $value) //check all input
{
if ($key == "themessage") is_forbidden($value, false); //check input except for line breaks
else is_forbidden($value);//check all
}
// ------------------------- CREATE EMAILS -------------------------
$replyemail="user@example.com";
$name = $_POST["name"];
$email = $_POST["email"];
$thesubject = "Email from Example.com";
$receipt_subject = "message to Example.com";
$themessage = $_POST["themessage"];
$success_sent_msg='Your email has been successfully sent! You will receive a reply as soon as possible. For your convenience, a copy of your message has been sent to you. Thank-you for contacting example.com!';
$replymessage = "Thank you for your email!
Your message has been recevied and will be replied to shortly.
Please DO NOT reply to this email.
Below is a copy of the message you submitted:
--------------------------------------------------
Message: $themessage
--------------------------------------------------
Thank you,
#*$!#*$!X #*$!XX
www.example.com";
$themessage = "From: $name \nMessage: $themessage";
// ------------------------- PROCESSING -------------------------
if (!session_is_registered("SESSION")){
$errors_message = "Invalid form submission";
} elseif (!$error_message) {
mail("$replyemail",
"$thesubject",
"$themessage",
"From: $email\nReply-To: $email");
mail("$email",
"Receipt of $receipt_subject",
"$replymessage",
"From: $replyemail\nReply-To: $replyemail");
} else $error_message = "Failed to send message.";
}
?>
<?php
// ------------------------- FEEDBACK BOX -------------------------
?>
<?php if ($showBox == TRUE) { ?>
<?php if ($error_message) {?>
<div id="errorBox"><p><?php echo $error_message; ?></p></div>;
<?php } else ?>
<div id="successBox"><p><?php echo $success_sent_msg; ?></p></div>;
<?php echo $error_message;?>
<?php } ?>
//check user input for possible header injection attempts!
function is_forbidden($str,$check_all_patterns = true)
{
$patterns[0] = '/content-type:/';
$patterns[1] = '/mime-version/';
$patterns[2] = '/multipart/';
$patterns[3] = '/Content-Transfer-Encoding/';
$patterns[4] = '/to:/';
$patterns[5] = '/cc:/';
$patterns[6] = '/bcc:/';
$forbidden = 0;
for ($i=0; $i<count($patterns); $i++)
{
$forbidden = preg_match($patterns[$i], strtolower($str));
if ($forbidden) break;
}
//check for line breaks if checking all patterns
if ($check_all_patterns AND !$forbidden) $forbidden = preg_match("/(%0a|%0d|\\n+|\\r+)/i", $str);
if ($forbidden)
{
$error_message = null;
$error_message = 'Forbidden Text';
// echo $error_message;
return $error_message;
}
}
// ---------------- EXECUTION OF FUNCTION ABOVE ------------------
foreach ($_REQUEST as $key => $value) //check all input
{
if ($key == "themessage") {
$error_message = is_forbidden($value, false); //check input except for line breaks
echo $error_message; }
else $error_message = is_forbidden($value); echo $error_message;//check all
}
// SKIP CREATE EMAIL PART
// ------------------------- PROCESSING -------------------------
if (!session_is_registered("SESSION")){
$error_message = "Invalid form submission";
} elseif (!$error_message) {
mail("$replyemail",
"$thesubject",
"$themessage",
"From: $email\nReply-To: $email");
mail("$email",
"Receipt of $receipt_subject",
"$replymessage",
"From: $replyemail\nReply-To: $replyemail");
} else $error_message = "Failed to send message.";
}
?>
<?php
// ------------------------- FEEDBACK BOX -------------------------
?>
<?php if ($showBox == TRUE) { ?>
<?php if ($error_message) {?>
<div id="errorBox"><p><?php echo $error_message; ?></p></div>;
<?php } else ?>
<div id="successBox"><p><?php echo $success_sent_msg; ?></p></div>;
<?php echo $error_message;?>
<?php } ?>
I'm not going to tread over rocknbils toes here
I am so clueless as to why the email always sends, even if I enter illegal text.
still $error_message refuses to become TRUE. ... Still a little confused on that front, but regardless, it still isn't functioning correctly ... may I ask why $error_message was set to null inside the function?
if ($forbidden)
{
$error_flag = null;
$error_flag = 'You have entered text that is not permitted in the form.';
return $error_flag;
}
}
// ------------------------- EXECUTION OF FUNCTION ABOVE
foreach ($_REQUEST as $key => $value) //check all input
{
if ($key == "themessage") {
$error_message = is_forbidden($value, false); //check input except for line breaks
if ($error_message) break;
}
else $error_message = is_forbidden($value); { //check all
if ($error_message) break;}
}
