PHP/MySQL made simple

Jun 6 2008   8:57PM GMT

Securing your E-mail address in a contact form

Jon Harris Profile: Jonsjava

Tags:
Exchange Server ActiveSync

All too often, I see easy ways to exploit a website's contact form. They have it so that everything is posted to the submit script in plain text and used as-is. While this may be OK if you're not writing any of it to a database, it's still not good practice.
I usually do it like this:

My contact form (fields as rendered; Contact Reason is a drop-down):

Contact Us

Your Name:
E-Mail Address:
Contact Reason:
  Need assistance with a script you made
  Need Assistance with a script I made
  Looking for help with an open-source project
  Wanted to thank you for all you've done
  Offering assistance with one of your open-source projects
  Just saying "Hi"/Other
Subject:
Message:


Now, notice what I did with the drop-down options (each option submits a number, not the reason text):

Need Assistance with a script I made
Looking for help with an open-source project
Wanted to thank you for all you've done
Offering assistance with one of your open-source projects
Just saying "Hi"/Other

What that does is this: they can't change the contact reason. It's locked. If they modify the select to their liking, it just won't work.

How does that work, you ask?
Simple, here’s how:

<?php
// Allowed contact reasons; the form submits a 1-based numeric index, never the text itself
$reason_array = array(
    "Need assistance with a script you made",
    "Need Assistance with a script I made",
    "Looking for help with an open-source project",
    "Wanted to thank you for all you've done",
    "Offering assistance with one of your open-source projects",
    "Just saying \"Hi\"/Other"
);
$reason = (int) $_POST['reason'];
// Anything that is not a valid index means the select was tampered with: do not send
if (!isset($reason_array[$reason - 1])) {
    header("Location: index.php");
    exit();
}
$contact_reason = $reason_array[$reason - 1];
$subject = $_POST['subject'];
$body = $_POST['body'];
$email = $_POST['email'];
$name = $_POST['name'];
$to = "email@somedomain.com";
$message = "\n\n" . $subject . "\n"
         . "Contact Reason: $contact_reason\n\n"
         . "Name:$name\n\n";
// Undo magic-quotes escaping of single quotes, turn double quotes into single
// quotes and strip vertical tabs from the message body
$message_clean = str_replace("\'", "'", $body);
$message_clean = str_replace('"', "'", $message_clean);
$message_clean = str_replace("\v", "", $message_clean);
$message .= $message_clean;
$message .= "\n\n\n";
include("MIME.class.php");
$mime = new MIME_mail($email, $to, $subject);
$mime->attach($message, "", HTML, BASE64);
$mime->send_mail();
header("Location: index.php");
exit();

This is the submit page for my contact form. As you may have noticed, I'm using the MIME mailer class (found at PHP Guru).
I've put the reason codes into an array, so if they modify the select and change it from a numerical value, we'll know.
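The two pieces above (a drop-down whose options carry numbers, and a handler that maps the number back through a server-side array) fit together as follows. This is an added example, not the post's own code: the reason table, the render function and the validation helpers are mine, and the rule that the submitted value must consist only of digits and land on an existing index is a stricter check than the subtraction in the original handler. It also adds a check the post does not have: the submitted address and subject go straight into the mailer as header fields, so they are rejected if they contain CR or LF.

```php
<?php
// Added example (not the original post's code): reason drop-down that submits a
// numeric index, plus a handler that treats the server-side array as the only
// source of the reason text and refuses anything that is not a valid index.

// Allowed reasons live only on the server, keyed by the value the browser submits.
$reason_array = array(
    1 => "Need assistance with a script you made",
    2 => "Need Assistance with a script I made",
    3 => "Looking for help with an open-source project",
    4 => "Wanted to thank you for all you've done",
    5 => "Offering assistance with one of your open-source projects",
    6 => "Just saying \"Hi\"/Other",
);

// Renders the <select>; each <option> carries the index, not the reason text.
function render_reason_select(array $reasons) {
    $html = "<select name=\"reason\">\n";
    foreach ($reasons as $index => $text) {
        $html .= "  <option value=\"" . (int) $index . "\">"
               . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</option>\n";
    }
    return $html . "</select>\n";
}

// Returns the reason text for a submitted value, or null when the value is not
// exactly one of the numeric indexes ("2abc", "-1", "99", "", arrays all fail).
function lookup_reason(array $reasons, $posted) {
    if (!is_string($posted) || $posted === '' || !ctype_digit($posted)) {
        return null;
    }
    $index = (int) $posted;
    return isset($reasons[$index]) ? $reasons[$index] : null;
}

// Values that end up in mail headers must not contain line breaks, otherwise the
// submitter could append headers of their own. This check is an addition to the post.
function header_safe($value) {
    return is_string($value) && strpbrk($value, "\r\n") === false;
}

// Validates a whole submission. Returns the cleaned fields on success or an
// error string describing the first failed check.
function validate_contact(array $reasons, array $post) {
    $reason = lookup_reason($reasons, isset($post['reason']) ? $post['reason'] : null);
    if ($reason === null) {
        return "Contact reason is not one of the allowed values";
    }
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || !header_safe($email)) {
        return "Invalid e-mail address";
    }
    $subject = isset($post['subject']) ? (string) $post['subject'] : '';
    if ($subject === '' || !header_safe($subject)) {
        return "Invalid subject";
    }
    return array(
        'reason'  => $reason,
        'email'   => $email,
        'subject' => $subject,
        'name'    => isset($post['name']) ? str_replace(array("\r", "\n"), ' ', (string) $post['name']) : '',
        'body'    => isset($post['body']) ? (string) $post['body'] : '',
    );
}

// Constructed sample submissions (not real traffic) to exercise the checks:
// a normal post, a post where the select was edited to send text, and a post
// whose e-mail field carries a line break.
$good = array('reason' => '3', 'email' => 'alice@example.com', 'subject' => 'Help', 'name' => 'Alice', 'body' => 'Hi');
$edited = array('reason' => 'Just saying "Hi"/Other', 'email' => 'alice@example.com', 'subject' => 'Help');
$crlf = array('reason' => '1', 'email' => "alice@example.com\r\nBcc: other@example.com", 'subject' => 'Help');

foreach (array('good' => $good, 'edited' => $edited, 'crlf' => $crlf) as $label => $post) {
    $result = validate_contact($reason_array, $post);
    echo $label . ": " . (is_array($result) ? "ok, reason = " . $result['reason'] : "rejected, " . $result) . "\n";
}
echo render_reason_select($reason_array);
```

Only a submission that passes validate_contact() should reach MIME_mail; the handler then builds the message from the returned array rather than from $_POST, so the reason text in the mail can only ever be one of the strings in $reason_array.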

Next Time: I will show you how to stop spammers from using your script.
