Contact form exits page when it shouldn't. HELP?


#1

[php]

// First, make sure the form was posted from a browser.
// For basic web-forms, we don’t care about anything
// other than requests from a browser:
if(!isset($_SERVER[‘HTTP_USER_AGENT’])){
die(“Forbidden - You are not authorised to view this page”);
exit;
}

// Make sure the form was indeed POST’ed:
// (requires your html form to use: action=“post”)
if(!$_SERVER[‘REQUEST_METHOD’] == “POST”){
die(“Forbidden - You are not authorised to view this page”);
exit;
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = array(“XXXXXXXXXXX.com”);

// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER[‘HTTP_REFERER’]));

// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray[‘host’], “www.”);

// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray[‘host’] : substr(stristr($fromArray[‘host’], ‘.’), 1)), $authHosts)){
logBadRequest();
header(“HTTP/1.0 403 Forbidden”);
exit;
}

// Attempt to defend against header injections:
$badStrings = array(“Content-Type:”,
“MIME-Version:”,
“Content-Transfer-Encoding:”,
“bcc:”,
“cc:”);

// Loop through each POST’ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
foreach($badStrings as $v2){
if(strpos($v, $v2) !== false){
logBadRequest();
header(“HTTP/1.0 403 Forbidden”);
exit;
}
}
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);

###########################################################################################

function check_email_address($checked) {
// First, we check that there’s one @ symbol, and that the lengths are right
if (!ereg("[^@]{1,64}@[^@]{1,255}", $checked)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$checked_array = explode("@", $checked);
$local_array = explode(".", $checked_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!ereg("^(([A-Za-z0-9!#$%&’*+/=?^_{|}~-][A-Za-z0-9!#$%&'*+/=?^_{|}~.-]{0,63})|("[^(|")]{0,62}"))$", $local_array[$i])) {
return false;
}
}
if (!ereg("^[?[0-9.]+]?$", $checked_array[1])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $checked_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
}
}
}
return true;
}

$invalid = “1”;
$sent = “2”;
$error = “3”;

// specify recipient!
$EmailTo = “XXXXXXXXX.com”;

// get posted data into local variables
$EmailFrom = Trim(stripslashes($_POST[‘EmailFrom’]));
$Subject = Trim(stripslashes($_POST[‘Subject’]));
$Name = Trim(stripslashes($_POST[‘Name’]));
$Telephone = Trim(stripslashes($_POST[‘Telephone’]));
$Message = Trim(stripslashes($_POST[‘Message’]));

if ($Subject) {
$Subject = "[from website visitor] ".$Subject;
} else {
$Subject = “[from website visitor]”;
}

// validation
$validationOK=true;
if (Trim($Name)=="") $validationOK=false;
if (!check_email_address($EmailFrom)) $validationOK=false;
if (Trim($Message)=="") $validationOK=false;
if (!$validationOK) {
$displaymessage = $invalid;
}

if ($validationOK) {

ini_set(sendmail_from, $EmailFrom); // the INI lines are to force the From Address to be used !

// prepare email body text:

$Body = “”;
$Body .= $Message.“n”;
$Body .= “n”;
if ($Telephone) {
$Body .= “----n”;
$Body .= "TELEPHONE NUMBER: ".$Telephone.“n”;
$Body .= “n”;
}
$Body .= “----end----”;

// prepare email headers:

$eol = “rn”;
$Headers = “”;
$Headers .= "From: $Name <$EmailFrom> ".$eol;
$Headers .= "X-Sender: $Name <$EmailFrom> “.$eol;
$Headers .= “X-Mailer: PHP v”.phpversion().” ".$eol; // These two to help avoid spam-filters
$Headers .= "Content-type: text/plain; charset=utf-8 ".$eol;
$Headers .= "MIME-Version: 1.0 ".$eol;
$Headers .= $eol.$eol;

// send email:

$success = mail($EmailTo, $Subject, $Body, $Headers);

if ($success) {
	$displaymessage = $sent; 
}
else {
	$displaymessage = $error; 
}

ini_restore(sendmail_from); // undoes ini_set(sendmail_from) from before

}

echo $displaymessage;
[/php]

Admin edit: Switched from [code] tags to [php] tags for easier readability


#2

A bit more information please!

What have you done to resolve it? Any error messages displayed or in the logs? Does it quit half way through or does it not work at all?

What version of PHP, O/S, Webserver, etc… are you running?

Any SPECIFIC questions other than “HELP!”


#3

Hey, sorry about not including info, I was in a hurry.

I’ve commented out everything before the line of #########, and this has resolved the issue temporarily, but I’d rather it be included for security. (I’ve de-commented it in the example below.)

No error messages displayed. The page loads, to the point, and then it simply stops parsing. I don’t know where I would access said logs.

PHP v5.0.3, on Windows, web server IIS.

My specific question is, what is going wrong to make it stuff up? I know that it is in that section above the line of #######, which I found at http://www.rsaweb.co.za/tutorials/Email-Injection-from-website-how-to-stop-it/46/. Any insights?

[php]
// First, make sure the form was posted from a browser.
// For basic web-forms, we don’t care about anything
// other than requests from a browser:
if(!isset($_SERVER[‘HTTP_USER_AGENT’])){
die(“Forbidden - You are not authorised to view this page”);
exit;
}

// Make sure the form was indeed POST’ed:
// (requires your html form to use: action=“post”)
if(!$_SERVER[‘REQUEST_METHOD’] == “POST”){
die(“Forbidden - You are not authorised to view this page”);
exit;
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = array(“X.com”);

// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER[‘HTTP_REFERER’]));

// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray[‘host’], “www.”);

// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray[‘host’] : substr(stristr($fromArray[‘host’], ‘.’), 1)), $authHosts)){
logBadRequest();
header(“HTTP/1.0 403 Forbidden”);
exit;
}

// Attempt to defend against header injections:
$badStrings = array(“Content-Type:”,
“MIME-Version:”,
“Content-Transfer-Encoding:”,
“bcc:”,
“cc:”);

// Loop through each POST’ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
foreach($badStrings as $v2){
if(strpos($v, $v2) !== false){
logBadRequest();
header(“HTTP/1.0 403 Forbidden”);
exit;
}
}
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);

###########################################################################################
[/php]

Mod Edit: Stripped irrelevant code


#4

If it’s a third-party script, shouldn’t you be contacting the person who wrote it? Besides that, did you try Debugging?


#5

If you are wondering what makes the script stop running its the command that says exit;

You need to use some error messages to tell you where the script is exiting out at…

exit(“I am at point 1”);
exit(“I am at point 2”);

Something to tell at which point the script exiting and from there you should be able to figure what it is doing, but Zyppora is right, we do not support 3rd party scripts.