Please help me check this code if it safe from hackers or spammers

Security and PHP
#1

Good day friends, please i am still an upcoming developer please could you help me check if this contact form code is secured from hackers. Thanks

<?php

require “define.php”;
$seotitlemeta = “Contact $sitename”;
include ‘./themes/header.php’;
function filter_spam(&$string){ $url = str_replace(array("’", ‘’, ‘%20’), ’ ‘, $string); $url = preg_replace(’~[\pL0-9]+u’, ’ ', $url); $url= strtolower($url); $url = trim($url, “”); return $url;}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
$data = strip_tags($data);
return $data; } ?>

Contact <?php echo $sitename;?>

<?php if ($SERVER["REQUEST_METHOD"] == "POST") { $code1= trim(preg_replace(array("'", "[^a-z0-9]+"), array("", ""), strtolower(test_input($POST['code']))), "-"); $code1 = substr($code1, 0, 10); $code= trim(preg_replace(array("'", "[^0-9]+"), array("", ""), strtolower(bin2hex(test_input($POST['code1'])))), "-"); $code = substr($code, 0, 10); if (filter_var(test_input($POST['mail']), FILTER_VALIDATE_EMAIL)) { if(strlen(test_input($POST["message"])) > 5){ $email_sumbit = test_input($POST['mail']); $contact_name = test_input(filter_spam($POST['name'])); $subject_submit = test_input($POST['head']); $message_submit= test_input($POST["message"]); if($code1!== $code) { } else { $from = "$email_sumbit"; $to_email = "[email protected]"; $subject = $subject_submit; $message = $message_submit; $headers = "From: $contact_name $from"; mail($to_email,$subject,$message,$headers); $sent_show_response = '
Your message has been sent successfully
'; $message_sent_remove_form = "1"; } }} if ($SERVER["REQUEST_METHOD"] == "POST") { if($sent_show_response){ $sent_show_response = $sent_show_response; } else { if(strlen(test_input($POST["message"])) < 5){ $sent_show_response = '
Your message is too short
'; } else{ $sent_show_response = '
Please provide valid information

'; }}}} ?>

<?php echo $sent_show_response; ?>

<?php if ($message_sent_remove_form == '1'){ } else{ ?><?php $Random_code=mt_rand(); $Random_code = substr($Random_code, 0, 5); $Random_codehex = substr(bin2hex($Random_code), 0, 10); ?>
"> Full name: E-mail address: Subject: Message: <?php echo $message_submit;?> Human verification:

<?php $random_spilit = str_split($Random_code);foreach($random_spilit as $code_one_one){ echo "$code_one_one "; }?>

CODE
Send Message
<?php }?><?php include './themes/footer.php'; ?>
#2

You need to edit your post above and re-post the original code using either bbcode code tags [code][/code] or markdown (three back-ticks ```) around it. Wherever you pasted this from has no new-line characters in the last half of it and it cannot be formatted on the forum.

Edit: I also see that wherever you pasted this from, it removed the underscores in variable names.

If you want help with your code, post your original code.

#3

Here’s the short version of what your application code should do with external, unknown, dynamic data values -

  1. The only alteration you make to data should be to trim it, mainly so that you can detect if all white-space characters were entered.
  2. You should then validate all data to make sure it is suitable for use by your application. Check if required values are not empty. Check values that must have a specific format, such as dates, email addresses. Check values that must have a required mix of characters, lengths, or value range. These checks are primarily to satisfy the needs of your application, not for security purposes. If data isn’t valid, setup a message telling the user what was wrong with the submitted data. Store validation error messages in an array, and validate all the independent inputs separately.
  3. Don’t Repeat Yourself (DRY.) There’s a lot of repeated/nested function calls in the posted code, opening the possibility of using a different value than the one that was actually validated.
  4. Don’t copy variables to other variables without any reason. Just use the original variables.
  5. Use data safely, in whatever context it is being used as -
    • use a prepared query when supplying data to an sql query when it gets executed.
    • apply htmlentities() to values that are being used in a html context (web page, email body), right before they are being used (not before they are validated.)
    • insure that any value being put into an email header consists of exactly and only one expected value, in order to prevent email header injection.
    • don’t put user submitted data directly into an email subject field. If there’s a choice of pre-defined subjects, the submitted value should be an id of the subject, then lookup and substitute the actual subject text on the server.
    • store (move) uploaded files to a location that prohibits direct web access.
    • if you store data in files, including data logging, put the files in a location that prohibits direct web access.
    • don’t use eval() or anything that uses eval internally, such a regex statement with the /e modifier.
    • don’t use any function that ‘magically’ creates/populates variables, such as extract(), the long since removed register_globals, or any code designed to make old code that was dependent on register_globals ‘work’ again.
#4

I also see that this isn’t your latest code. You posted updated code 13 hours ago on a different forum, then posted your original code 3 hours ago on this forum.

Sponsor our Newsletter | Privacy Policy | Terms of Service