[php]
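// ---------------------------------------------------------------------------
// Request gate for the contact form: rejects requests that do not look like
// a browser POST from one of $authHosts and that carry mail-header keywords
// in any posted field. Anything rejected ends the script with a 403.
// All of these checks rely on client-supplied headers (User-Agent, Referer),
// which any HTTP client can set freely; they filter casual bots only and are
// not an authorisation boundary.
// ---------------------------------------------------------------------------

// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if (!isset($_SERVER['HTTP_USER_AGENT'])) {
    die("Forbidden - You are not authorised to view this page");
}

// Make sure the form was indeed POST'ed:
// (requires your html form to use: method="post")
// The original `!$_SERVER['REQUEST_METHOD'] == "POST"` negated the method
// string first and then compared a bool with "POST", so it never rejected
// anything; compare the method itself, strictly.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    die("Forbidden - You are not authorised to view this page");
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = ["XXXXXXXXXXX.com"];

// Where have we been posted from?
// The Referer header is optional (browsers and privacy settings may omit
// it), so read it with a default rather than raising an undefined-index
// notice, and treat a missing or unparsable Referer as "not authorised".
$referer = isset($_SERVER['HTTP_REFERER']) ? strtolower($_SERVER['HTTP_REFERER']) : '';
$fromArray = parse_url($referer);
$fromHost = (is_array($fromArray) && isset($fromArray['host'])) ? $fromArray['host'] : '';

// Accept "www.example.com" for an authorised "example.com": drop a leading
// "www." only. (The original strpos()/stristr() pair also stripped the first
// label whenever "www." occurred anywhere in the host.)
if (strpos($fromHost, 'www.') === 0) {
    $fromHost = substr($fromHost, 4);
}

// Make sure the form was posted from an approved host name.
if (!in_array($fromHost, $authHosts, true)) {
    logBadRequest(); // not defined in this file
    header("HTTP/1.0 403 Forbidden");
    exit;
}

// Attempt to defend against header injections:
// these are the header names a sender would need to smuggle into the mail
// to add recipients or change the MIME type. Matched case-insensitively so
// "Bcc:" is caught as well as "bcc:". This keyword list is a secondary
// control only; the primary one is refusing CR/LF in every value that is
// later interpolated into a mail header, which the header-building code
// must enforce before calling mail().
$badStrings = [
    "Content-Type:",
    "MIME-Version:",
    "Content-Transfer-Encoding:",
    "bcc:",
    "cc:",
];

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach ($_POST as $k => $v) {
    // This form only ever posts scalar fields; an array value (field[]=...)
    // would make strpos() throw on PHP 8, so treat it as a bad request.
    if (!is_string($v)) {
        logBadRequest();
        header("HTTP/1.0 403 Forbidden");
        exit;
    }
    foreach ($badStrings as $v2) {
        if (stripos($v, $v2) !== false) {
            logBadRequest();
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost, $referer);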
###########################################################################################
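/**
 * Validate an e-mail address syntactically (local part, "@", domain).
 *
 * Port of the ereg()-based check to preg_match(): ereg() was deprecated in
 * PHP 5.3 and removed in 7.0, so the original version fatals on any current
 * runtime. The accepted grammar is kept:
 *   - exactly one "@", local part 1-64 chars, domain 1-255 chars
 *     (the first pattern is anchored so "a@b@c" cannot match a substring);
 *   - each dot-separated local label is either an atom of the characters
 *     allowed unquoted, or a quoted string;
 *   - the domain is either a (possibly bracketed) dotted numeric literal,
 *     or at least two labels of letters, digits and inner hyphens.
 * All patterns use the D modifier and the character classes exclude CR/LF,
 * so an address that passes contains no line break and can be placed on a
 * single mail-header line.
 *
 * @param mixed $checked Value to validate; anything that is not a string is rejected.
 * @return bool true when $checked matches the grammar above.
 */
function check_email_address($checked)
{
    if (!is_string($checked)) {
        return false;
    }
    // First, we check that there's one @ symbol, and that the lengths are right
    if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/D', $checked)) {
        // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
        return false;
    }
    // Split it into sections to make life easier
    [$local, $domain] = explode('@', $checked);

    // Each dot-separated label of the local part: an unquoted atom, or a quoted
    // string that may not contain ( \ | " ) nor a line break.
    $localLabel = '@^(([A-Za-z0-9!#$%&\'*+/=?^_`{|}~-][A-Za-z0-9!#$%&\'*+/=?^_`{|}~.-]{0,63})|("[^(\\\\|")\r\n]{0,62}"))$@D';
    foreach (explode('.', $local) as $label) {
        if (!preg_match($localLabel, $label)) {
            return false;
        }
    }

    // Check if domain is IP. If not, it should be valid domain name
    if (!preg_match('/^\[?[0-9.]+\]?$/D', $domain)) {
        $domain_array = explode('.', $domain);
        if (count($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        $domainLabel = '/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/D';
        foreach ($domain_array as $label) {
            if (!preg_match($domainLabel, $label)) {
                return false;
            }
        }
    }
    return true;
}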
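// ---------------------------------------------------------------------------
// Read the posted fields, validate them, build and send the mail, then echo
// one of three status codes for the page that posted the form.
// ---------------------------------------------------------------------------
$invalid = "1"; // validation failed
$sent = "2";    // mail() accepted the message
$error = "3";   // mail() reported failure

// specify recipient!
$EmailTo = "XXXXXXXXX.com";

// get posted data into local variables.
// A missing field becomes "" instead of raising an undefined-index notice,
// and a non-string (array) field is treated as absent so stripslashes()
// cannot throw. stripslashes() is kept for parity with the original
// (magic_quotes-era) handling of the input.
$postField = function ($key) {
    $value = (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
    return trim(stripslashes($value));
};
$EmailFrom = $postField('EmailFrom');
$Subject = $postField('Subject');
$Name = $postField('Name');
$Telephone = $postField('Telephone');
$Message = $postField('Message');

// Compare against "" rather than testing truthiness, so a subject of "0" is kept.
if ($Subject !== '') {
    $Subject = "[from website visitor] " . $Subject;
} else {
    $Subject = "[from website visitor]";
}

// validation
$validationOK = true;
if ($Name === '') $validationOK = false;
if (!check_email_address($EmailFrom)) $validationOK = false;
if ($Message === '') $validationOK = false;

// Header-injection guard: every value interpolated into a mail header
// (From / Reply-To / X-Sender / Subject) must be a single line. A CR, LF or
// NUL in any of them would let the sender terminate the header and append
// their own (for example extra recipients), so such input fails validation.
foreach ([$EmailFrom, $Name, $Subject] as $headerValue) {
    if (strpbrk($headerValue, "\r\n\0") !== false) {
        $validationOK = false;
    }
}

if (!$validationOK) {
    $displaymessage = $invalid;
} else {
    // The INI lines are to force the From address to be used as the envelope
    // sender (PHP honours sendmail_from for its built-in SMTP mailer, i.e. on
    // Windows; on a sendmail-based build it is ignored). The setting name
    // must be a quoted string: a bare sendmail_from is an undefined constant
    // (a notice on PHP 7, an Error on PHP 8).
    ini_set('sendmail_from', $EmailFrom);

    // prepare email body text:
    $Body = "";
    $Body .= $Message . "\n";
    $Body .= "\n";
    if ($Telephone !== '') {
        $Body .= "----\n";
        $Body .= "TELEPHONE NUMBER: " . $Telephone . "\n";
        $Body .= "\n";
    }
    $Body .= "----end----";

    // prepare email headers:
    $eol = "\r\n";
    // Quote the display name so characters such as "<" or "," in $Name cannot
    // alter how the address is parsed; quotes and backslashes inside the name
    // are dropped rather than escaped.
    $displayName = str_replace(['"', '\\'], '', $Name);
    $Headers = "";
    $Headers .= "From: \"$displayName\" <$EmailFrom>" . $eol;
    $Headers .= "Reply-To: \"$displayName\" <$EmailFrom>" . $eol;
    $Headers .= "X-Sender: \"$displayName\" <$EmailFrom>" . $eol;
    $Headers .= "X-Mailer: PHP v" . phpversion() . $eol; // These two to help avoid spam-filters
    $Headers .= "Content-type: text/plain; charset=utf-8" . $eol;
    $Headers .= "MIME-Version: 1.0" . $eol;
    // No trailing blank line: an empty line ends the header section.

    // send email:
    $success = mail($EmailTo, $Subject, $Body, $Headers);
    $displaymessage = $success ? $sent : $error;

    ini_restore('sendmail_from'); // undoes ini_set('sendmail_from') from before
}

echo $displaymessage;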
[/php]
Admin edit: Switched from [code] tags to [php] tags for easier readability