AI_ContactForm to E-mail script; validates e-mails and checks against e-mail header injection
November 23, 2006
Contact forms aren't hard to code, and the PHP mail() function is pretty simple - and yet, implementing such a form, handling the POSTed information, error-checking, and providing basic security, can quickly seem a daunting task.
And still, sometimes, the spambots win.
PHP provides a simple solution to address harvesting: the HTML code, i.e. the page source that your browser (and a spambot) sees, does not contain your e-mail address.
Your target e-mail address is handled behind the scenes; PHP creates the mail message from the form contents, and sends it on, without ever exposing the address to a bot.
The downside is that you need to write the code: the HTML form, the form handling, validation of the return e-mail address, and so on. Our script makes it easy. Reference the script from a PHP page:
Which produces the following form:
[Form rendered on the original page, headed "Please send us your feedback:", with Name, E-mail address and Message fields.]
You will need to change one line of code:
$mail_target = 'email@example.com';
to whatever e-mail address you wish your messages directed to.
Tip: do not use your primary e-mail address. It's easier to manage your e-mail if site feedback goes to a mailbox dedicated to it, and if that address is ever compromised (harvested by spammers, say) it is easier to change without disrupting your personal and other correspondence. Most web site hosting companies give you 100 e-mail aliases or more; even plain-vanilla web accounts give you five or more e-mail addresses.
In brief, e-mail header injection works like this: some malicious entity - usually a spambot rather than a person, since one site and one form offer little return for the effort - inserts e-mail header lines into the Name or E-mail address input field, for example:
%0A is the URL encoding of a line feed (%0D, a carriage return, is used the same way); once decoded it ends the header line your script was building and lets the attacker start a new one. Bcc: specifies a blind-carbon-copy header, i.e. another recipient who will be spammed with the message. Worse, an injected Content-Type: header can turn the message into a multipart one, so that malicious file content is attached to it.
The contact.php script looks for such attacks. If you would like to be informed of such attacks, leave the line
$notify_injections = true;
set to true. To turn off these notifications, change 'true' to 'false'. E-mail injections will still be detected and stopped, but you won't be mailed the details.
The form is easily customized to appear however you want - just adapt the Cascading Style Sheet definitions between the <STYLE> tags in the form.
As is, the form also requires that anyone submitting feedback enter all three of a name, a return e-mail address and a message. If any of these is blank, the script presents a message requesting the required data. The e-mail address is validated, i.e. checked against proper e-mail address syntax; if it doesn't match, the script returns a request for a valid address. Note that this is a syntax check only: it cannot tell you whether the mailbox actually exists.
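To make the header-injection check and the required-field/syntax validation described above concrete, here is an added example of a minimal handler written for this article; it is not the AI_ContactForm script itself. The variable names $mail_target and $notify_injections mirror the article, but the functions (contains_header_injection, looks_like_email, check_submission, handle_form) and the two sample submissions are this example's own, and the address regex is a deliberately simple one rather than the validation script the article refers to.

```php
<?php
// Added example, not the AI_ContactForm script: a minimal contact-form handler
// that refuses e-mail header injection before anything reaches mail().
// $mail_target and $notify_injections follow the article; everything else
// (function names, sample data) is constructed for this example.

$mail_target       = 'email@example.com';   // change to your feedback mailbox
$notify_injections = true;                  // mail a report when an injection is caught

// A field that ends up in a mail header must never contain a line break:
// a raw CR/LF (PHP has already decoded %0A/%0D by the time $_POST is filled),
// or a leftover literal "%0A"/"%0D" from a double-encoded attempt.
function contains_header_injection(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    return (bool) preg_match('/%0[AaDd]/', $value);
}

// Simple syntax check: local-part@domain.tld, no whitespace or control characters.
// It proves nothing about whether the mailbox exists.
function looks_like_email(string $address): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $address);
}

// Examine the three form fields; returns a list of problems (empty means OK).
function check_submission(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "The $field field is required.";
        }
    }
    // Name and return address are placed in headers, so they get the injection check.
    foreach (['name', 'email'] as $field) {
        if (isset($post[$field]) && contains_header_injection($post[$field])) {
            $errors[] = "Header injection attempt detected in $field.";
        }
    }
    if (isset($post['email']) && !looks_like_email(trim($post['email']))) {
        $errors[] = 'Please enter a valid e-mail address.';
    }
    return $errors;
}

function handle_form(array $post, string $mail_target, bool $notify_injections): string
{
    $errors = check_submission($post);
    if ($errors) {
        // Report an attempt to the site owner if asked to. The offending input
        // goes only in the body of the report, never into one of its headers.
        if ($notify_injections && preg_grep('/Header injection/', $errors)) {
            $report = 'Blocked form submission from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown')
                    . "\n\n" . print_r($post, true);
            @mail($mail_target, 'Contact form: header injection attempt', $report);
        }
        return implode("\n", $errors);
    }
    // Safe to send: every value that reaches a header has been checked for line
    // breaks, and the free-form message body cannot create headers.
    $headers = 'From: ' . trim($post['email']) . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();
    $body    = 'Name: ' . trim($post['name']) . "\n\n" . $post['message'];
    return mail($mail_target, 'Site feedback', $body, $headers) ? 'Thank you.' : 'Mail failed.';
}

// Constructed sample submissions (not real traffic):
$legit = ['name' => 'Jane Reader', 'email' => 'jane@example.net', 'message' => 'Nice site.'];
$spam  = ['name'    => 'Jane Reader',
          'email'   => "jane@example.net\nBcc: victim1@example.org, victim2@example.org",
          'message' => 'Buy now'];

print_r(check_submission($legit));  // empty array: this submission would be mailed
print_r(check_submission($spam));   // injection detected in email, and it fails the syntax check
```

The check that matters is the one for CR/LF: without a line break an attacker cannot start a new header, whatever keywords the field contains. The literal "%0A" test only catches input that was encoded twice and so survived PHP's own decoding; if you decode form input yourself (with urldecode(), say), run the check after that step, not before.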
The e-mail validation script is our own, and is described in detail in another article. If you care, or if you're interested in learning about Regular Expression matching, follow the link.
This PHP script is released under the terms of the GNU General Public License, i.e. free for you to use, modify, and even redistribute under the terms of this license - see http://www.gnu.org/copyleft/gpl.html for further details.