<?php
/* AI_ContactForm, version 1.0
PHP Contact Form to E-mail script; validates e-mails and checks against e-mail
header injection
Copyright (C) 2006, Paul Postuma and Ars Informatica

This very simple script offers a number of features:

It produces an easily-modifiable web form for feedback or comments to be
submitted, within any PHP page. It e-mails the results to a specific addressee,
without disclosing this person's address to the internet-crawling software bots
used by spammers.

It guards against e-mail injection attacks, and will warn you of such attempts
if you desire.

It requires that a sender provides both a name and an e-mail address, then
validates the e-mail address format (though it does not prove that said address
is active and belongs to the person who sent you the message). Should the user
make a mistake, they are asked to try again.

Form appearance is easily modified by adapting the CSS style tags below.

Throughout, you may alter the messages presented to the form user.

See my site at www.ars-informatica.ca for more details, and other PHP code


This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License (GPL) as published by the Free
Software Foundation; either version 2 of the License, or (at your option) any
later version. 

This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details. 

To read the license please visit http://www.gnu.org/copyleft/gpl.html 



First, the calling PHP code must reference the script:

include 'contact.php';
Next, specify whether you wish to be notified of e-mail injection attacks: set
$notify_injections to either true or false. Specify a $mail_target, i.e., the
e-mail address to which you wish both user feedback and injection attack
notifications to be sent.

That's it - you are now ready to stick a feedback or comment form into any PHP
page.

Still, you might want to customize the form's appearance - simply alter or add
to the CSS style tags, below. And feel free to adapt the messages to your
personal needs.
*/
$notify_injections = true;							//set to false if you don't want to e-mail yourself
										//with notifications of e-mail injection attempts
$mail_target = 'me@mycompany.com';						//specify your e-mail address here
$mail = array('sender' => @$_POST['sender'],					//retrieve POSTed form field data - should match the
	'sender_name' => @$_POST['sender_name'],				//names of the various fields in the <FORM> below
	'subject' => @$_POST['subject']);
$mail_message = @$_POST['message'];

function validate_mail($field, $mail_header) {
//	$mail_header = "a\rBcc:spoof1\rTo:spoof2";				//used for testing the validate_mail function; see docs
	$alert = '';
	if (@preg_match_all("/(\r|\n)([^:]+):/", $mail_header, $m))		//check for invalid header data: a line break followed by "name:"
		foreach ($m[0] as $v)						//list every injected header found in this form field
			$alert .= '<span style="width:100px;font:bold">'.$field.'</span>'.$v.'<br>';
	return $alert;
}
echo '<style>
h1 { font:bold 14pt verdana }
.alert { font:bold;color:red }
.form_table { border:0;text-align:left;font:bold 8pt Verdana;line-height:24px;width:400px;padding:4px }
.short_input { height:24px;width:190px;font:8pt Verdana;padding:4px }
.long_input { height:24px;width:400px;font:8pt Verdana;padding:4px }
.message_box { width:400px;font:8pt Verdana;padding:4px }
.submit { font:8pt Verdana;padding:2px }
</style>

<h1>Contact Us</h1>';

$show_form = true;								//by default, show the HTML <FORM>
if ($mail_message != '') {							//if a message has been left, do the following:
	$alert = '';
	foreach ($mail as $k => $v) $alert .= validate_mail($k, $v);		//validate each mail header
	if ($alert != '') {
		$mail_result = 1;						//treat the submission as sent unless the notification below fails
		if ($notify_injections == true) $mail_result = @mail($mail_target, 'E-mail insertion attack',
			'<html><body>E-mail injection attempted via header insertion<p>'
			.'<span style="width:100px;font:bold">Remote IP</span>'.@$_SERVER['REMOTE_ADDR'].'<br>'
			.'<span style="width:100px;font:bold">Remote Host</span>'.@$_SERVER['REMOTE_HOST'].'<p>'
			.'<span style="width:100px;text-decoration:underline">form-field</span><u>injected header</u><br>'
			.$alert.'</body></html>');
		if ($mail_result == 1) {					//thank them for their submission - you don't want to let
			echo 'Your comments have been submitted. Thank you.';	//them know you're aware of their attack, do you?
			$show_form = false;					//and after submission, you need not re-display the form
		}
		else echo 'Unknown error: mail not sent. Please try again.';
	}

	else if (!preg_match("/^[A-Z0-9._%-]+@[A-Z0-9][A-Z0-9.-]{0,61}[A-Z0-9]\.[A-Z]{2,6}$/i", $mail['sender'])) echo '<span class="alert">* A valid e-mail address is required for your comments to be registered *</span>';
										//validate e-mail address - described in accompanying docs

	else if ($mail['sender'] == '' or $mail['sender_name'] == '') echo '<span class="alert">* You must enter your comments and a name and e-mail address for your comments to be registered *</span>';

	else {
		//"Name <address>" is the address form a From: header expects; the fields were header-checked above
		$mail_result = @mail($mail_target, $mail['subject'], $mail_message, "From: $mail[sender_name] <$mail[sender]>");
		if ($mail_result == 1) {					//mail function here works as above
			echo 'Your comments have been submitted. Thank you.';
			$show_form = false;
		}
		else echo 'Unknown error: mail not sent. Please try again.';
	}
}
else echo 'Please send us your feedback:';

//re-displayed values are HTML-escaped so a submission cannot inject markup or script into the page
if ($show_form == true) echo '<p><form action="'.htmlspecialchars($_SERVER['PHP_SELF']).'" method="post">
<table class="form_table"><tr><td style="padding:0 15px 0 0">Name:<br>
<input name="sender_name" type="text" maxlength="50" value="'.htmlspecialchars((string) @$mail['sender_name']).'" class="short_input"></td>

<td>E-mail Address:<br>
<input name="sender" type="text" maxlength="50" value="'.htmlspecialchars((string) @$mail['sender']).'" class="short_input"></td></tr>

<tr><td colspan=2><p>Subject:<br>
<input name="subject" type="text" maxlength="50" value="'.htmlspecialchars((string) @$mail['subject']).'" class="long_input">

<textarea name="message" rows="30" class="message_box">'.htmlspecialchars((string) @$mail_message).'</textarea>

<p><input type="submit" name="submit" value="Submit" class="submit">
</td></tr></table></form>';


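Added example, not part of AI_ContactForm: it re-implements the header pattern used by validate_mail() locally and compares it with a stricter check that rejects any CR, LF or NUL byte in a header-bound field, over constructed submissions keyed by the form's field names. The functions script_check and strict_check and the sample submissions are assumptions made for this example.

```php
<?php
// Added example, not part of AI_ContactForm: compare the script's header-injection
// pattern with a stricter "no line breaks at all" check over constructed submissions.

// Same pattern validate_mail() uses: a line break followed by "name:".
function script_check(string $value): bool {
    return (bool) preg_match_all("/(\r|\n)([^:]+):/", $value, $m);
}

// Stricter check (added here): any CR, LF or NUL in a field that ends up in a mail
// header is rejected, since a line break alone is enough to terminate that header.
function strict_check(string $value): bool {
    return (bool) preg_match("/[\r\n\0]/", $value);
}

// Constructed submissions; keys match the <FORM> fields the script reads from $_POST.
$submissions = [
    'clean'                  => ['sender' => 'alice@example.com', 'sender_name' => 'Alice', 'subject' => 'Hello'],
    'documented test string' => ['sender' => 'alice@example.com', 'sender_name' => 'Alice', 'subject' => "a\rBcc:spoof1\rTo:spoof2"],
    'bcc via sender'         => ['sender' => "alice@example.com\nBcc: x@example.net", 'sender_name' => 'Alice', 'subject' => 'Hello'],
    'blank line, no colon'   => ['sender' => "alice@example.com\r\n\r\ninjected text", 'sender_name' => 'Alice', 'subject' => 'Hello'],
];

// Report, per submission, which fields each check flags.
foreach ($submissions as $label => $fields) {
    $by_script = $by_strict = [];
    foreach ($fields as $name => $value) {
        if (script_check($value)) $by_script[] = $name;
        if (strict_check($value)) $by_strict[] = $name;
    }
    printf("%-24s script pattern: %-10s strict check: %s\n", $label,
        $by_script ? implode(',', $by_script) : '(none)',
        $by_strict ? implode(',', $by_strict) : '(none)');
}
```

The last case shows the limit of the script's pattern: it needs a "name:" after the line break, so a line break followed by a blank line and free text passes it, while the strict check still rejects that field.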