From: <>

  • D

    From: <>

    Hi,

    I have created a contact form in php for contact information and have
    made the e-mail a required field (requires you to input at least the
    "@")

    It works fine, but every once in a while I get blank e-mails with this
    in the "from" field:

    From: <>


    Anyone have any idea how someone could have sent the form and make it
    appear like that?

    Thanks in advance.

  • Bosconian

    #2
    Re: <>

    "D" <daudaniel@hotmail.com> wrote in message
    news:1165467303.130255.286790@j72g2000cwa.googlegroups.com...
    > Hi,
    >
    > I have created a contact form in php for contact information and have
    > made the e-mail a required field (requires you to input at least the
    > "@")
    >
    > It works fine, but every once in a while I get blank e-mails with this
    > in the "from" field:
    >
    > From: <>
    >
    >
    > Anyone have any idea how someone could have sent the form and make it
    > appear like that?
    >
    > Thanks in advance.
    >

    I'm not sure why the blank "from" field is sneaking through, but a slightly
    more robust validation will prevent it. There are plenty of regular
    expression patterns around that would do the job nicely.



    • Jerry Stuckle

      #3
      Re: From: <>

      D wrote:
      > Hi,
      >
      > I have created a contact form in php for contact information and have
      > made the e-mail a required field (requires you to input at least the
      > "@")
      >
      > It works fine, but every once in a while I get blank e-mails with this
      > in the "from" field:
      >
      > From: <>
      >
      >
      > Anyone have any idea how someone could have sent the form and make it
      > appear like that?
      >
      > Thanks in advance.
      >

      How are you validating the field? If you're using javascript, perhaps
      they have it disabled. If you're using PHP, perhaps you have a security
      hole - for instance, do you check your Subject line for the presence of
      newline characters?

      --
      ==================
      Remove the "x" from my email address
      Jerry Stuckle
      JDS Computer Training Corp.
      jstucklex@attglobal.net
      ==================


      • D

        #4
        Re: From: <>

        I am using php. This is my script:

        <?php

        /* PHP Document */

        /* Define where the e-mail goes, and the subject */

        define ('MAILTO', 'myemail@somewhere.com');
        define ('MAILSUBJECT', 'Contact Form');

        define ('REDIRECT', 'http://www.google.com' );


        /* Define the e-mail header */

        $headers = "From: {$_POST['name']} <{$_POST['email']}>\r\n" .
        "Content-Type: text/plain; charset=\"iso-8859-1\"";

        /* Capture the form values */

        $message = <<<EOM
        Contact form:

        Name: {$_POST['name']}
        E-mail: {$_POST['email']}

        Phone: {$_POST['phone']}

        Address:
        {$_POST['address']}
        {$_POST['city']} {$_POST['state']} {$_POST['zip']}

        Comments:
        {$_POST['comments']}

        EOM;

        mail (MAILTO, MAILSUBJECT, $message, $headers);
        header ('Location: ' . REDIRECT);

        ?>


        • Jerry Stuckle

          #5
          Re: From: <>

          D wrote:
          > I am using php. This is my script:
          >
          > <?php
          >
          > /* PHP Document */
          >
          > /* Define where the e-mail goes, and the subject */
          >
          > define ('MAILTO', 'myemail@somewhere.com');
          > define ('MAILSUBJECT', 'Contact Form');
          >
          > define ('REDIRECT', 'http://www.google.com' );
          >
          >
          > /* Define the e-mail header */
          >
          > $headers = "From: {$_POST['name']} <{$_POST['email']}>\r\n" .
          > "Content-Type: text/plain; charset=\"iso-8859-1\"";
          >
          > /* Capture the form values */
          >
          > $message = <<<EOM
          > Contact form:
          >
          > Name: {$_POST['name']}
          > E-mail: {$_POST['email']}
          >
          > Phone: {$_POST['phone']}
          >
          > Address:
          > {$_POST['address']}
          > {$_POST['city']} {$_POST['state']} {$_POST['zip']}
          >
          > Comments:
          > {$_POST['comments']}
          >
          > EOM;
          >
          > mail (MAILTO, MAILSUBJECT, $message, $headers);
          > header ('Location: ' . REDIRECT);
          >
          > ?>
          >

          This is a very insecure script. You are not doing any validation on any
          of the fields. Rather, you're just taking whatever the user inputs and
          putting it in your form.

          As soon as spammers find this page, they will be able to take advantage
          of it to send thousands or millions of spam messages from your site. I'm
          sure that won't make you very popular with your hosting service.

          I'd suggest you drop this one and get one of the more recent form mail
          scripts. Most have decent validation in their scripts.

          --
          ==================
          Remove the "x" from my email address
          Jerry Stuckle
          JDS Computer Training Corp.
          jstucklex@attglobal.net
          ==================


          • Michael Fesser

            #6
            Re: From: <>

            ..oO(D)
            >$headers = "From: {$_POST['name']} <{$_POST['email']}>\r\n" .
            This line allows header injection. Never (never!) use user-submitted
            data for anything without proper validation.

            Micha
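The header injection that Jerry (newlines in a header) and Micha (the From: line) point at, shown next to a hardened version of the same header construction. This is an added example, not code from the thread or from D's script; the two attacker submissions, the site address contact@example.com, and the choice to send From: a fixed site address with the visitor in Reply-To are all assumptions made for the illustration (PHP 7.1 or later for the nullable return type).

```php
<?php
// Added example, not code from the thread. The submissions below and the
// site address contact@example.com are constructed for illustration.

/* The original script's construction: raw $_POST values go into a header. */
function build_headers_unsafe(array $post): string
{
    return "From: {$post['name']} <{$post['email']}>\r\n"
         . "Content-Type: text/plain; charset=\"iso-8859-1\"";
}

/* Hardened construction. Returns null when the submission must not be mailed. */
function build_headers_safe(array $post): ?string
{
    // Reject non-string values too (a bot can submit name[]=x to get an array).
    $name  = is_string($post['name']  ?? null) ? trim($post['name'])  : '';
    $email = is_string($post['email'] ?? null) ? trim($post['email']) : '';

    // A CR or LF inside a header value ends that header and starts a new one,
    // so an attacker can append Bcc:, more To: lines, or a whole second
    // message. Refuse rather than strip, so tampering is visible in logs.
    if (preg_match('/[\r\n]/', $name . $email) === 1) {
        return null;
    }
    // Require a syntactically valid address, not merely the presence of "@".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Display name: letters, digits, spaces and a little punctuation, bounded
    // length; quotes and angle brackets could change how the address parses.
    if ($name === '' || strlen($name) > 64
        || preg_match('/^[\p{L}\p{N} .,\'-]+$/u', $name) !== 1) {
        return null;
    }

    // Send From: your own domain (assumed: contact@example.com) so SPF/DMARC
    // checks at the receiving side pass, and put the visitor in Reply-To so a
    // reply still reaches them.
    return "From: Contact Form <contact@example.com>\r\n"
         . "Reply-To: {$name} <{$email}>\r\n"
         . "Content-Type: text/plain; charset=\"utf-8\"";
}

/* Constructed submissions. */
$empty_post  = ['name' => '', 'email' => ''];          // bot posting a blank form
$attack_post = [                                       // CRLF smuggles a Bcc: header
    'name'  => 'Alice',
    'email' => "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",
];
$good_post   = ['name' => 'Alice', 'email' => 'alice@example.com'];

echo build_headers_unsafe($empty_post), "\n\n";   // the blank "From: <>" mail from the thread
echo build_headers_unsafe($attack_post), "\n\n";  // the Bcc: line reaches mail() as a real header

var_dump(build_headers_safe($empty_post));   // NULL
var_dump(build_headers_safe($attack_post));  // NULL
var_dump(build_headers_safe($good_post));    // string with From, Reply-To, Content-Type
```

Note that the message body built with the heredoc is not a header, so newlines there are harmless, and MAILTO and MAILSUBJECT are constants, so the $to and $subject arguments cannot be tampered with; the $headers string is the only injection point in D's script. Drop the submission when build_headers_safe() returns null instead of mailing it, and do the check server-side regardless of any JavaScript validation on the form.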
