PHP contact form help

alfred_e_neuman · 01-17-2013, 08:02 AM

Hi to all. This seems to be my week for asking questions, I guess.

Yesterday, we had a massive email attack which we believe was caused by a bot that harvested the email address from the contact form on our Web site. The file is named mail.php, and contains the following lines:

Code:

<?php
$ToEmail = 'recipient@ourcompany.com';
$EmailSubject = 'Company website contact form ';
$mailheader = "From: ".$_POST["email"]."\r\n";
~

I thought that simply replacing the email address of the recipient with the ascii equivalent in "$ToEmail", so as to obfuscate the address, would do the trick. Unfortunately, that fails. Can anyone show me how to do this correctly?

Many thanks.

thesnow · 01-17-2013, 09:11 AM

Can you post the error message and any other relevant lines of code?

TB0ne · 01-17-2013, 09:13 AM

Quote:

Originally Posted by alfred_e_neuman

Hi to all. This seems to be my week for asking questions, I guess.
Yesterday, we had a massive email attack which we believe was caused by a bot that harvested the email address from the contact form on our Web site. The file is named mail.php, and contains the following lines:

I thought that simply replacing the email address of the recipient with the ascii equivalent in "$ToEmail", so as to obfuscate the address, would do the trick. Unfortunately, that fails. Can anyone show me how to do this correctly?

Why do you say it fails? If it's because you continue to get spam....well, they already HAVE your address. Changing the address on the form won't do much, unless you know they're shoveling it through your PHP form, which is a possibility. You could always rename the page with the contact form on it, which would break any links/programs that spam bots are using, but it would be invisible to your users, since all they'll do is click the "Contact Us" button.

First thing I'd do is to create another mail address for that user, and just forward all emails from the original, compromised user to it, through your spam filter. That should cut things down dramatically (what spam filter are you using?) There are lots of good ways to hid addresses in PHP, some simple, some harder. These two pages have some good ideas:
http://csarven.ca/hiding-email-addresses
http://www.givegoodweb.com/post/67/php-email-obfuscate

The second link is my preferred method.

alfred_e_neuman · 01-17-2013, 11:44 AM

I'm not getting any more spam; I took care of that part by changing the email address. I obviously don't want a repeat of what we encountered earlier.

What I mean by "it fails" is that, if I substitute in the recipient email address sales@tld.com in ascii rather than text, the contact form info isn't mailed. Can I put ascii in "$ToEmail =" and, if so, how do I need to enter it?

TB0ne · 01-17-2013, 01:59 PM

Quote:

Originally Posted by alfred_e_neuman

I'm not getting any more spam; I took care of that part by changing the email address. I obviously don't want a repeat of what we encountered earlier.

What I mean by "it fails" is that, if I substitute in the recipient email address sales@tld.com in ascii rather than text, the contact form info isn't mailed. Can I put ascii in "$ToEmail =" and, if so, how do I need to enter it?

Yes, you can put it in ASCII or hex...the first link I posted has examples on how to do it. Also, you may want to try this handy little PHP function, hide_email:

Call it with:

Code:

<?php echo hide_email('sales@ltd.com'); ?>

...and the function itself:

Code:

function hide_email($email) { $character_set = '+-.0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'; 
$key = str_shuffle($character_set); 
$cipher_text = ''; 
$id = 'e'.rand(1,999999999); 
for ($i=0;$i<strlen($email);$i+=1) $cipher_text.= $key[strpos($character_set,$email[$i])]; 
$script = 'var a="'.$key.'";var b=a.split("").sort().join("");var c="'.$cipher_text.'";var d="";'; 
$script.= 'for(var e=0;e<c.length;e++)d+=b.charAt(a.indexOf(c.charAt(e)));'; 
$script.= 'document.getElementById("'.$id.'").innerHTML="<a href=\\"mailto:"+d+"\\">"+d+"</a>"'; 
$script = "eval(\"".str_replace(array("\\",'"'),array("\\\\",'\"'), $script)."\")"; 
$script = '<script type="text/javascript">/*<![CDATA[*/'.$script.'/*]]>*/</script>'; 
return '<span id="'.$id.'">[javascript protected email address]</span>'.$script; }

If you use that, the link on your page will be just "sales@ltd.com". If someone tries to view the source of the page to scrape the address, however, it'll look something like:

Code:

<span id="e790368416">[javascript protected email address]</span>
<script type="text/javascript">/*<![CDATA[*/eval("var a=\"nfcI46vymj8-W7aRh0pigQqoK329ruH.
skSLtGFwxDYXb+EO@ZUAlCJPT_dVez51NMB\";var b=a.split(\"\").sort().join(\"\");var c=\"e+Ve7e+VecXPC\";
var d=\"\";for(var e=0;e<c.length;e++)d+=b.charAt(a.indexOf(c.charAt(e)));
document.getElementById(\"e790368416\").innerHTML=\"<a href=\\\"mailto:\"+d+\"\\\">\"+d+\"</a>\"")/*]]>*/
</script>

YankeePride13 · 01-17-2013, 02:25 PM

@OP

If you have a mailto link on your page, remove it and substitute it for a form that will send the e-mail via hidden server-side PHP scripts to the address that will then be undisclosed. Place a captcha on this page so that you can restrict form submissions to those that can properly read the captcha and submit the accurate captcha response and not page-scraping bots.

alfred_e_neuman · 01-17-2013, 02:31 PM

TBone, forgive my stupidity, but where would those lines go in my php file?

TB0ne · 01-17-2013, 03:50 PM

Quote:

Originally Posted by alfred_e_neuman

TBone, forgive my stupidity, but where would those lines go in my php file?

That's up to you. Put the "echo" line that calls the routine wherever you put your mail address now. Put the rest of it somewhere on your current PHP page.

alfred_e_neuman · 01-17-2013, 04:18 PM

I think I've provided incomplete and unclear information to you about my issue. Apologies. Oh, and did I say that I didn't write this (programmer long gone, and out-of-touch), am tasked with fixing it, and am not really a programmer. There, I've come out! :-)

On our Web site, we have a contact page. Here's a code snippet from it:

Code:

    <h1>CONTACT FORM
    </h1><br />
      <br />
     <form action="mail.php" method="POST" name="contact_form" onsubmit="return validate()"  style="margin:0px;">
     <span class="fields"><strong>Dealership Name</strong> (required):</span>
        <input name="dealership" type="text" class="frmField1" id="dealership" />

	  <span class="fields"><strong>Contact Name</strong> (required):</span>
        <input name="contact_name" type="text" class="frmField1" id="contact_name" />

 <span class="fields"><strong>Address</strong> (required):</span>
       <input name="address" type="text" class="frmField1" id="address"/>

 <span class="fields"><strong>City</strong> (required):</span>
       <input name="city" type="text" class="frmField1" id="city"/>

	 <span class="fields"><strong>State</strong> (required):</span>
      <input name="state" type="text" class="frmField1" id="state" />

	  <span class="fields"><strong>ZIP</strong> (required):</span>
      <input name="zip" type="text" class="frmField1" id="zip" maxlength="5"  />

 <span class="fields"><strong>Phone</strong> (required):</span>
      <input name="phone" type="text" class="frmField1" id="phone" />

 <span class="fields"><strong>E-mail</strong> (required):</span>
     <input name="email" type="text" class="frmField1" id="email" />

	 <span class="fields"><strong>Comments:</strong></span>
       <textarea name="comments" cols="45" rows="5" class="frmField2" id="comments"></textarea>


      <input type="image" src="http://www.linuxquestions.org/questions/images/send.jpg" width="152" height="40" alt="Submit Form" border="0">

      </form>
	  <br />
  </div>
  </div>

As can be seen in the snippet, there's a form submission button. Also, there's reference to mail.php, which looks like this:

Code:

<?php
$ToEmail = 'sales@mycompany.com';
$EmailSubject = 'Mycompany website contact form ';
$mailheader = "From: ".$_POST["email"]."\r\n";
$mailheader .= "Reply-To: ".$_POST["email"]."\r\n";
$mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";
$MESSAGE_BODY .= "Dealership: ".$_POST["dealership"]."<br>";
$MESSAGE_BODY .= "Name: ".$_POST["contact_name"]."<br>";
$MESSAGE_BODY .= "Address: ".$_POST["address"]."<br>";
$MESSAGE_BODY .= "City: ".$_POST["city"]."<br>";
$MESSAGE_BODY .= "State: ".$_POST["state"]."<br>";
$MESSAGE_BODY .= "Zip: ".$_POST["zip"]."<br>";
$MESSAGE_BODY .= "Phone: ".$_POST["phone"]."<br>";
$MESSAGE_BODY .= "Email: ".$_POST["email"]."<br>";
$MESSAGE_BODY .= "Comments: ".nl2br($_POST["comments"])."<br>";
mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Mycompany Corporation</title>
<link href="script-css/style_inner.css" rel="stylesheet" type="text/css" />
<link href="script-css/slider.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="script-css/nivo-slider.css" type="text/css" media="screen" />

<script src="script-css/jquery.js"></script>
<script src="script-css/modernizr.js"></script>

<script>
$(document).ready(function(){

if(!Modernizr.input.placeholder){

	$('[placeholder]').focus(function() {
	  var input = $(this);
	  if (input.val() == input.attr('placeholder')) {
		input.val('');
		input.removeClass('placeholder');
	  }
	}).blur(function() {
	  var input = $(this);
	  if (input.val() == '' || input.val() == input.attr('placeholder')) {
		input.addClass('placeholder');
		input.val(input.attr('placeholder'));
	  }
	}).blur();
	$('[placeholder]').parents('form').submit(function() {
	  $(this).find('[placeholder]').each(function() {
		var input = $(this);
		if (input.val() == input.attr('placeholder')) {
		  input.val('');
		}
	  })
	});

}

});
</script>

<script type="text/javascript" src="script-css/lytebox.js"></script>
<link rel="stylesheet" type="text/css" href="script-css/lytebox.css" media="screen" />
<script type="text/javascript">

			$(function() {

				$("#tabs").tabs({ selected: 0 });

			});



			function initalizeGoogleMaps() {

				frames['lbIframe'].initialize();

			}



			var bMobileDevice = $lb.isMobile();



			// Show the Steve Jobs tribute.

			function showTribute() {

				$lb.launch({

					url: "steve_jobs.png",

					options: "showPrint:true",

					title: "Steve Jobs, 1955-2011",

					description: '<a href="https://www.cancer.org/Involved/Donate/index" target="_blank" onclick="trackDownload(\'ACS Donate\')">Click here to make a donation to the American Cancer Society</a>'

				});

			}



			// This will reparse the page to enable FB Like buttons that were added after page load (dynamically, that is).

			function fbParse() {

				// <fb:like href='http://lytebox.com' send='true' width='50' layout='button_count' show_faces='false' action='like' font=''></fb:like>

				FB.XFBML.parse();

			}

		</script>
</head>

<body>
<div id="warper">
  <div id="header1">
    <div class="logo"><img src="http://www.linuxquestions.org/questions/images/logo.jpg" width="290" height="135" alt="" /></div>
    <div id="login"><a href="login.html" class="c">Login Here</a></div>
    <div id="tag_line">At Mycompany Corporation, our goal is to<br>be successful.</div>
    <div id="nav">
             <ul id="sddm">
              <li><a href="index.html">HOME</a></li>
              <li><a href="about.html">ABOUT US</a></li>
              <li><a href="#">DEALERS</a></li>
              <li><a href="#">CUSTOMERS</a></li>
              <li><a href="contact_us.html">CONTACT US</a></li>
            </ul>
    </div>
  </div>

  <div id="content1">

  <div class="left">
    <div class="left_txt"><h1>OUR ADDRESS</h1><br />
<br />
<h2>P.O. Box 1111
<br />
Somewhere, USA 00000.</h2>

<span class="maintxt1">Telephone: 888 888 8888 <br />
FAX: 888 8888 8889
<br />
E-mail: <a href="mailto:THIS IS WRITTEN IN ASCII" class="d">THIS IS WRITTEN IN ASCII</a></span><br />
<br />
<h2>Borrowers can contact our Customer Service Department here: <a href="mailto:THIS IS WRITTEN IN ASCII" class="d">THIS IS WRITTEN IN ASCII</a></h2></div>
  </div>

  <div class="right">

      <h6>Thank you for contacting us! We'll be in touch soon.</h6>

  </div>

  </div>

</div>

<div id="footer">
  <div id="f_txt"><table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td align="center">Copyright © 2012 Mycompany Corporation.  All Rights Reserved.    <a href="privacy_policy.html" class="lytebox" data-lyte-options="width:600 height:440">Privacy Policy</a> |  <a href="terms_of_use.html" class="lytebox" data-lyte-options="width:600 height:440">Terms of Use</a>

       </td>
  </tr>
</table>
</div>


</div>

</body>
</html>

Given this, I need for the submit button to work, but for the email address in mail.php to be obfuscated. Hope I'm being clear, and not being to big a pita.

YankeePride13 · 01-18-2013, 07:36 AM

Quote:

Originally Posted by alfred_e_neuman

I think I've provided incomplete and unclear information to you about my issue. Apologies. Oh, and did I say that I didn't write this (programmer long gone, and out-of-touch), am tasked with fixing it, and am not really a programmer. There, I've come out! :-)

On our Web site, we have a contact page. Here's a code snippet from it:

Code:

    <h1>CONTACT FORM
    </h1><br />
      <br />
     <form action="mail.php" method="POST" name="contact_form" onsubmit="return validate()"  style="margin:0px;">
     <span class="fields"><strong>Dealership Name</strong> (required):</span>
        <input name="dealership" type="text" class="frmField1" id="dealership" />

	  <span class="fields"><strong>Contact Name</strong> (required):</span>
        <input name="contact_name" type="text" class="frmField1" id="contact_name" />

 <span class="fields"><strong>Address</strong> (required):</span>
       <input name="address" type="text" class="frmField1" id="address"/>

 <span class="fields"><strong>City</strong> (required):</span>
       <input name="city" type="text" class="frmField1" id="city"/>

	 <span class="fields"><strong>State</strong> (required):</span>
      <input name="state" type="text" class="frmField1" id="state" />

	  <span class="fields"><strong>ZIP</strong> (required):</span>
      <input name="zip" type="text" class="frmField1" id="zip" maxlength="5"  />

 <span class="fields"><strong>Phone</strong> (required):</span>
      <input name="phone" type="text" class="frmField1" id="phone" />

 <span class="fields"><strong>E-mail</strong> (required):</span>
     <input name="email" type="text" class="frmField1" id="email" />

	 <span class="fields"><strong>Comments:</strong></span>
       <textarea name="comments" cols="45" rows="5" class="frmField2" id="comments"></textarea>


      <input type="image" src="http://www.linuxquestions.org/questions/images/send.jpg" width="152" height="40" alt="Submit Form" border="0">

      </form>
	  <br />
  </div>
  </div>

As can be seen in the snippet, there's a form submission button. Also, there's reference to mail.php, which looks like this:

Code:

<?php
$ToEmail = 'sales@mycompany.com';
$EmailSubject = 'Mycompany website contact form ';
$mailheader = "From: ".$_POST["email"]."\r\n";
$mailheader .= "Reply-To: ".$_POST["email"]."\r\n";
$mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";
$MESSAGE_BODY .= "Dealership: ".$_POST["dealership"]."<br>";
$MESSAGE_BODY .= "Name: ".$_POST["contact_name"]."<br>";
$MESSAGE_BODY .= "Address: ".$_POST["address"]."<br>";
$MESSAGE_BODY .= "City: ".$_POST["city"]."<br>";
$MESSAGE_BODY .= "State: ".$_POST["state"]."<br>";
$MESSAGE_BODY .= "Zip: ".$_POST["zip"]."<br>";
$MESSAGE_BODY .= "Phone: ".$_POST["phone"]."<br>";
$MESSAGE_BODY .= "Email: ".$_POST["email"]."<br>";
$MESSAGE_BODY .= "Comments: ".nl2br($_POST["comments"])."<br>";
mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Mycompany Corporation</title>
<link href="script-css/style_inner.css" rel="stylesheet" type="text/css" />
<link href="script-css/slider.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="script-css/nivo-slider.css" type="text/css" media="screen" />

<script src="script-css/jquery.js"></script>
<script src="script-css/modernizr.js"></script>

<script>
$(document).ready(function(){

if(!Modernizr.input.placeholder){

	$('[placeholder]').focus(function() {
	  var input = $(this);
	  if (input.val() == input.attr('placeholder')) {
		input.val('');
		input.removeClass('placeholder');
	  }
	}).blur(function() {
	  var input = $(this);
	  if (input.val() == '' || input.val() == input.attr('placeholder')) {
		input.addClass('placeholder');
		input.val(input.attr('placeholder'));
	  }
	}).blur();
	$('[placeholder]').parents('form').submit(function() {
	  $(this).find('[placeholder]').each(function() {
		var input = $(this);
		if (input.val() == input.attr('placeholder')) {
		  input.val('');
		}
	  })
	});

}

});
</script>

<script type="text/javascript" src="script-css/lytebox.js"></script>
<link rel="stylesheet" type="text/css" href="script-css/lytebox.css" media="screen" />
<script type="text/javascript">

			$(function() {

				$("#tabs").tabs({ selected: 0 });

			});



			function initalizeGoogleMaps() {

				frames['lbIframe'].initialize();

			}



			var bMobileDevice = $lb.isMobile();



			// Show the Steve Jobs tribute.

			function showTribute() {

				$lb.launch({

					url: "steve_jobs.png",

					options: "showPrint:true",

					title: "Steve Jobs, 1955-2011",

					description: '<a href="https://www.cancer.org/Involved/Donate/index" target="_blank" onclick="trackDownload(\'ACS Donate\')">Click here to make a donation to the American Cancer Society</a>'

				});

			}



			// This will reparse the page to enable FB Like buttons that were added after page load (dynamically, that is).

			function fbParse() {

				// <fb:like href='http://lytebox.com' send='true' width='50' layout='button_count' show_faces='false' action='like' font=''></fb:like>

				FB.XFBML.parse();

			}

		</script>
</head>

<body>
<div id="warper">
  <div id="header1">
    <div class="logo"><img src="http://www.linuxquestions.org/questions/images/logo.jpg" width="290" height="135" alt="" /></div>
    <div id="login"><a href="login.html" class="c">Login Here</a></div>
    <div id="tag_line">At Mycompany Corporation, our goal is to<br>be successful.</div>
    <div id="nav">
             <ul id="sddm">
              <li><a href="index.html">HOME</a></li>
              <li><a href="about.html">ABOUT US</a></li>
              <li><a href="#">DEALERS</a></li>
              <li><a href="#">CUSTOMERS</a></li>
              <li><a href="contact_us.html">CONTACT US</a></li>
            </ul>
    </div>
  </div>

  <div id="content1">

  <div class="left">
    <div class="left_txt"><h1>OUR ADDRESS</h1><br />
<br />
<h2>P.O. Box 1111
<br />
Somewhere, USA 00000.</h2>

<span class="maintxt1">Telephone: 888 888 8888 <br />
FAX: 888 8888 8889
<br />
E-mail: <a href="mailto:THIS IS WRITTEN IN ASCII" class="d">THIS IS WRITTEN IN ASCII</a></span><br />
<br />
<h2>Borrowers can contact our Customer Service Department here: <a href="mailto:THIS IS WRITTEN IN ASCII" class="d">THIS IS WRITTEN IN ASCII</a></h2></div>
  </div>

  <div class="right">

      <h6>Thank you for contacting us! We'll be in touch soon.</h6>

  </div>

  </div>

</div>

<div id="footer">
  <div id="f_txt"><table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td align="center">Copyright © 2012 Mycompany Corporation.  All Rights Reserved.    <a href="privacy_policy.html" class="lytebox" data-lyte-options="width:600 height:440">Privacy Policy</a> |  <a href="terms_of_use.html" class="lytebox" data-lyte-options="width:600 height:440">Terms of Use</a>

       </td>
  </tr>
</table>
</div>


</div>

</body>
</html>

Given this, I need for the submit button to work, but for the email address in mail.php to be obfuscated. Hope I'm being clear, and not being to big a pita.

The variables in mail.php, and the code to send the mail, will never be seen to someone who visits your contact page. PHP scripts are executed on the server and only html/javascript will be seen by the user in your case. To see this, visit your contact page hit submit and then do a View Source on your browser and see if you can find the e-mail address.

hpfeil · 01-19-2013, 12:18 PM

You can start by upgrading PHP to Version 5.4.11.
They fixed over a dozen security-related bugs on 17Jan2013.

http://www.php.net/ChangeLog-5.php