
validation to send email/message


Ante0

Programmer
Apr 19, 2007
98
SE
Hi, I'm using this php script I made myself...
On my website I have a page called Contact, so you can send an email to me using a simple form.
To decrease spam messages I added a simple validation script:

Code:
contact.php
<?php
$num1 = rand(1,20);
$num2 = rand(1,20);
?>

<input type="hidden" name="numb1" value="<?php echo $num1 ?>" />
<input type="hidden" name="numb2" value="<?php echo $num2 ?>" />

<span class="style1">What is: <?php echo $num1 . "+" . $num2 . "?" ?></span>
<input type="text" name="validator" size="35" />
<input type="submit" value="Send Mail" />

send.php
<?php
$sum1 = $_POST['numb1']+$_POST['numb2'];

if ($sum1 != $_POST['validator']) {
    die ("Validation code is not correct!");
}
?>

That's the code I use to validate..
Question is, how safe is it against spam bots?
Could they just take for example 15+15 and turn it into 30 then paste it into the text box and send?
Should I use captcha or something instead to be on the safe side?
 
It's a start. clever bots will work it out. if your site is high traffic, the spammers will code for it.

and more importantly it's a bit of a barrier for genuine visitors to your site.

try it out and see whether it works for you.

alternatively I have posted an alternative to captcha that i think is pretty good against spam bots. you can find it here
 
You should never rely on hidden values. In fact, if you submit the form with only the "mail" parameters, your validation is 0+0=0 and will pass (depending on your error trapping).

It is better to use a session and keep the answer in the session. Humanize ("thirty-three" instead of 33) it, and you effectively built yourself a captcha. How good it is, only experience can tell. A lot of captchas can be broken with enough effort. If your site is worth the effort, your captcha should be really good.

One of my tricks is asking to leave a field empty (or hiding it with css "white on white" colouring). Most bots just enter random data in all fields to prevent incomplete submissions.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
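An added example (not code from this thread) of the two ideas in the post above: the expected answer is kept in the session and shown in words, and an extra field that a real visitor never sees must stay empty. The word table, the field names and the off-screen CSS are assumptions made for this example.

```php
<?php
// Added example, not the thread's own code: challenge answer kept in $_SESSION
// (never in a hidden field) plus a honeypot field ("website") hidden by CSS.
session_start();

// Spell out 0..40 in words, e.g. 33 -> "thirty-three" (helper written for this example).
function humanize(int $n): string {
    $ones = ['zero','one','two','three','four','five','six','seven','eight','nine',
             'ten','eleven','twelve','thirteen','fourteen','fifteen','sixteen',
             'seventeen','eighteen','nineteen'];
    $tens = [2 => 'twenty', 3 => 'thirty', 4 => 'forty'];
    if ($n < 20) { return $ones[$n]; }
    $w = $tens[intdiv($n, 10)];
    return $n % 10 ? $w . '-' . $ones[$n % 10] : $w;
}

function newChallenge(): string {
    $a = random_int(1, 20);
    $b = random_int(1, 20);
    $_SESSION['answer'] = $a + $b;       // the answer stays server-side
    return 'What is ' . humanize($a) . ' plus ' . humanize($b) . '?';
}

function submissionIsHuman(array $post): bool {
    if (!empty($post['website'])) { return false; }       // honeypot was filled in
    if (!isset($_SESSION['answer'])) { return false; }    // no challenge was issued
    $expected = $_SESSION['answer'];
    unset($_SESSION['answer']);                           // one attempt per challenge
    $given = strtolower(trim($post['validator'] ?? ''));
    // Accept either the digits or the worded form of the answer.
    return $given === (string) $expected || $given === humanize($expected);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    echo submissionIsHuman($_POST) ? "ok, sending mail\n" : "validation failed\n";
    exit;
}
$question = htmlspecialchars(newChallenge(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <label>$question <input type="text" name="validator"></label>
  <div style="position:absolute;left:-9999px">
    <input type="text" name="website" tabindex="-1" autocomplete="off">
  </div>
  <input type="submit" value="Send Mail">
</form>
HTML;
```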
 
By the way, I hope you also validate against header injections. If you encounter a newline character in any part of the mail message that is not the body (for instance, the subject must not contain newlines), don't send the mail.



+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
Quoting DonQuichote (Programmer), 10 Oct 08 15:51:
By the way, I hope you also validate against header injections. If you encounter a newline character in any part of the mail message that is not the body (for instance, the subject must not contain newlines), don't send the mail.

I read about this yesterday.
Now, my site has been up for about a week, and has had ~100 visitors.
So I don't think there'll be any spam attacks anytime soon, but I guess I should use something safer.
 
you'll never know (or may never know) whether someone is misusing a comment email form. there are ways to take advantage of badly coded form processing code in order to use it as an open relay.

we can help you if you post the code you use. Also consider using phpmailer as the engine for your mails as this will, to some degree, help avoid these attack vectors.
 
Contact.php
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Email Form </title>
<style type="text/css">
<!--
.style1 {
	font-family: Arial, Helvetica, sans-serif;
	font-size: 10px;
}
-->
</style>
</head>
<body bgcolor="#000000" text="#FFFFFF">

<form method="post" action="sendeail.php">

<?php
$num1 = rand(1,20);
$num2 = rand(1,20);
$ipi = getenv("REMOTE_ADDR");
$httprefi = getenv("HTTP_REFERER");
$httpagenti = getenv("HTTP_USER_AGENT");
?>

<input type="hidden" name="ip" value="<?php echo $ipi ?>" />
<input type="hidden" name="httpref" value="<?php echo $httprefi ?>" />
<input type="hidden" name="httpagent" value="<?php echo $httpagenti ?>" />
<input type="hidden" name="numb1" value="<?php echo $num1 ?>" />
<input type="hidden" name="numb2" value="<?php echo $num2 ?>" />

<span class="style1">Your Name: </span><br />
<input type="text" name="visitor" size="35" />
<br />
<span class="style1">Your Email:</span><br />
<input type="text" name="visitormail" size="35" />
<br /> <br />
<span class="style1">Mail Message:</span><br />
<textarea name="notes" rows="4" cols="40"></textarea><br /><br />
<span class="style1">Spam Protection</span><br />
<span class="style1">What is: <?php echo $num1 . "+" . $num2 . "?" ?></span><br />
<input type="text" name="validator" size="35" /> 
<br /><br />
<input type="submit" value="Send Mail" />
<br />
</form>

</body>
</html>

sendeail.php
Code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sendemail Script</title>
<link rel="stylesheet" type="text/css" href="css.css">
<style type="text/css">
<!--
.style1 {
	font-family: Arial, Helvetica, sans-serif;
	font-size: 20px;
}
-->
</style>
</head>
<body bgcolor="#000000" text="#FFFFFF">

<!-- Reminder: Add the link for the 'next page' (at the bottom) -->
<!-- Reminder: Change 'YourEmail' to Your real email -->

<?php

$ip = $_POST['ip'];
$visitor = $_POST['visitor'];
$visitormail = $_POST['visitormail'];
$notes = $_POST['notes'];
$attn = "Email from Ante0.com";
$sum1 = $_POST['numb1']+$_POST['numb2'];

if ($sum1 != $_POST['validator']) {
die ("Validation code is not correct!");
}

// Reject messages that contain links (preg_match replaces the removed eregi())
if (preg_match('/http:/i', $notes)) {
die ("Do NOT try that! ! ");
}
// Rough address check: a non-empty address must contain both "@" and "."
if ($visitormail != "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
{
echo "<h2>Use Back - Enter valid e-mail</h2>\n";
$badinput = "<h2>Feedback was NOT submitted</h2>\n";
echo $badinput;
die ("Go back! ! ");
}

if(empty($visitor) || empty($visitormail) || empty($notes )) {
echo "<h2>Use Back - fill in all fields</h2>\n";
die ("Use back! ! ");
}

$todayis = date("l, F j, Y, g:i a") ;

$attn = $attn ;
$subject = $attn;

$notes = stripcslashes($notes);

$message = "
From: $visitor ($visitormail)\n
$notes \n
\n
IP: $ip \n
";

$from = "From: $visitormail\r\n";


mail("myemail@domain.com", $subject, $message, $from);

?>

<p align="center">
<span class="style1">Thanks for your E-Mail, <?php echo $visitor ?> ( <?php echo $visitormail ?> )!
<br />
<br />
<br />
<a href="javascript:window.close();"> Close </a></p>

</body>
</html>

changed my email to "myemail@domain.com" just for privacy :)
Well, this is all anyhow :)
I'm not sure how I should implement "\n" detection.
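As an added example (not the poster's code), one way to put the newline detection asked about above into sendeail.php: any value that would reach a mail header is rejected if it contains CR, LF or NUL, the visitor's address goes only into Reply-To after a format check, and the IP comes from $_SERVER instead of a hidden field. The site's From address and the sample submissions are constructed for this example.

```php
<?php
// Added example, not the thread's own code: build the mail so that visitor input
// never reaches a header line unchecked.

// A value may be placed in a header only if it contains no CR, LF or NUL.
function headerSafe(string $value): bool {
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

// The visitor's address must be a single, syntactically valid mailbox.
function validAddress(string $addr): bool {
    return headerSafe($addr) && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns subject/body/headers for mail(), or null when the submission is rejected.
function buildMail(array $post, string $ip): ?array {
    $visitor     = trim($post['visitor'] ?? '');
    $visitormail = trim($post['visitormail'] ?? '');
    $notes       = $post['notes'] ?? '';
    if ($visitor === '' || $visitormail === '' || $notes === '') { return null; }
    if (!headerSafe($visitor) || !validAddress($visitormail)) { return null; }

    // Fixed From (assumed site address); the visitor's address only in Reply-To.
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: $visitormail\r\n";
    // Newlines in the body are harmless: only header lines matter here.
    $body = "From: $visitor ($visitormail)\n\n$notes\n\nIP: $ip\n";
    return ['subject' => 'Email from Ante0.com', 'body' => $body, 'headers' => $headers];
}

// Constructed sample: an address carrying a line break and an extra header line.
$attempt = [
    'visitor'     => 'Bob',
    'visitormail' => "bob@example.com\r\nX-Injected: yes",
    'notes'       => 'hello',
];
echo buildMail($attempt, '203.0.113.5') === null
    ? "submission with newline in address rejected\n"
    : "BUG: newline reached the headers\n";

// Constructed clean sample: accepted and handed to mail().
$clean = ['visitor' => 'Bob', 'visitormail' => 'bob@example.com', 'notes' => 'hello'];
$mail  = buildMail($clean, $_SERVER['REMOTE_ADDR'] ?? '203.0.113.5');
if ($mail !== null) {
    mail('myemail@domain.com', $mail['subject'], $mail['body'], $mail['headers']);
}
```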
 