PHP mail form: Secure & Protected w/ CAPTCHA

Home Forums Languages PHP & MySQL PHP mail form: Secure & Protected w/ CAPTCHA

Tagged: , , ,

This topic contains 0 replies, has 1 voice, and was last updated by  echo 2 years, 8 months ago.

Viewing 1 post (of 1 total)
  • Author
    Posts
  • #15506

    echo
    Participant

    This isn’t super important, but I’m itching to find out what’s wrong.

    In order to curb a slightly annoying spam problem from getting out of hand like what happened w/ 2 older script installations, I decided to add a CAPTCHA to a contact form I have up on echoing.org. I’ve been getting 3-8 spam messages daily from it.

    The code mostly came from Jem’s PHP mail form tutorial on tutorialtastic circa 2007. At some point I updated the form on different sites to use a CAPTCHA.

    Out of laziness, instead of recoding the echoing.org form, I just copied & pasted one of the updated forms and changed the necessary details like which e-mail address, URL, etc. Unfortunately, this hasn’t worked out properly.

    For some reason the CAPTCHA image isn’t being displayed. Could someone please take a look at the code and tell me what went wrong? I’d be ever so grateful for any help!
    The code for the form itself:

    <form method="post" action="mail-e.php">
    <p><input type="text" name="name" id="name" value="who are you?" size="25" /></p>
    <p><input type="text" name="email" id="email" value="you@whatever.bla" size="25" /></p>
    <p><input type="text" name="url" id="url" value="http://" size="25" /></p>
    <p><textarea name="comments" id="comments" rows="1" cols="20">Go on, then. Tell me a story, wingy!</textarea></p>
    <p><img src="http://echoing.org/captcha.php" alt="humanity check" /><br />
    <input type="text" name="captcha" id="captcha" /> <br />
    <p><input type="submit" name="submit" id="submit" value="sing to me" /> 
    <input type="reset" name="reset" id="reset" value="out of key" /></p>
    </form>

    mail-e.php:

    <?php
    session_start();
    
    //Encrypt the posted code field and then compare with the stored key
    
    if(md5($_POST['captcha']) != $_SESSION['key'])
    {
      die("Error: You must enter the code correctly");
    }else{
      echo 'You entered the code correctly';
    }
    ?>
    
    <?php
    if (!isset($_POST['submit'])) {
    include('./header.php');
       echo "<h1>HEY!!! You just encountered an error!</h1>\n
          <p>You don't belong here. <strong>Because it's <em>wrong</em>.</strong> Go back and try again, please.</p>";
    include('./footer.php');
       exit;
    }
    
    function cleanUp($data) {
       $data = strip_tags($data);
       $data = trim(htmlentities($data));
       return $data;
    }
    
    $name      = cleanUp($_POST['name']);
    $email     = cleanUp($_POST['email']);
    $url       = cleanUp($_POST['url']);
    $comments  = cleanUp($_POST['comments']);
    
    if ((empty($name)) || (empty($email)) || (empty($comments))) {
    include('./header.php');
       echo "<h2>Input Error! Looks like you missed some stuff.</h2>\n
         <p><strong>Name</strong>, <strong>e-mail</strong> and <strong>comments</strong> are required fields. Please fill them in and try again:</p>";
    
       echo "<form action=\"mail-e.php\" method=\"post\"><p>";
       echo "<input type=\"text\" name=\"name\" id=\"name\" value=\"$name\" /> Name<br />";
       echo "<input type=\"text\" name=\"email\" id=\"email\" value=\"$email\" /> E-mail<br />";
       echo "<input type=\"text\" name=\"url\" id=\"url\" value=\"$url\" /> Site URL<br />";
       echo "<textarea name=\"comments\" id=\"comments\">$comments</textarea> Comments<br />";
       echo "<img src=\"http://echoing.org/captcha.php\" alt=\"humanity check\" style=\"margin-bottom: 2px;\" /><br />";
       echo "<input type=\"text\" name=\"captcha\" id=\"captcha\" /> <br />";
       echo "<input type=\"submit\" name=\"submit\" id=\"submit\" value=\"Send\" />";
       echo "</p></form>";
    include('./footer.php');
    
       exit;
    }
    
    if (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$",$email)) {
    include('./header.php');
    echo "<h2>Input Error</h2>\n
    <p>That e-mail address you entered - \"$email\" - is <em>not</em> a valid electronic address. Please edit it and send it in again, please:</p>";
    
       echo "<form action=\"mail-e.php\" method=\"post\"><p>";
       echo "<input type=\"text\" name=\"name\" id=\"name\" value=\"$name\" /> Name<br />";
       echo "<input type=\"text\" name=\"email\" id=\"email\" value=\"$email\" /> E-mail<br />";
       echo "<input type=\"text\" name=\"url\" id=\"url\" value=\"$url\" /> Site URL<br />";
       echo "<textarea name=\"comments\" id=\"comments\">$comments</textarea> Comments<br />";
       echo "<img src=\"captcha.php\" alt=\"humanity check\" style=\"margin-bottom: 2px;\" /><br />";
       echo "<input type=\"text\" name=\"captcha\" id=\"captcha\" /> <br />";
       echo "<input type=\"submit\" name=\"submit\" id=\"submit\" value=\"Send\" />";
       echo "</p></form>";
    include('./footer.php');
    
       exit;
    }
    
    $email = preg_replace("([\r\n])", "", $email);
    
    $find = "/(content-type|bcc:|cc:)/i";
    if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments)) {
    include('./header.php');
       echo "<h1>Error</h1>\n
          <p>No meta/header injections, please.</p>";
    include('./footer.php');
       exit;
    }
    
    $recipient = "my email address is here";
    $subject   = "paint me a wish on a velvet sky";
    
    $message   = "Name: $name \n";
    $message  .= "E-mail: $email \n";
    $message  .= "URL: $url \n";
    $message  .= "Comments: $comments";
    
    $headers   = "From: a wish painted on the velvet sky \r\n";
    $headers  .= "Reply-To: $email";
    
    if (mail($recipient,$subject,$message,$headers)) {
    include('./header.php');
       echo "<<p>WOO HOO! Your message was successfully sent to me! I'll read it as soon as I can. I may even respond! Thanks for using the form, fruitcake :)</p>";
    include('./footer.php');
    } else {
    include('./header.php');
       echo "<p>Something went awry. Your message didn't go through. Want to take another crack at it? Please do, I'd love to hear from you!</p>";
    include('./footer.php');
    }
    ?>

    captcha.php

    <?php
    //Start the session so we can store what the code actually is.
    session_start();
    
    //Now lets use md5 to generate a totally random string
    $md5 = md5(microtime() * mktime());
    
    /*
    We dont need a 32 character long string so we trim it down to 5
    */
    $string = substr($md5,0,5);
    
    /*
    Now for the GD stuff, for ease of use lets create
     the image from a background image.
    */
    
    $captcha = imagecreatefromjpeg("http://echoing.org/captcha.jpg");
    
    /*
    Lets set the colours, the colour $line is used to generate lines.
     Using a blue misty colours. The colour codes are in RGB
    */
    
    $black = imagecolorallocate($captcha, 0, 0, 0);
    $line = imagecolorallocate($captcha,233,239,239);
    
    /*
    Now to make it a little bit harder for any bots to break, 
    assuming they can break it so far. Lets add some lines
    in (static lines) to attempt to make the bots life a little harder
    */
    imageline($captcha,0,0,39,29,$line);
    imageline($captcha,40,0,64,29,$line);
    
    /*
    Now for the all important writing of the randomly generated string to the image.
    */
    imagestring($captcha, 5, 20, 10, $string, $black);
    
    /*
    Encrypt and store the key inside of a session
    */
    
    $_SESSION['key'] = md5($string);
    
    /*
    Output the image
    */
    header("Content-type: image/jpeg");
    imagejpeg($captcha);
    ?> 

    I don’t know where it all went wrong as I’m using pretty much the same code without problems here, here and here.

    P.S. The link to the CAPTCHA image wasn’t always http://echoing.org/captcha.php. On the other forms and initially with this one the code was ./captcha.php but I changed it in case that was the problem. Looks like it isn’t.

    P.P.S. The form isn’t really being used presently, but as I said, not knowing is driving me bonkers! ;)

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.