Aangezien ik net een maandje of wat zo nu en dan kleine PHP scriptjes schrijf en ik veel lees over onveilige forumulieren, vraag ik mij af of mijn formulier veilig genoeg is. Op hoop op opbouwende kritiek. Helaas zie ik regelmatig commentaar van blijkbaar PHP kenners wat je eerder afschikt om uberhaupt iets te durven vragen hier. Maar goed, ik doe een poging.
Groet,
Hans
Hierbij mijn script:
<?php
/*
This is a sample contact form with captcha
create a file captcha.php with the following content:
session_start();
$chiffre = rand(120000,600000);
$_SESSION['chiffre'] = $chiffre;
$im = imagecreate (70, 20);
$background_color = imagecolorallocate ($im, 100, 100, 120);
$text_color = imagecolorallocate ($im, 255, 255, 255);
imagestring ($im, 5, 10, 2,$_SESSION['chiffre'], $text_color);
imagepng ($im);
*/
// this form needs captcha.php
session_start(); // for captcha
// use the correct header for sticky form
header("Cache-Control: private");
// language variables. Change it if necessary
$var0 = "Contact Form"; // Your form name
$var1 = "Please type your email address correctly.";
$var2 = "Please type your email address.";
$var3 = "Please type your name.";
$var4 = "Please type your telephone.";
$var5 = "Please retype the code.";
$var6 = "The retyped code does not correspond.";
$var7 = "Go back";
$var8 = " send you the following message:";
$var9 = "From:";
$var10 = "subject..."; // Type a subject here for the mail message
$var11 = "Thanks for your message";
$var12 = "Your input is send. We shall reply ASAP";
$var13 = "Click here to continue"; // not in use
$var14 = "All fields are required";
$var15 = "Email address: ";
$var16 = "Name: ";
$var17 = "Telephone: ";
$var18 = "Retype the code: ";
$var19 = "Send";
$var20 = "Reset";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title><?php echo $var0; ?></title>
</head>
<body>
<?
// register global stuff...
if ((substr(phpversion(),0,1) <= 3) || ((substr(phpversion(),0,1) == 4) && (substr(phpversion(),2,1) == 0))) {
if (isset($HTTP_POST_VARS)) $_POST =& $HTTP_POST_VARS;
}
if (@get_cfg_var("register_globals") != 1) {
if (isset($_POST)) extract($_POST);
}
// check content of fields before handling the input of the form
if (isset($_POST['submit'])){
$form_ok=true;
// check for valid email address
if(!eregi("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,4})$", $_POST['mail']) && !empty($_POST['mail'])) {
$form_ok=false;
echo $var1."<br />\n";
}
// if empty...
if(empty($_POST['mail'])){
$form_ok=false;
echo $var2."<br />\n";
}
// if empty...
if(empty($_POST['name'])){
$form_ok=false;
echo $var3."<br />\n";
}
// if empty...
if(empty($_POST['tel'])){
$form_ok=false;
echo $var4."<br />\n";
}
// if captcha code not equal or empty
if ($captcha <> $_SESSION['chiffre']){
$form_ok=false;
if (empty($_POST['captcha'])){
echo $var5."<br />\n";;
} else {
echo $var6."<br />\n";;
}
}
// Oeps, you have forgotten to fill in a field :-(
if ($form_ok==false){
echo "<h4><a href='javascript:history.back(-1)'><font color= red> $var7</a></font></h4>\n";
}
// Ok, you have filled in all required fields :-)
// Let's make the content save before sending...
if ($form_ok==true){
// mail to:
$recipient = "[email protected]";
// mail from:
// The email header with email injection protection
$headers = $var9." " . $_POST['name'] . " <" . $_POST['mail'] . ">";
$headers = str_replace("\n", "", $headers); // remove enter
$headers = str_replace("\r", "", $headers); // remove enter
$headers = str_replace("\"", "\\\"", str_replace("\\", "\\\\", $headers)); // remove slashes from quotes
// message:
$message = $_POST['name']." ".$var8."\n\n".$var16.$_POST['name']."\n".$var15.$_POST['mail']."\n".$var17.$_POST['tel']."\n";
// remove unwanted code in message
$message = strip_tags($message);
// Now it's save to send mail to the recipient
// $var10 is the Subject
mail("$recipient","$var10","$message","$headers");
// Report on screen to visitor
echo "<h3><b> ".$var11."</h3></b><br />\n";
echo " ".$var12."<br />\n";
// maybe extra code with a link to go to the homepage of your website ?
// echo "<a href='www.blabla.com'><b><font color= red > ".$var13."<br /></a></font></b>\n";
}
?>
</body>
</html>
<?php
exit();
}
?>
<h3><?php echo $var0; ?></h3>
<form method="post" action="contactform.php">
<table width='550' border='0' cellspacing='0' cellpadding='0' style="background-color:#CBE6FF;">
<tr><td colspan='2' style="background-color:#99ccff;"><font color= red> * </font color><?php echo $var14; ?><br /><br /></td></tr>
<tr><td><b> <?php echo $var16; ?></b></td><td><input type="text" name="name" SIZE="50" MAXLENGTH="100" value='<?php echo $_POST['name']; ?>' size="25"></td></tr>
<tr><td><b> <?php echo $var15; ?></b></td><td><input type="text" name="mail" SIZE="50" MAXLENGTH="100" value='<?php echo $_POST['mail']; ?>' size="25"></td></tr>
<tr><td><b> <?php echo $var17; ?></b></td><td><input type="text" name="tel" SIZE="10" MAXLENGTH="10" value='<?php echo $_POST['tel']; ?>' size="25"></td></tr>
<!-- extra for captcha -->
<tr><td><b> <?php echo $var18; ?></b><img src="captcha.php" alt="captcha" /></td><td><input type="text" name="captcha" class="texte" size="6"></td></tr>
<!-- end extra for captcha -->
</table><br />
<input type="submit" name="submit" value="<?php echo $var19 ?>" style="background-color:#99ccff; color:black;">
<input type="reset" name="reset" value="<?php echo $var20 ?>" style="background-color:#99ccff; color:black;">
</form>
</body>
</html>