




Form data is OK.
';
//print_r($_POST);
//echo '';
/*
safe_mail()
Fix all of the bloody exploits for MIME and whatever else, such as injection.
Strip all of the LF and CR, and then make sure there's no MIME or boundary information:
version 1.0.0 (28 Oct 2005)
*/
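/**
 * Send a message through PHP's mail() only when no argument looks like a
 * header-injection or MIME-injection attempt.
 *
 * The call is rejected when either rule matches:
 *  - $p_to, $p_subject or $p_headers contains a CR or LF. These three values
 *    are placed in the header section of the outgoing message, where a line
 *    break would let the submitter start a header of their own.
 *  - $p_to, $p_subject, $p_message or $p_headers contains "Content-Type" or
 *    "boundary=" (case-insensitive).
 *
 * The CR/LF rule is the structural defence. The substring rule is a
 * heuristic second layer and also rejects harmless text that merely mentions
 * those words. $p_message is not tested for CR/LF because a body is
 * legitimately multi-line. Since $p_headers may not contain a line break, at
 * most one extra header line can be supplied.
 *
 * @param string      $p_to         Recipient address.
 * @param string      $p_subject    Subject line.
 * @param string      $p_message    Message body.
 * @param string|null $p_headers    Optional single extra header line.
 * @param string|null $p_paramaters Accepted for signature compatibility but
 *                                  never forwarded: mail()'s fifth argument is
 *                                  handed to the mailer command line, so it
 *                                  stays out of reach of callers.
 *
 * @return bool The result of mail() when the input is accepted; false when it
 *              is rejected (after echoing the "Bad Data" notice).
 */
function safe_mail($p_to,$p_subject,$p_message,$p_headers=null,$p_paramaters=null)
{
    // Work on string copies. A null header argument becomes '' so that neither
    // the checks below nor mail() receive null (deprecated for string
    // parameters of built-in functions since PHP 8.1).
    $to      = (string) $p_to;
    $subject = (string) $p_subject;
    $message = (string) $p_message;
    $headers = ($p_headers === null) ? '' : (string) $p_headers;

    $format_good = true;

    // Header-bound fields must be a single line. eregi() was removed in
    // PHP 7.0; strpbrk() performs the same "contains CR or LF" test.
    foreach (array($to, $subject, $headers) as $field) {
        if (strpbrk($field, "\r\n") !== false) {
            $format_good = false;
        }
    }

    // MIME markers are refused in every field, the body included.
    foreach (array($to, $subject, $message, $headers) as $field) {
        if (stripos($field, 'Content-Type') !== false || stripos($field, 'boundary=') !== false) {
            $format_good = false;
        }
    }

    if ($format_good) {
        return mail($to, $subject, $message, $headers);
    }

    // Uncomment the code below if you want to track spambots
    // NOTE(review): if enabled, this appends raw submitter-controlled fields to
    // a fixed file under /tmp. Prefer a location that other local users cannot
    // read or pre-create, and strip CR/LF and control characters from the
    // logged values so a submission cannot forge log entries.
    // $_SERVER["REMOTE_HOST"] is only populated when the web server performs
    // reverse lookups, so guard it with isset().
    /*
    $script_location = $_SERVER["SCRIPT_FILENAME"];
    $attempt_from = $_SERVER["REMOTE_HOST"]."(".$_SERVER["REMOTE_ADDR"].")";
    $data ="============================================\nsafe_mail: $attempt_from $script_location \n$p_to||$p_subject||$p_message||$p_headers||$p_paramaters||\n\n";
    $fhandle = fopen("/tmp/emailinjection.log.txt", "a+");
    fwrite($fhandle,$data);
    fflush($fhandle);
    fclose($fhandle);
    */
    echo "Bad Data. Your submission included invalid information!";
    return false;
}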
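// Read the submitted fields. A missing key or a non-string value (for example
// a field posted as FIRST_NAME[]=x) becomes '' so the script neither raises
// undefined-index notices nor interpolates the word "Array" into the mail.
$firstname = (isset($_POST["FIRST_NAME"]) && is_string($_POST["FIRST_NAME"])) ? $_POST["FIRST_NAME"] : '';
$lastname = (isset($_POST["LAST_NAME"]) && is_string($_POST["LAST_NAME"])) ? $_POST["LAST_NAME"] : '';
$email = (isset($_POST["EMAIL"]) && is_string($_POST["EMAIL"])) ? $_POST["EMAIL"] : '';
$phone = (isset($_POST["PHONE_NUMBER"]) && is_string($_POST["PHONE_NUMBER"])) ? $_POST["PHONE_NUMBER"] : '';
$comments = (isset($_POST["comments"]) && is_string($_POST["comments"])) ? $_POST["comments"] : '';
$contact_type = "Regular Contact Form";
$name = "$firstname $lastname";
$timenow = date("m-d-Y");
// Both values come from the client request and are informational only.
$browser = getenv('HTTP_USER_AGENT');
$ip = getenv('REMOTE_ADDR');
$Subject = "Contact Form";
// format message
// Every submitted value lands in the body only. The recipient and the subject
// passed to safe_mail() below are fixed strings, so no request data reaches a
// mail header from this script.
$message = "
Date: $timenow
Name: $firstname $lastname
Email: $email
Phone: $phone
-----------------------------
Comments: $comments
-----------------------------
IP: $ip
Browser: $browser
** Note all email addresses have been stripped of the 'at' sign and replaced with '_at_'. This is to protect the form from being used as a spam relay. **
";
// Applied to the whole body, so an '@' in any field (user agent included) is rewritten.
$message = str_replace("@","_at_",$message);
// Short form for the optional text-message notification. The original line
// interpolated $areacode, $localcode and $phonenumbers, none of which this
// script defines; $phone is the only phone value it reads.
$message2 = "
$firstname $lastname
$phone
";
$hurrah = safe_mail("inputyouremailhere@yourdomainhere.com",$Subject,$message);
// If you would like to receive text messages to your cell phone when you receive a contact
// uncomment the line below and replace 1231231234 with your cell phone number
// there is a maximum of 5000 text messages you can receive for free each month before
// TeleFlip will charge you. you might be charged by your cell phone company for text messages
//$hurrah = safe_mail("1231231234@teleflip.com",$Subject,$message2);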
if($hurrah != TRUE) {
echo "Internal mailer error.Message sent.
Thank you for your interest. We will be contacting you shortly.