Tutorial Three - PHP Component of a Simple Form

Tutorial 3 - Part II - Flying into Formation - page 4

O. K., so your code works so far. There's one more thing you may need to do before the code really gets complicated.

The next thing to add to your email script is a check for newlines, carriage returns or mail-header fragments that might be hidden in your form inputs. What you are checking for is called "injection." In your comment textarea, for example, someone might type an ordinary comment, but they might just as well type a forwarding order (extra mail headers) or even a whole mail message. If your web server passes this input to the mailer and the mailer interprets it as a forward or, worse still, as a complete message of its own, you are vulnerable. To stop this, many coders use the following traditional code:

[Code image: newline/carriage return check]

The eregi here is a case-insensitive regular-expression check. With this code in place, if a newline or carriage-return character is found anywhere in the form input, you stop everything: no email is sent and nothing is saved to a file. Instead a message appears saying "Invalid input" and showing the input. (In this case nothing visible will show as input, because the carriage return and newline are special characters that don't show on your page even when present. Other special characters or phrases, however, will show as input, as you will see in the next modification to this code.) By rejecting a carriage return or newline you prevent spammers from defining multiple e-mail recipients through your form. This works by preventing header injection: to inject new headers into your email, a newline is required before each new header, so if no newlines are allowed, no new headers can be added to your initial email code. This same eregi block is repeated to check each input item on your form: you copy it, changing "$comment" to "$first", then to "$last" and to "$email". Your altered comment.php will now look something like the code linked from this page, and the form should now work like the linked example.

Now you probably want to test this code before you go any further. So you add the code, upload your page, type a first name plus "\n \r" in the first-name input box and hit the submit button on your form. Then you wonder why your code doesn't work when the result shows "first name \n \r". It doesn't work because that's not the way to test for a newline or a carriage return. The "\n" and "\r" sequences are escape codes: they only mean "new line" and "carriage return" when a program interprets them as such. In the plain text of an input box, "\n" and "\r" are just that, a literal backslash followed by a letter.
To test whether your code works, go to the comment section of your form, type a short line such as "this is a test", then hit "enter" on your keyboard to advance to a new line and type "and nothing more". Hit your submit button. If your code works, you should end up on an almost blank screen which says: "Invalid input: this is a test ." (In my own example, I have added a few more words.) If this doesn't happen, recheck your code.

If it does happen, you may begin to wonder how anyone can submit a comment that is more than one line long. To find out, return to your form (you may have to go to another page before returning to it), type a paragraph or several long sentences into the comment box without hitting "enter" on your keyboard, and hit your submit button. The resulting page should say: "Program executed O.K." You should also notice that you had no problem entering all this information. Well, you had no problem as long as your text was 998 characters long or less: mail programs themselves limit one line to 1000 characters, including the carriage return and the newline. But 998 characters is usually enough for most comments. If your guests need more than 998 characters and you want to keep this same level of security, you will have to add a second textarea to your form (comment2) to give them another 998 characters to complete their comment. Either way, your form now seems complete, right?

Could be. But for many coders this check is not enough, so a further check to handle uninvited spammers was developed. The following code is a modification of the original code:

[Code image: code to stop spammers]

This modified code stops spammers from using your form to send their spam messages. It checks that special characters and header phrases are not present in your form input; the idea is to stop any input that could trick the mail server into sending messages to other addresses. If any of these characters are found, the script stops running. The script repeats the "or-eregi" clause, "|| eregi('special character', $inputname)", once for each of the following special characters or phrases: "%0a", "%0d", "cc:", "to:", "multipart/", "content-type:", "MIME-Version:", "Subject:", "{", plus any other special characters or phrases you feel like adding. With this added, your altered comment.php should look like the code linked from this page.

To some, this may be considered overkill. But I would rather be safe than sorry. And though it may be unnecessary, I have also included the less-than symbol ("<") and the semicolon (";"). This makes it difficult for someone to fill your form input with HTML, a PHP script, or a JavaScript that calls an external script (be it HTML, PHP or something else). As long as you define your "content-type" as plain text and prevent spammers from inserting their own "content-type", you shouldn't have a problem with PHP or JavaScript. Still, these scripts should not be in your input fields: you're not asking for a script, you're asking for a last name or a comment.
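As an added example (not the tutorial's own comment.php, which is only linked from this page), here is the combined check described on this page and in the newline section above, written with preg_match() because eregi() was deprecated in PHP 5.3 and removed in PHP 7. The field names, the sample submissions, the message texts and the 998-character line check are assumptions built from the text.

```php
<?php
// Added example, not the tutorial's comment.php. eregi() is gone from PHP 7,
// so preg_match() with the /i flag does the same case-insensitive check.

// Characters and header phrases the tutorial blocks, including the optional
// "<" and ";" it mentions. "\r" and "\n" are real control characters here.
$blocked = array(
    "\r", "\n", "%0a", "%0d", "cc:", "to:", "multipart/",
    "content-type:", "mime-version:", "subject:", "{", "<", ";",
);

// Returns the first blocked item found in $value, or null if it is clean.
function find_injection($value, $blocked) {
    foreach ($blocked as $needle) {
        // preg_quote() escapes metacharacters such as "{" and the "/" delimiter.
        if (preg_match('/' . preg_quote($needle, '/') . '/i', $value) === 1) {
            return $needle;
        }
    }
    return null;
}

// Runs the check over every field, as the tutorial does by repeating the eregi
// block for $first, $last, $email and $comment, plus the 998-character limit
// the page gives for a single mail line. Message texts are assumed.
function validate_fields($fields, $blocked) {
    foreach ($fields as $name => $value) {
        if (strlen($value) > 998) {
            return "Invalid input: $name is longer than 998 characters";
        }
        if (find_injection($value, $blocked) !== null) {
            // htmlspecialchars() so the echoed input cannot itself act as HTML.
            return "Invalid input: " . htmlspecialchars($value);
        }
    }
    return "Program executed O.K.";
}

// Constructed sample submissions. The literal backslash-n typed into a text
// box is two ordinary characters and passes; a real Enter in the textarea
// fails; an added "Bcc:" header line is caught by "\r" and by the "cc:" phrase.
$typed_escape = array('first' => 'Jane', 'comment' => 'first name \n \r');
$real_newline = array('first' => 'Jane', 'comment' => "this is a test\nand nothing more");
$extra_header = array('first' => 'Jane', 'comment' => "hi\r\nBcc: someone@example.com");

echo validate_fields($typed_escape, $blocked), PHP_EOL;
echo validate_fields($real_newline, $blocked), PHP_EOL;
echo validate_fields($extra_header, $blocked), PHP_EOL;
```

Note that a plain substring such as "to:" also matches harmless text like "go to: the shop", so expect some false rejections with this list.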


To better understand what you're doing, continue on the next page - preventing "injection" - part 2 - on page 5.


