
osCommerce

The e-commerce.

Spam via contact_us.php - *solution*


bradley@kri.ch


We have recently had severe problems with spambots abusing various forms, among others the contact form in osCommerce. The latest and greatest patches did not suffice to fix the problem, so I had to add a few touches of my own. I am posting this here, in hopes that it will help others.

 

Here is the top of our contact_us.php file. The only changes are the two new functions at the top, and the block of code marked as BUG-FIX. The remainder of the file is unchanged.

 

//--- from www.kri.ch ---

// The following two functions are used to sanitize form input, in order
// to eliminate spam abuse of the contact form...

// sanitize a multi-line entry (the text-area)
function sanitizeLines($string) {
  $string = str_replace('\\', '', $string); // no sneaky backslashes
  $string = preg_replace("/(content-type|bcc|cc|to|from):/im", "$1", $string); // no embedded mail headers (the colon is dropped)
  return $string;
}

// sanitize a single-line entry (a text field)
function sanitizeLine($string) {
  $string = str_replace('\\', '', $string); // no sneaky backslashes
  $string = preg_replace("/(content-type|bcc|cc|to|from):/im", "$1", $string); // no embedded mail headers (the colon is dropped)
  $string = preg_replace("/\n/", " ", $string); // no newlines
  $string = preg_replace("/\r/", " ", $string); // no returns
  return $string;
}

//---

require('includes/application_top.php');

require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

/*
 * BEGIN BUG-FIX (http://bugtrack.oscmax.com/view.php?id=79)
 *
 * This code removed, as it proved insufficient.

$_POST['email'] = preg_replace( "/\n/", " ", $_POST['email'] );
$_POST['name'] = preg_replace( "/\n/", " ", $_POST['name'] );
$_POST['email'] = preg_replace( "/\r/", " ", $_POST['email'] );
$_POST['name'] = preg_replace( "/\r/", " ", $_POST['name'] );
$_POST['email'] = str_replace("Content-Type:","",$_POST['email']);
$_POST['name'] = str_replace("Content-Type:","",$_POST['name']);
*/

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    // Sanitize the values that are actually handed to tep_mail(). Depending on
    // the PHP version and on application_top.php, $HTTP_POST_VARS may be a
    // separate copy of $_POST rather than an alias of it, so the sanitizers are
    // applied to the array this block reads instead of to $_POST beforehand.
    $name = tep_db_prepare_input(sanitizeLine($HTTP_POST_VARS['name']));
    $email_address = tep_db_prepare_input(sanitizeLine($HTTP_POST_VARS['email']));
    $enquiry = tep_db_prepare_input(sanitizeLines($HTTP_POST_VARS['enquiry']));

    if (tep_validate_email($email_address)) {
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);
      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    } else {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
      $enquiry = "";
      $name = "";
      $email = "";
    }
  }
// END BUG-FIX

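As an added example (not code from the original post or from osCommerce), here is a stricter take on the idea behind sanitizeLine/sanitizeLines: instead of silently rewriting the input, it rejects any submission whose single-line fields carry a CR/LF (the thing that lets a value spill into extra mail headers) or whose message body starts a line with a mail header name, and it reports what was wrong so the form can show an error. The function names, the constructed $samples array and the use of filter_var() (PHP 5.2+) are assumptions of this example; inside contact_us.php itself osCommerce's tep_validate_email() would take the place of filter_var().

```php
<?php
// Added example, not from the original post. Function names and sample data
// are assumptions made for this illustration.

// True when $value contains a character that would end the current mail
// header and start another one: carriage return, line feed or NUL.
function containsHeaderBreak($value) {
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// True when some line of a free-text field begins with one of the header
// names the post's regex targets. Anchoring at the line start avoids
// mangling ordinary words such as "Ratio:" that merely contain "to:".
function looksLikeMailHeader($text) {
    return preg_match('/^\s*(content-type|bcc|cc|to|from):/im', $text) === 1;
}

// Validate a contact-form submission. Returns a list of error strings;
// an empty list means the submission is safe to hand to the mailer.
function validateContactForm(array $post) {
    $errors = array();

    // Single-line fields: required, and must not contain a line break.
    foreach (array('name', 'email') as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            $errors[] = "$field is required";
        } elseif (containsHeaderBreak($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }

    // The address must also be syntactically valid (assumption: filter_var,
    // available from PHP 5.2; osCommerce would use tep_validate_email here).
    if (isset($post['email']) && !containsHeaderBreak($post['email'])
            && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // Multi-line body: newlines are fine, header-looking lines are not.
    if (!isset($post['enquiry']) || trim($post['enquiry']) === '') {
        $errors[] = 'enquiry is required';
    } elseif (looksLikeMailHeader($post['enquiry'])) {
        $errors[] = 'enquiry contains mail header syntax';
    }

    return $errors;
}

// Constructed sample submissions for a self-check (not real traffic).
$samples = array(
    'legitimate' => array(
        'name'    => 'Jane Doe',
        'email'   => 'jane@example.com',
        'enquiry' => "Hello,\nwhen will my order ship?\nThanks",
    ),
    'injected-name' => array(
        'name'    => "Jane Doe\r\nBcc: someone@example.net",
        'email'   => 'jane@example.com',
        'enquiry' => 'hi',
    ),
    'header-in-body' => array(
        'name'    => 'Jane Doe',
        'email'   => 'jane@example.com',
        'enquiry' => "Content-Type: text/html\n<b>unwanted</b>",
    ),
);

foreach ($samples as $label => $post) {
    $errors = validateContactForm($post);
    printf("%-15s %s\n", $label, $errors ? implode('; ', $errors) : 'ok');
}
```

Rejecting rather than stripping has two practical advantages over the post's sanitizers: a legitimate message is never altered (the post's unanchored regex turns "Ratio: 3" into "Ratio 3", for instance), and every rejected submission can be logged with the offending field, which gives you a concrete signal of how often the form is being probed.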

You should clean out the removed code and put this into the contributions. It would be easier to find this fix for others later!

P.S. I haven't had the spam problem yet but will hopefully head that bug off with this. Thanks.

My Contributions: Stylesheet With Descriptions, Glassy Grey Boxtops, Our Products, Meta Tags On The Fly, Password Protect Admin

"No matter where you go....There you are" - Buckaroo Banzai
