<?php
# Don't put anything above the previous line, not even blank space
# Copyright 2007, Thomas Boutell and Boutell.Com, Inc. You
# MAY use this code in your own projects. You MAY NOT
# represent this code as your own work. If you wish to share
# this code with others, please do so by sharing the
# following URL:
#
#
# See: http://www.boutell.com/newfaq/creating/accounts.html
#require "login.php";
require '/home/boutell/html/tools/accountable/login.php';
# OPTIONAL: use my Captcha system to prevent automated
# abuse of the contact form.
#require "captcha.php";
require '/home/boutell/html/tools/captcha/captcha.php';
# The person who receives the email messages
#$recipient = '[email protected]';
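$recipient = '[email protected]';
$serverName = 'www.boutell.com';
# Route on which submit button was pressed. The buttons are read with
# empty() rather than a bare $_POST['...'] lookup so that a plain GET (no
# POST fields at all) shows the blank form without undefined-index notices;
# the truthiness test itself is unchanged.
if (!empty($_POST['send'])) {
    sendMail();
} elseif (!empty($_POST['cancel']) || !empty($_POST['continue'])) {
    redirect();
} else {
    # First display: no error messages yet. Pass an empty array, which is
    # what displayForm() counts, instead of false.
    displayForm(array());
}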
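function displayForm($messages)
{
    # Render the "Contact Us" form, pre-filled with whatever the user has
    # already typed so a validation failure does not wipe their input.
    #
    # $messages: array of error strings to show above the form (as built by
    #            sendMail()), or an empty array / false when there is
    #            nothing to report. They are echoed without escaping, so
    #            they must stay fixed server-side strings, never user data.
    #
    # Import $login object from accountable. If we're not using
    # accountable this is null, which is not a problem
    global $login;
    # Read each posted field as a plain string: a missing field becomes ''
    # instead of an undefined-index notice on the first (GET) display, and
    # an array smuggled in as field[]=... is treated as missing rather than
    # reaching htmlspecialchars().
    $posted = array();
    foreach (array('email', 'realname', 'subject', 'body', 'returnurl') as $field) {
        $posted[$field] = (isset($_POST[$field]) && is_string($_POST[$field]))
            ? $_POST[$field] : '';
    }
    # Every user-supplied value is HTML-escaped before it is echoed back
    # into a double-quoted attribute; ENT_QUOTES covers both quote styles.
    $escapedEmail = htmlspecialchars($posted['email'], ENT_QUOTES);
    $escapedRealName = htmlspecialchars($posted['realname'], ENT_QUOTES);
    $escapedSubject = htmlspecialchars($posted['subject'], ENT_QUOTES);
    $escapedBody = htmlspecialchars($posted['body'], ENT_QUOTES);
    $returnUrl = $posted['returnurl'];
    if (!strlen($returnUrl)) {
        # We'll return the user to the page they came from. The referrer is
        # client-supplied, so it is escaped for display here and checked
        # against our own host in redirect() before it is ever used as a
        # Location target.
        $returnUrl = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        if (!strlen($returnUrl)) {
            # Stubborn browser won't give us a referring
            # URL, so return to the home page of our site instead
            $returnUrl = '/';
        }
    }
    $escapedReturnUrl = htmlspecialchars($returnUrl, ENT_QUOTES);
    # The form posts back to this script. DOCUMENT_URL is set by the web
    # server rather than the client, but it lands inside an HTML attribute,
    # so it goes through the escaper like everything else.
    $escapedAction = htmlspecialchars(
        isset($_SERVER['DOCUMENT_URL']) ? $_SERVER['DOCUMENT_URL'] : '', ENT_QUOTES);
    # NOTE(review): the form carries no CSRF token, so a third-party page
    # could submit it on behalf of a logged-in Accountable user.
    # Shift back into HTML mode to send the form
?>
<html>
<head>
<?php
    if ($login) {
?>
<link href="/accountable/chrome/login.css" rel="stylesheet" type="text/css">
<?php
    }
?>
<title>Contact Us</title>
</head>
<body>
<?php
    # Display Accountable login prompt if we are
    # using Accountable
    if ($login) {
        $login->prompt();
        # Fetch email address and real name from Accountable.
        if (!strlen($escapedEmail) && isset($_SESSION['email'])) {
            $escapedEmail = htmlspecialchars($_SESSION['email'], ENT_QUOTES);
        }
        if (!strlen($escapedRealName) && isset($_SESSION['realname'])) {
            $escapedRealName = htmlspecialchars($_SESSION['realname'], ENT_QUOTES);
        }
    }
?>
<h1>Contact Us</h1>
<?php
    # Shift back into PHP mode for a moment to display
    # the error message, if there was one. empty() instead of count():
    # the first display used to pass false, and count(false) is 1 on
    # PHP < 7.2 (printing an empty <h3>) and a TypeError on PHP 8.
    if (!empty($messages)) {
        $message = implode("<br>\n", $messages);
        echo("<h3>$message</h3>\n");
    }
?>
<form method="POST" action="<?php echo $escapedAction?>">
<p>
<input
name="email"
size="64"
maxlength="64"
value="<?php echo $escapedEmail?>"/>
<b>Your</b> Email Address
</p>
<p>
<input
name="realname"
size="64"
maxlength="64"
value="<?php echo $escapedRealName?>"/>
Your Real Name (<i>so our reply won't get stuck in your spam folder</i>)
</p>
<p>
<input
name="subject"
size="64"
maxlength="64"
value="<?php echo $escapedSubject?>"/>
Subject Of Your Message
</p>
<p>
<i>Please enter the text of your message in the field that follows.</i>
</p>
<textarea
name="body"
rows="10"
cols="60"><?php echo $escapedBody?></textarea>
<?php
    # Display the captcha if we're using my captcha.php system
    # and the user is not logged in to an Accountable account
    if (empty($_SESSION['id']) && function_exists('captchaImgUrl')) {
?>
<p>
<b>Please help us prevent fraud</b> by entering the code displayed in the
image in the text field. Alternatively,
you may click <b>Listen To This</b> to hear the code spoken aloud.
</p>
<p>
<img style="vertical-align: middle"
src="<?php echo captchaImgUrl()?>"/>
<input name="captcha" size="8"/>
<a href="<?php echo captchaWavUrl()?>">Listen To This</a>
</p>
<?php
    }
?>
<p>
<input type="submit" name="send" value="Send Your Message"/>
<input type="submit" name="cancel" value="Cancel - Never Mind"/>
</p>
<input
type="hidden"
name="returnurl"
value="<?php echo $escapedReturnUrl?>"/>
</form>
</body>
</html>
<?php
}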
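function redirect()
{
    # Send the user back to the page they came from, but only when that
    # page is on this site: the return URL is a hidden POST field, so an
    # attacker could plant any value in it and turn this into an open
    # redirect. Anything that does not start with our own scheme + host
    # prefix (trailing slash included, so "http://www.boutell.com.evil/"
    # does not pass) falls back to the site home page. header() has refused
    # values containing a newline since PHP 5.1.2, so header injection via
    # the URL is not a concern here.
    global $serverName;
    # A missing or non-string field counts as "no URL" and goes home.
    $returnUrl = (isset($_POST['returnurl']) && is_string($_POST['returnurl']))
        ? $_POST['returnurl'] : '';
    $home = "http://$serverName/";
    # The same host over HTTPS is equally ours, so both schemes are allowed;
    # the fallback itself is unchanged.
    $allowedPrefixes = array($home, "https://$serverName/");
    $onOurSite = false;
    foreach ($allowedPrefixes as $prefix) {
        if (beginsWith($returnUrl, $prefix)) {
            $onOurSite = true;
            break;
        }
    }
    if (!$onOurSite) {
        $returnUrl = $home;
    }
    header("Location: $returnUrl");
    # Nothing else is output by this script after the header is sent; a
    # caller that does more afterwards should stop processing itself.
}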
function beginsWith($s, $prefix)
{
    # True when $s starts with $prefix: an exact, case-sensitive byte
    # comparison of the first strlen($prefix) bytes. redirect() relies on
    # this to pin the return URL to our own site.
    $prefixLength = strlen($prefix);
    return strncmp($s, $prefix, $prefixLength) === 0;
}
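function sendMail()
{
    # Validate the posted contact form and, when it is clean, hand the
    # message to mail(). Any validation failure re-displays the form with
    # the accumulated error messages and sends nothing.
    #
    # Global variables must be specifically imported in PHP functions
    global $recipient;
    $messages = array();
    # Read each field as a plain string: a missing field becomes '' instead
    # of an undefined-index notice, and an array smuggled in as field[]=...
    # is treated as missing rather than reaching preg_match() or mail().
    $posted = array();
    foreach (array('email', 'realname', 'subject', 'body', 'captcha', 'returnurl') as $field) {
        $posted[$field] = (isset($_POST[$field]) && is_string($_POST[$field]))
            ? $_POST[$field] : '';
    }
    $email = $posted['email'];
    # Allow only reasonable email addresses. Don't let the
    # user trick us into backscattering spam to many people.
    # Make sure the user remembered the @something.com part.
    # The D modifier anchors $ at the very end of the string: a bare $ also
    # matches just before a final "\n", which would let a trailing newline
    # through into the From:/Reply-To: headers built below.
    if (!preg_match("/^[\w\+\-\.\~]+\@[\-\w\.\!]+$/D", $email)) {
        $messages[] = "That is not a valid email address. Perhaps you left out the @something.com part?";
    }
    $realName = $posted['realname'];
    # Same anchoring fix: the real name is interpolated into those headers too.
    if (!preg_match("/^[\w\ \+\-\'\"]+$/D", $realName)) {
        $messages[] = "The real name field must contain only alphabetical characters, numbers, spaces, and the + and - signs. We apologize for any inconvenience.";
    }
    $subject = $posted['subject'];
    # CAREFUL: don't allow hackers to sneak line breaks and additional
    # headers into the message and trick us into spamming for them!
    $subject = preg_replace('/\s+/', ' ', $subject);
    # Make sure the subject isn't blank (apart from whitespace)
    if (preg_match('/^\s*$/', $subject)) {
        $messages[] = "Please specify a subject for your message.";
    }
    $body = $posted['body'];
    # Make sure the message has a body
    if (preg_match('/^\s*$/', $body)) {
        $messages[] = "Your message was blank. Did you mean to say something? Click the Cancel button if you do not wish to send a message.";
    }
    # Check the captcha code if the user is NOT logged in to an account.
    # Compare as strings with !==: the loose != treats numeric-looking
    # values as numbers ("1e3" == "1000"), and an absent session code
    # compared loosely equal to an empty answer, which passed the check.
    if (empty($_SESSION['id']) && function_exists('captchaImgUrl')) {
        $expectedCode = isset($_SESSION['captchacode']) ? (string) $_SESSION['captchacode'] : '';
        if ($expectedCode === '' || $posted['captcha'] !== $expectedCode) {
            $messages[] = "You did not enter the security code, or what you entered did not match the code. Please try again.";
        }
    }
    if (count($messages)) {
        # There were errors, so re-display the form with
        # the error messages and let the user correct
        # the problem
        displayForm($messages);
        return;
    }
    # No errors - send the email. $realName and $email have passed the
    # single-line whitelists above, so neither can carry an extra header.
    mail($recipient,
        $subject,
        $body,
        "From: $realName <$email>\r\n" .
        "Reply-To: $realName <$email>\r\n");
    # Thank the user and invite them to continue, at which point
    # we direct them to the page they came from. The URL is HTML-escaped
    # for the hidden field here; redirect() validates it before use.
    $escapedReturnUrl = htmlspecialchars($posted['returnurl'], ENT_QUOTES);
    # Server-set, but it lands inside an attribute, so escape it as well.
    $escapedAction = htmlspecialchars(
        isset($_SERVER['DOCUMENT_URL']) ? $_SERVER['DOCUMENT_URL'] : '', ENT_QUOTES);
?>
<html>
<head>
<title>Thank You</title>
</head>
<body>
<h1>Thank You</h1>
<p>
Thank you for contacting us! Your message has been sent.
</p>
<form method="POST" action="<?php echo $escapedAction?>">
<input type="submit" name="continue" value="Click Here To Continue"/>
<input
type="hidden"
name="returnurl"
value="<?php echo $escapedReturnUrl?>"/>
</form>
</body>
</html>
<?php
}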
?>