> I'm trying to make sure my email form cannot be used for spam or
> injecting additional code and addresses in any way.
>
>        // CHECK FOR SPAM ATTEMPTS AND REMOVE THEM
>
> <snip>

I had a similar problem with my contact form and went down a similar
path of trying to clean up the user input with regexes. They caught
some of the spammers, but they kept trying and were eventually able to
get around them.

I posted this to the php-general list as well and two users suggested
I try the following:

- add a numeric limit to your email field to prevent spammers from
dumping huge blocks of email addresses:

if (strlen($email)>255) echo "Scram!";

- after you have tried to filter/clean the e-mail address, test it
again with a function that determines if the input is a valid email
address. I used this validation function to check email addresses,
from an article on "Validating Emails with PHP" on Developer.com:
 http://www.developer.com/lang/php/article.php/10941_3290141_1

function validate_email($email)
{

   // Create the syntactical validation regular expression
   // (the original used ereg syntax; eregi() and split() were removed
   // in PHP 7, so this uses preg_match() with the /i flag and explode())
   $regexp = "/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i";

   // Presume that the email is invalid
   $valid = 0;

   // Validate the syntax
   if (preg_match($regexp, $email))
   {
      list($username, $domaintld) = explode("@", $email);
      // Validate the domain: require at least one MX record
      // (needs DNS access; a domain that receives mail on a bare
      // A record only is rejected here)
      if (getmxrr($domaintld, $mxrecords))
         $valid = 1;
   } else {
      $valid = 0;
   }

   return $valid;

}

$email = "[EMAIL PROTECTED]";

if (validate_email($email))
   echo "Email is valid!";
else
   echo "Email is invalid!";

I implemented these two steps into a function that was similar to yours
and haven't had a breach since.

Best of luck,

- schnippy
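As an added example (not code from the original post, the quoted message, or the Developer.com article), the following combines the two suggestions above, a length cap and a syntax check, with an explicit test for the line breaks that mail header injection relies on. The function name `reject_reason_for_email`, the `MAX_EMAIL_LEN` constant and the sample inputs are my own; PHP's built-in `filter_var()` with `FILTER_VALIDATE_EMAIL` stands in for the article's hand-written regex, and the DNS check is optional because it needs network access.

```php
<?php
// Added example: validate a contact-form email field before it is placed
// in a mail header. Not part of the original thread.
declare(strict_types=1);

const MAX_EMAIL_LEN = 255;   // length cap suggested in the post (assumed name)

/**
 * Returns null when $email is safe to use as a single bare address in a
 * mail header, or a short reason string when it must be rejected.
 */
function reject_reason_for_email(string $email, bool $checkDns = false): ?string
{
    if (strlen($email) > MAX_EMAIL_LEN) {
        return 'too long';
    }
    // Header injection works by smuggling a CR or LF into a header field so
    // that attacker-chosen headers follow it; a NUL byte can truncate or
    // confuse downstream parsers. Reject all three outright.
    if (preg_match('/[\r\n\0]/', $email)) {
        return 'control character in address';
    }
    // Several recipients ("a@x.com, b@y.com") or a display name
    // ("Bob <a@x.com>") are not a single bare address.
    if (preg_match('/[,;<>"]/', $email)) {
        return 'not a single bare address';
    }
    // Syntactic validation with PHP's built-in filter.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'malformed address';
    }
    if ($checkDns) {
        // Optional: require an MX record, or fall back to an A record so
        // domains that receive mail without MX are not rejected.
        $domain = substr($email, strrpos($email, '@') + 1);
        if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
            return 'domain has no mail server';
        }
    }
    return null;
}

// Constructed sample inputs: one clean address, one header-injection
// attempt, one multi-recipient attempt, and one oversized value.
$samples = [
    "user@example.com",
    "user@example.com\r\nBcc: someone@example.net",
    "user@example.com, other@example.org",
    str_repeat('a', 300) . "@example.com",
];

foreach ($samples as $s) {
    $reason = reject_reason_for_email($s);
    $label  = $reason === null ? 'accepted' : "rejected ({$reason})";
    // Escape control characters so the injection attempt prints on one line.
    printf("%-40s %s\n", $label, addcslashes(substr($s, 0, 60), "\r\n\0"));
}
```

Run it with `php` from the command line; only the first sample is accepted. The order of checks matters: the length cap runs first so a very large value is discarded before any regex is applied to it, and the control-character test runs before `filter_var()` so the rejection reason names the actual problem rather than a generic "malformed" result.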

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
