Preg match fails on some urls - not emails - php

I have the code below in the submitted form section of a php file. It is meant to catch any emails that contain a url and reject them.
if (preg_match("/(\b(((https?|ftp|file|):\/\/)|www[.])[-A-Z0-9+&@#\/%?=~_|!:,.;]*[-A-Z0-9+&@#\/%=~_|])/i", $msg)) {
    return false;
}
return true;
But I received an email with dozens of lines like this:
[url=http://example.рф]шкафы купе[/url]
I tried sending a message with one of the lines in the original email and the code blocked it. Why didn't it stop this spammer?

Based on the replies, which I deeply appreciate, I changed the code to the following. All I really want is to block URLs. It doesn't matter what the path and parameters are, so I think this catches all possibilities. This is used instead of PHP filters because the filters page says it can't catch URNs.
if (preg_match("/(\b(((https?|ftp|file|[-A-Z0-9]|):\/\/)|www[.]))/i", $msg)) {
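The check below extends the revised pattern above with two more tests: one for BBCode [url] tags and one for bare hostnames in any script (Unicode-aware, so example.рф counts). It is an added example, not code from the original post; the function name, labels and sample messages are assumptions, and treating a bare hostname as a link is a policy choice that will also flag things like file names.

```php
<?php
// Added example, not the asker's code. Sample messages are constructed.

// The asker's revised pattern, copied from the post.
const REVISED = '/(\b(((https?|ftp|file|[-A-Z0-9]|):\/\/)|www[.]))/i';

// Assumption: a bare "label.tld" also counts as a link. With the u modifier,
// \p{L} matches letters of any script, so IDN hosts such as example.рф qualify.
// The lookbehind skips the domain part of an email address (text after "@").
const BARE_HOST = '/(?<![\p{L}\p{N}@.])(?:[\p{L}\p{N}](?:[\p{L}\p{N}-]*[\p{L}\p{N}])?\.)+\p{L}{2,}(?![\p{L}\p{N}])/u';

function findLinkIndicators(string $msg): array
{
    $hits = [];
    if (preg_match(REVISED, $msg)) {
        $hits[] = 'scheme-or-www';
    }
    if (preg_match('/\[\s*url\b/i', $msg)) {    // BBCode [url] or [url=...]
        $hits[] = 'bbcode';
    }
    $r = preg_match(BARE_HOST, $msg);
    if ($r === false) {
        // preg_match() returns false when the subject is not valid UTF-8;
        // treat that as a reason to reject rather than letting it through.
        $hits[] = 'invalid-utf8';
    } elseif ($r === 1) {
        $hits[] = 'bare-host';
    }
    return $hits;
}

$samples = [
    '[url=http://example.рф]шкафы купе[/url]',   // line quoted in the question
    'see example.рф for details',
    'WWW.example.com',
    'Thanks, the order arrived today.',
];
foreach ($samples as $s) {
    echo json_encode(findLinkIndicators($s)), '  <=  ', $s, PHP_EOL;
}
```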

Related

check correct email format for swedish letters

I'm making a website that has a form which gets validated in PHP.
When people post the form, the email gets sent to an $email variable and I check for the correct format. However, I've yet to find a piece of code that checks if the format is correct (whether it's valid doesn't matter right now). I've found PHP's own function, but it doesn't check for Swedish letters. I've also found another function that checks the mail format, but that breaks if you have an email with the format xxx.yy@zz.aa; it only works if the format is xxx@zz.aa.
I would very much appreciate any help to make this work and to find a function that works.
You can use this regexp:
// the u modifier makes PCRE treat å, ä, ö as whole UTF-8 characters, not single bytes
if(preg_match("/^\b[A-ZÅÄÖåäö0-9._%+-]+@[A-ZÅÄÖåäö0-9.-]+\.[A-Z]{2,4}\b$/iu",$email)){
    //mail is valid
}
This will validate youråäö@adressö.se etc.
The single thing that you can check in an email address is that it contains @. Check for that without any code found anywhere.
I personally suggest you validate forms on the client side, i.e. using JavaScript or jQuery.
If all form validations are carried to the server, the server load gets increased, and there is also re-submission for invalid entries.
jQuery code for email validation:
function ValidateEmail(email) {
    var expr = /^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$/;
    return expr.test(email);
};
$("#id").blur(function(){
    if(!ValidateEmail($("#id").val())){
        //your code
    }
    else {
        //your code
    }
})

Wordpress contact-form-7 plugin do something before mail

I have got a wordpress instance with the plugin contact-form-7. In some tutorials, I saw that I can do something before sending the mail with this code:
add_action("wpcf7_before_send_mail", "wpcf7_do_something_else");
function wpcf7_do_something_else(&$wpcf7_data) {
    // Here is the variable where the data are stored!
    var_dump($wpcf7_data);
    // If you want to skip mailing the data, you can do it...
    $wpcf7_data->skip_mail = true;
}
I got the code from here http://code.tutsplus.com/tutorials/mini-guide-to-contact-form-7--wp-25086
But somehow, it is not working. I don't receive any error - the contact form is not sending the mail anymore, even without the $wpcf7_data->skip_mail = true, and it doesn't print anything.
My questions:
Where do I have to write this code? Directly into the plugin? (At the moment, I wrote this code into a custom plugin, maybe wrong?)
Is it even possible to print any data from the form in there? (Is the tutorial bad?)
Thanks!
Well, it is normal that the contact form does not send email anymore, as it is defined on this line $wpcf7_data->skip_mail = true;.
This code is used if you want something else than the default posting (sending in email), as described in the tutorial.
This code, however, should be placed in your theme's functions.php file (if file exists, create it). But still, the email will not be sent.
If you want to skip emails and perform other action, then leave this piece of code
$wpcf7_data->skip_mail = true;
and add your logic after this line.
Describe more precisely what you want to do (instead of sending email) in your question.

MODX not sending emails

I'm using modMail class to send custom emails. I have followed the guidelines on MODX site and used the following code which I placed in a snippet:
$message = $modx->getChunk('myEmailTemplate');
$modx->getService('mail', 'mail.modPHPMailer');
$modx->mail->set(modMail::MAIL_BODY,$message);
$modx->mail->set(modMail::MAIL_FROM,'me@example.org');
$modx->mail->set(modMail::MAIL_FROM_NAME,'Johnny Tester');
$modx->mail->set(modMail::MAIL_SUBJECT,'Check out my new email template!');
$modx->mail->address('to','user@example.com');
$modx->mail->address('reply-to','me@xexample.org');
$modx->mail->setHTML(true);
if (!$modx->mail->send()) {
    $modx->log(modX::LOG_LEVEL_ERROR,'An error occurred while trying to send the email: '.$modx->mail->mailer->ErrorInfo);
}
$modx->mail->reset();
The snippet has been modified to contain message from custom chunk as well as email addresses have been replaced with the correct ones. The snippet sent email once and never again. I have no idea what causes such behavior which prevents it from sending emails.
I have read that using the reset function $modx->mail->reset(); resets email fields and allows the email to be sent again yet I have a feeling that it causes problem here.
The snippet is called uncached on the page [[!email]]
Does anyone have an idea why the emails are not being sent, even though it worked once?
If there is an error in your chunk or in processing your chunk, MODX is never going to get to the point where it logs an error. Try something like:
if (!$modx->mail->send()) {
    $modx->log(modX::LOG_LEVEL_ERROR,'An error occurred while trying to send the email: '.$modx->mail->mailer->ErrorInfo);
}else{
    $modx->log(modX::LOG_LEVEL_ERROR,'This mail was sent: '.$message);
}
to see if it logs something. But otherwise what you have there is exactly correct - try to take the $message variable out and send just a string. If it sent mail once, then something else must be wrong. I'd start looking at mail server logs, headers, spam [gmail??] etc.

block sending emails that are not from a specific domain

I would like to filter emails sent. Emails are sent with the PHP mail() function. I would like, without modifying any PHP file if possible, to let out only emails that are to a specific domain, and not others. I don't have access to the SMTP server.
Just in case this helps someone ... If the emails are sent after a form is submitted (or similar action), you could change the action attribute of the form html element to point to a new php file that acts as a filter. Once passed (if so) you redirect to the "proper" destination to send the emails. The filtering could be something as easy as:
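$good = "*@mydomain.foo, *@localhost";
$good = array_map('trim', explode(',', $good)); // drop the space after each comma
$allowed = false;
foreach ($good as $pattern) {
    // pattern_grep() is not a PHP built-in; fnmatch() does the wildcard match
    $allowed = $allowed || fnmatch($pattern, $_POST['email'], FNM_CASEFOLD);
}
if ($allowed) {
    // action
}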
You should be able to look at the associative array for the "to" field and use the php regex class to match domains that you blacklist.

Preventing web site links and email addresses in a form when "Submit" is pressed

Folks,
I have an html form which sends the form data as an email. Unfortunately spam bots have been filling the form in and send web site links and email addresses in the message part of the form.
Is there a way I can delete the web site links and email addresses when the "Submit" button is pressed before it gets sent on as an email address? I use PHP to do the actual sending of the form data as an email message.
Thanks and regards,
Tony
Have you tried having a hidden form via CSS (display: none) but in HTML like a regular form, and call it email or something common? If that form has data, then it must be a bot.
How about using regular expressions to replace anything that matches a web link or email address with an empty string?
You can find tons of regular expression examples on the web, just google it.
You can do that with Javascript. The problem is that Javascript needs to be enabled for that to happen so you can imagine the odds that the spambots will be cooperative when it comes to this.
You're going to have to filter it out on the server. Personally I would simply reject outright any message containing links or email addresses. Spit back an error to the user but don't even save it.
For some tips on detecting spam in PHP read Spam-free accessible forms.
You may also want to consider the use of CAPTCHA.
Well, if you really want to fight spam, go for these steps:
Put a CAPTCHA in the form so that non-humans cannot even submit the form. A very popular CAPTCHA implementation is reCAPTCHA.
Do a strip_tags on the fields so that even if someone puts URLs by hand, it will be removed.
Do a regular expression check for email addresses and remove them as well. Pick a good regex expression from the web which will pick most email formats.
Hope this helps. Cheers!
Presumably, you don't want to accept any kind of HTML, just plain text? In this case strip_tags is your friend. strip_tags also allows you to specify some tags that are acceptable.
I also heartily recommend incorporating a header-injection defence script.
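One way to apply the header-injection defence recommended above, together with the hidden-field check suggested earlier in this thread, as an added example that is not code from any of the answers. The field names (including the honeypot field "website"), the function name and the sample submissions are assumptions; it targets PHP 7 or later.

```php
<?php
// Added example. Field names, the honeypot name "website" and the sample
// submissions are assumptions, not taken from the thread.

function checkContactForm(array $post): array
{
    $errors = [];

    // Honeypot: present in the HTML, hidden with CSS, so a person leaves it empty.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot field is not empty';
    }

    // Values that end up in mail headers must be single-line strings.
    // A CR or LF inside one would start a new header line (Bcc:, Cc:, ...).
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
            $errors[] = "$field must be a single line of text";
        }
    }

    // filter_var() rejects anything that is not one syntactically valid address.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Constructed submissions: a normal one, and one with a filled honeypot and
// a line break inside the email field.
$clean = ['name' => 'Tony', 'email' => 'tony@example.com',
          'subject' => 'Question', 'message' => 'Hello', 'website' => ''];
$bad   = ['name' => 'x', 'email' => "a@example.com\r\nBcc: list@example.net",
          'subject' => 'Hi', 'message' => 'text', 'website' => 'http://example.com'];

foreach (['clean' => $clean, 'bad' => $bad] as $label => $post) {
    $errors = checkContactForm($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok to send', PHP_EOL;
}

// Only after an empty error list are the values placed in headers, e.g.
// mail($to, $post['subject'], $post['message'], 'Reply-To: ' . $post['email']);
```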
Folks,
I tried using strip_tags which certainly removes tags but doesn't remove "mailto:" nor "http://" text, so the links are still links.
Is there an easy PHP command or routine that can scan a string and just replace "mailto:" and/or "http://" with a harmless empty string "" in those portions of the string?
Tried googling too but most of the stuff I found was about trimming white space etc.
Sorry about this, I'm kinda new to PHP.
Thanks and Regards,
Tony
This is very simplistic, but you could build on it I'm sure ...
Try adding a picture of a cat or dog, then asking them to enter the three letter name of the animal shown ... or something similar. Do a validation check, then go from there ... cheap and easy Captcha. This way only human input is going out ...
You would have to iterate over every field in the $_POST array (at least the ones you don't want to have emails or links in) and check it against a couple of regexes.
The suggestion to use CAPTCHA is also a good one.
Anyway, here's a crappy implementation of the checking:
class ValidationHelper
{
    // Regex taken from https://github.com/google-code-export/prado3/blob/master/framework/Web/UI/WebControls/TEmailAddressValidator.php
    const EMAIL_REGEX = "#\\w+([-+.]\\w+)*@\\w+([-.]\\w+)*\\.\\w+([-.]\\w+)*#";
    // hacked up regex that I just cooked up - could be hugely improved i'm sure.
    // the i modifier makes the scheme match case-insensitively (HTTP://, Ftp://)
    const LINK_REGEX = "#(h\s*t\s*t\s*p\s*s?|f\s*t\s*p)\s*:\s*/\s*/#i";
    public static function containsEmail($value)
    {
        if (preg_match(self::EMAIL_REGEX, $value))
            return true;
        return false;
    }
    public static function containsLink($value)
    {
        if (preg_match(self::LINK_REGEX, $value))
            return true;
        return false;
    }
}
$errors = array();
foreach ($_POST as $key=>$value) {
    // presumably you want at least one email field, yeah?
    // is_string() skips array-valued fields, which strip_tags() cannot take
    if ($key != 'email' && is_string($value)) {
        // perhaps you should be running strip_tags over everything if you don't want html and such...
        // see http://php.net/strip_tags for more info. without it (or something similar), there's nothing
        // to stop people from putting <script type="text/javascript" src="http://notyourdomain.com/~1337skriptkiddy/haxxors.js"></script>
        // into your form. even if you might not necessarily ever be displaying this in a scenario
        // where it can cause trouble, it's never a bad idea to stop this stuff *before* it gets into your db
        $_POST[$key] = $value = strip_tags($value);
        if (ValidationHelper::containsEmail($value) || ValidationHelper::containsLink($value)) {
            // $fieldNames (field key => display label) is not defined in this snippet; fall back to the key
            $label = isset($fieldNames[$key]) ? $fieldNames[$key] : $key;
            $errors[] = 'Please ensure the value you entered for '.$label.' does not contain any links or email addresses';
        }
    }
}
if (!empty($errors)) {
    // failed - show errors.
}
else {
    // success!
}
