Below is the code I'm using for a simple contact form. It seems our code is being manipulated and someone is using the contact form for email injection. I'm relatively new to PHP and I've tried researching online but currently I'm having no joy.
Does anyone have some advice?
<?php
// get posted data into local variables
$EmailFrom = Trim(stripslashes($_POST['EmailFrom']));
$EmailTo = "email@email.com";
$Subject = "subject";
//$Title = Trim(stripslashes($_POST['Title']));
$First = Trim(stripslashes($_POST['First']));
//$Surname = Trim(stripslashes($_POST['Surname']));
//$Company = Trim(stripslashes($_POST['Company']));
//$Address = Trim(stripslashes($_POST['Address']));
//$Address2 = Trim(stripslashes($_POST['Address2']));
//$Address3 = Trim(stripslashes($_POST['Address3']));
//$Area = Trim(stripslashes($_POST['Area']));
//$County = Trim(stripslashes($_POST['County']));
//$Postcode = Trim(stripslashes($_POST['Postcode']));
$Telephone = Trim(stripslashes($_POST['Telephone']));
//$Fax = Trim(stripslashes($_POST['Fax']));
$EmailFrom = Trim(stripslashes($_POST['EmailFrom']));
$AmountOwed = Trim(stripslashes($_POST['AmountOwed']));
$ip = Trim(stripslashes($_POST['ip']));
//$Marketing = Trim(stripslashes($_POST['Marketing']));
//$Contact = Trim(stripslashes($_POST['Contact']));
$Details = Trim(stripslashes($_POST['Details']));
// validation
$validationOK=true;
if (Trim($EmailFrom)=="Your email: (required)") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
};
if (Trim($Telephone)=="Your Telephone: (required)") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
};
if (Trim($First)=="Your name: (required)") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
exit;
}
// prepare email body text
$Body = "";
//$Body .= "Title: ";
//$Body .= $Title;
//$Body .= "
";
$Body .= "First: ";
$Body .= $First;
$Body .= "
";
//$Body .= "Surname: ";
//$Body .= $Surname;
//$Body .= "
";
//$Body .= "Company: ";
//$Body .= $Company;
//$Body .= "
";
//$Body .= "Address: ";
//$Body .= $Address;
//$Body .= "
";
//$Body .= "Address2: ";
//$Body .= $Address2;
//$Body .= "
";
//$Body .= "Address3: ";
//$Body .= $Address3;
//$Body .= "
";
//$Body .= "Area: ";
//$Body .= $Area;
//$Body .= "
";
//$Body .= "County: ";
//$Body .= $County;
//$Body .= "
";
//$Body .= "Postcode: ";
//$Body .= $Postcode;
//$Body .= "
";
$Body .= "Telephone: ";
$Body .= $Telephone;
$Body .= "
";
//$Body .= "Fax: ";
//$Body .= $Fax;
//$Body .= "
";
$Body .= "EmailFrom: ";
$Body .= $EmailFrom;
$Body .= "
";
$Body .= "AmountOwed: ";
$Body .= $AmountOwed;
$Body .= "
";
$Body .= "ip: ";
$Body .= $ip;
$Body .= "
";
//$Body .= "Marketing: ";
//$Body .= $Marketing;
//$Body .= "
";
//$Body .= "Contact: ";
//$Body .= $Contact;
//$Body .= "
";
$Body .= "Details: ";
$Body .= $Details;
$Body .= "
";
// send email
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
// redirect to success page
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=thankyou.php\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
?>