Thread: Contact Form

  #1 (original poster)


    Hello,

    I am planning to add a Contact Us form to my website (contactus.php), so that people can send email to me using this form.

    My question is simple. I have a SendEmail() function that gets called on the form submit. This function is written in a .php file in the public_html/include folder. This function contains the To Email Address. If I give the To Email Address in the format user @ mydomain . com (remove the spaces), will it be targeted by spam? If yes, then how can I specify the To Email ID? What is the best way to prevent this?

    The purpose of creating a Contact Us form is to avoid spam.

    Thanks.
  #2 (requinix)
    It's not the function that matters but the form. The form is what will be spammed.

    You haven't given much detail about the form or how it works, but odds are using a CAPTCHA will go far to protect you from spam.
  #3 (original poster)
    Originally Posted by requinix
    It's not the function that matters but the form. The form is what will be spammed.
    The SendEmail() function is written by me, not a library function. All I want to know is how to give the To Email Address in a php file, so that it won't be spammed.
    You haven't given much detail about the form or how it works, but odds are using a CAPTCHA will go far to protect you from spam.
    I have given enough details. It is a typical ContactUs form, like this.
    http://www.cssheaven.org/preview/portfolio/contact/

    It calls a function in public_html/include/sendemail.php to send an email to the webmaster or my Email ID. When the Send/Submit button is clicked, the contactus.php calls the function SendEmail(), which sends the email. The SendEmail() doesn't draw any UI, just email sending. But I have given the To Email Address as

    Code:
    $email_to = "webmaster@mydomain.com";
    Will this be spammed?
  #4 (requinix)
    It's not the function that matters but the form. The form is what will be spammed.

    Imagine someone filling out your contact form with spam and submitting it hundreds of times a day. That's how it works. They don't send you the email directly - or rather they can't because they don't know your address. But they do know that the form will send you emails.
  #5 (original poster)
    Originally Posted by requinix
    It's not the function that matters but the form. The form is what will be spammed.

    Imagine someone filling out your contact form with spam and submitting it hundreds of times a day. That's how it works. They don't send you the email directly - or rather they can't because they don't know your address. But they do know that the form will send you emails.
    Oh, I got what you are talking about. I have that in mind.

    But I am not talking about that spamming. I am talking about another thing:

    Think about why someone doesn't give their email address in the correct format on their website. Because the spammers will search and find it. That is the reason for me to create a ContactUs form in the first place. Even if I use a contact form, I suspect that the spammers will grep the entire public_html folder to find a valid Email ID. So that raises my questions in the previous post.

    Thanks for your help.
  #6 (E-Oreo)
    Think about why someone doesn't give their email address in the correct format on their website. Because the spammers will search and find it. That is the reason for me to create a ContactUs form in the first place. Even if I use a contact form, I suspect that the spammers will grep the entire public_html folder to find a valid Email ID. So that raises my questions in the previous post.
    People can't see your PHP code. As long as you're not outputting the address to the page, people can't view it.

    Also they can't grep your files unless they have shell access to the server.
  #7 (original poster)
    Originally Posted by E-Oreo
    People can't see your PHP code. As long as you're not outputting the address to the page, people can't view it.

    Also they can't grep your files unless they have shell access to the server.
    Okay, thanks for the clarification.

    So what technique are the spammers using to find a valid email ID displayed on a contact web page, if they cannot grep in public_html/? Just curious.
  #8
    Because sometimes people put their email address plain and clean in the HTML, i.e.

    please email me @ email_address.co.uk
  #9
    Hi,

    I wonder why this is so hard to understand.

    requinix told you twice that spammers cannot read your email address from the PHP source code. They just can't. E-Oreo confirmed this. Yet you continue to ask us how spammers could fetch the email address from your code.

    What spammers can do is use your form to send you spam (as requinix already said twice). They don't need to actually know your address if your form works just as well for sending spam. This is why most contact forms use some kind of protection like captchas, hidden fields or whatever.

    Again: Your form is in danger, not your email address (unless somebody breaks into your server).
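The replies in #2, #4 and #9 describe the actual exposure (the form being submitted by bots, not the address being read out of the PHP file) and name CAPTCHAs and hidden fields as the usual protection. What follows is an added example, not code from the thread: a sendemail.php along the lines the original poster describes, with the recipient fixed in server-side code, a honeypot field, a signed render-time check, and validation that keeps line breaks out of mail headers. The field names, the example.com addresses and FORM_SECRET are assumptions.

```php
<?php
// Added example, not code from the thread. A contact-form handler that keeps
// the recipient address on the server and rejects the automated submissions
// the replies describe. Field names, addresses and FORM_SECRET are assumptions.
declare(strict_types=1);

const CONTACT_TO       = 'webmaster@example.com';    // only in server-side code, never in the HTML
const CONTACT_FROM     = 'contact-form@example.com'; // a mailbox on your own domain, so SPF/DKIM line up
const FORM_SECRET      = 'replace-with-a-long-random-string'; // signs the timestamp field
const MIN_FILL_SECONDS = 3;     // a human needs longer than this to fill in the form
const MAX_FIELD_LEN    = 2000;

/** Hidden inputs to print inside the <form>: a signed render time and a honeypot. */
function contactFormHiddenFields(int $now): string
{
    $sig = hash_hmac('sha256', (string) $now, FORM_SECRET);
    return '<input type="hidden" name="ts" value="' . $now . '">' . "\n"
         . '<input type="hidden" name="sig" value="' . $sig . '">' . "\n"
         // Hidden from humans via CSS; crude bots fill in every field they find.
         . '<div style="display:none"><input type="text" name="website" tabindex="-1" autocomplete="off"></div>';
}

/** Returns the reasons to reject the submission; an empty list means "send it". */
function validateContactSubmission(array $post, int $now): array
{
    $errors = [];

    // 1. Honeypot: real users never see this field, so any value means a bot.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot filled';
    }

    // 2. Timing: the form carries the time it was rendered, signed so the client
    //    cannot backdate it. Instant submissions are automated.
    $ts  = (string) ($post['ts'] ?? '');
    $sig = (string) ($post['sig'] ?? '');
    if ($ts === '' || !hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $sig)) {
        $errors[] = 'timestamp missing or tampered';
    } elseif ($now - (int) $ts < MIN_FILL_SECONDS) {
        $errors[] = 'submitted too fast';
    }

    // 3. Required fields with length limits, and a syntactically valid reply address.
    foreach (['name', 'email', 'message'] as $f) {
        $v = trim((string) ($post[$f] ?? ''));
        if ($v === '') {
            $errors[] = "$f missing";
        } elseif (strlen($v) > MAX_FIELD_LEN) {
            $errors[] = "$f too long";
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email invalid';
    }

    // 4. Nothing that goes into a mail header may contain a line break, or the
    //    submitter could append headers of their own (extra recipients, for example).
    foreach (['name', 'email', 'subject'] as $f) {
        if (preg_match('/[\r\n]/', (string) ($post[$f] ?? ''))) {
            $errors[] = "$f contains line breaks";
        }
    }
    return $errors;
}

/** Build the message. The To address comes from the constant, never from the form. */
function buildContactMail(array $post): array
{
    $name    = trim((string) $post['name']);
    $email   = trim((string) $post['email']);
    $subject = trim((string) ($post['subject'] ?? '')) ?: 'Contact form message';
    $headers = 'From: ' . CONTACT_FROM . "\r\n"
             . "Reply-To: $email\r\n"
             . 'Content-Type: text/plain; charset=UTF-8';
    $body = "Name: $name\nE-mail: $email\n\n" . trim((string) $post['message']);
    return ['to' => CONTACT_TO, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

// Request handling when run under the web server (contactus.php would require_once this file).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (validateContactSubmission($_POST, time()) !== []) {
        http_response_code(400);
        echo 'Sorry, your message could not be sent.'; // one generic answer: don't tell a bot which check it tripped
    } else {
        $m = buildContactMail($_POST);
        echo mail($m['to'], $m['subject'], $m['body'], $m['headers'])
            ? 'Thanks, your message has been sent.'
            : 'Sorry, your message could not be sent.';
    }
}
```

contactus.php would require_once this file and print contactFormHiddenFields(time()) inside the <form>; the block at the bottom handles the POST. The honeypot and timing checks stop generic form bots cheaply, but a spammer who targets this one site can adapt to both, which is where a CAPTCHA or a per-IP rate limit comes in. Keeping CONTACT_TO in code rather than in a hidden form field matters for the same reason: a hidden field is part of the HTTP response and can be rewritten by whoever submits the form.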
  #10 (E-Oreo)
    So what technique are the spammers using to find a valid email ID displayed on a contact web page, if they cannot grep in public_html/? Just curious.
    They retrieve the contact page using an HTTP request, just like your browser would, and then they search the returned text for two things:
    1) Email addresses
    2) Links to other pages

    Then they repeat the entire process with all of the links found.

    Although I don't recommend it, if you were to put a file in /public_html and not link to it from anywhere else, chances are nobody would ever find it.
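The crawl E-Oreo describes is, as an added example that is not from the thread, a few dozen lines of PHP: fetch a page, pattern-match addresses and links out of it, repeat for every link found. The sample pages, URLs and addresses below are constructed for the demo, and the fetch is a lookup into that array rather than a real HTTP request. Note what the constructed contactus.php response contains: the rendered form, not the PHP source, so the $email_to assignment from the included file is not there to be found.

```php
<?php
// Added example, not code from the thread: a miniature address harvester of the
// kind E-Oreo describes. It never sees PHP source, only what the server sends
// back. URLs, page contents and addresses below are constructed for the demo.
declare(strict_types=1);

/** Pull e-mail addresses and links out of one fetched HTML document. */
function harvestPage(string $html, string $pageUrl): array
{
    // Decode entities first: writing the "@" as &#64; does not hide an address.
    $text = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    preg_match_all('/[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/', $text, $m);
    $emails = array_values(array_unique($m[0]));

    preg_match_all('/<a\s[^>]*href=["\']([^"\'#]+)["\']/i', $html, $m);
    $links = [];
    foreach ($m[1] as $href) {
        if (stripos($href, 'mailto:') === 0) {
            continue;                      // the address itself was caught above
        }
        $links[] = resolveUrl($pageUrl, $href);
    }
    return ['emails' => $emails, 'links' => array_values(array_unique($links))];
}

/** Minimal relative-URL resolution (absolute, root-relative, or sibling path). */
function resolveUrl(string $base, string $href): string
{
    if (preg_match('#^https?://#i', $href)) {
        return $href;
    }
    $p      = parse_url($base);
    $origin = $p['scheme'] . '://' . $p['host'];
    if ($href[0] === '/') {
        return $origin . $href;
    }
    $dir = rtrim(dirname($p['path'] ?? '/'), '/');
    return $origin . $dir . '/' . $href;
}

/**
 * Crawl from $start, fetching each page with $fetch(url) => html|null and
 * collecting addresses, until $limit pages have been visited. This is the loop
 * described in post #10: scan for addresses and links, then follow the links.
 */
function crawl(string $start, callable $fetch, int $limit = 50): array
{
    $queue = [$start];
    $seen  = [];
    $found = [];
    while ($queue && count($seen) < $limit) {
        $url = array_shift($queue);
        if (isset($seen[$url])) {
            continue;
        }
        $seen[$url] = true;
        $html = $fetch($url);             // a real harvester would use curl here
        if ($html === null) {
            continue;
        }
        $r     = harvestPage($html, $url);
        $found = array_merge($found, $r['emails']);
        $queue = array_merge($queue, $r['links']);
    }
    return array_values(array_unique($found));
}

// Constructed sample site. The contactus.php entry is what the server returns:
// the rendered form. PHP executed the file; the $email_to line from the included
// sendemail.php is not part of the response.
$site = [
    'http://www.example.com/contactus.php' => <<<HTML
<html><body><h1>Contact us</h1>
<form method="post" action="contactus.php">
  <input name="name"> <input name="email"> <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<a href="/about.php">About</a> <a href="team.php">Team</a></body></html>
HTML,
    'http://www.example.com/about.php' => '<html><body><p>Founded 2013.</p></body></html>',
    // This page does what post #8 warns about: the address is in the HTML itself.
    'http://www.example.com/team.php' => <<<HTML
<html><body><p>Please email me at <a href="mailto:sales&#64;example.com">sales&#64;example.com</a></p>
<p>Or the webmaster: webmaster [at] example.com</p></body></html>
HTML,
];

$fetch = static fn (string $url): ?string => $site[$url] ?? null;

print_r(crawl('http://www.example.com/contactus.php', $fetch));
```

Run from the CLI, the crawl visits all three constructed pages and returns only sales@example.com: the entity-encoded address on team.php is decoded and harvested, "webmaster [at] example.com" does not match the pattern, and the contact page yields the form and two links but no address. One caveat on the unlinked-file point in the post above: a request for /include/sendemail.php is still answered by the server, but PHP executes the file and returns its output (normally nothing) rather than its source, so what keeps $email_to out of the response is the PHP handler being in place, not the file being unlinked. Placing include/ outside the document root, or denying it in the web server configuration, removes that dependency.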
  #11 (original poster)
    Originally Posted by E-Oreo
    They retrieve the contact page using an HTTP request, just like your browser would, and then they search the returned text for two things:
    1) Email addresses
    2) Links to other pages

    Then they repeat the entire process with all of the links found.

    Although I don't recommend it, if you were to put a file in /public_html and not link to it from anywhere else, chances are nobody would ever find it.
    Thanks E-Oreo for the clarification. So I understand that it is not possible for the spammer to find .php files in public_html/ that don't have a link from the website. So in my case, I am including public_html/include/sendemail.php in contactus.php using the following code, which is safe. They cannot retrieve sendemail.php using an HTTP request and find my Email ID.

    Code:
    require_once("./include/sendemail.php");
    To others:
    I have already said that I am not talking about, or concerned with, the Captcha stuff at the moment. So it is off-topic to me.

    Thanks to the people who sent good replies that helped me understand this stuff.
