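// The dispatch block that starts here is cut off at the top of this excerpt
// (its opening condition is not visible); the fragment is kept as found.
0) { //show errors
    $error_html = write_errors($error_messages);
    $_POST = clean_html($_POST);
    require_once(TPL_FILE);
} else { //redirect to confirmation page
    @header('Location: ' . FORM_ACTION . '?action=sent');
}
} elseif($_GET['action'] == 'sent') { //show confirmation
    $confirmation_html = get_confirmation_html();
    require_once(TPL_FILE);
} else { //show default form
    require_once(TPL_FILE);
}

#####################################FUNCTIONS#######################################

/*-------------------------
 form validation
-------------------------*/
/**
 * Validate the submitted contact-form fields.
 *
 * The parameter used to be named $_POST, which is a compile error on
 * PHP >= 5.4 ("Cannot re-assign auto-global variable"); callers pass it
 * positionally, so the rename is transparent to them.
 *
 * @param array $fields Submitted form fields (normally $_POST); missing keys
 *                      are treated as empty strings.
 * @return array Map of field label => French error message; empty when the
 *               submission is acceptable.
 */
function validate_form($fields)
{
    $error_messages = array();
    $prohibited_comments = get_prohibited_comment_chars(); // injection phrases for the comment field
    $prohibited_email = get_prohibited_email_chars();      // injection sequences for the email field

    // Required fields, trimmed. Absent keys no longer raise an undefined-index notice.
    $blanks = array(
        'Nom'   => trim((string) (isset($fields['name']) ? $fields['name'] : '')),
        'Sujet' => trim((string) (isset($fields['subject']) ? $fields['subject'] : '')),
    );
    $email = trim((string) (isset($fields['email']) ? $fields['email'] : ''));
    $comments = trim((string) (isset($fields['comments']) ? $fields['comments'] : ''));
    $captchaPhrase = (string) (isset($fields['verification']) ? $fields['verification'] : '');

    // Validate: blanks. Compare against '' instead of relying on truthiness so a
    // legitimate value of "0" is not reported as empty.
    foreach ($blanks as $key => $value) {
        if ($value === '') {
            $error_messages[$key] = 'est vide ou inadmissible';
        }
    }

    // Validate: email. Same pattern as before, now as PCRE (eregi() was removed in
    // PHP 7). The D modifier keeps the POSIX meaning of `$` (end of string only), so
    // an address followed by a newline is still rejected.
    $email_regex = '/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/iD';
    if (!preg_match($email_regex, $email)) {
        $error_messages['Courriel'] = 'Veuillez écrire un courriel valide';
    } else {
        // The prohibited sequences are literal text, so a case-insensitive substring
        // test is equivalent to the old eregi() match and cannot be confused by
        // regex metacharacters.
        foreach ($prohibited_email as $dangerous) {
            if (stripos($email, $dangerous) !== false) {
                $error_messages['Courriel'] = 'Veuillez écrire un courriel valide';
                break;
            }
        }
    }

    // Validate: comments. Both messages now use the 'Commentaires' label (the
    // injection case used to be reported under 'Comments').
    if ($comments === '') {
        $error_messages['Commentaires'] = 'est vide ou inadmissible';
    } else {
        foreach ($prohibited_comments as $dangerous) {
            if (stripos($comments, $dangerous) !== false) {
                $error_messages['Commentaires'] = 'Votre réponse contient le texte qui est potentiellement nocif à ce serveur. Votre réponse n\'a pas été envoyée ! Essayez svp de reformuler votre réponse. Nous faisons des excuses pour n\'importe quel dérangement.';
                break;
            }
        }
    }

    // Validate: captcha. A missing cookie is a failure, and the digests are compared
    // strictly and in constant time (the old check was a loose `!=`).
    // NOTE(review): the expected digest is read from a cookie the client controls, so
    // this only proves the client holds a cookie consistent with the phrase; keeping
    // the expected value server-side (e.g. in the session) would be stronger.
    $expected = isset($_COOKIE['cffrVerification']) ? (string) $_COOKIE['cffrVerification'] : '';
    $computed = md5(md5($captchaPhrase) . 'a39nx');
    if ($expected === '' || !hash_equals($expected, $computed)) {
        $error_messages['Verification de Spam'] = 'Code inadmissible de vérification.';
    }

    return $error_messages;
}

/*-------------------------
 email send function
-------------------------*/
/**
 * Build and send the notification email for a validated submission.
 *
 * @param array $VARS Submitted form fields; absent keys are sent as empty values.
 * @return array Map of label => French error message; empty when mail()
 *               accepted the message.
 */
function send_email($VARS)
{
    $error_messages = array();

    // Every submitted value goes through clean_emailvar() before it is placed in the body.
    $field = function ($key) use ($VARS) {
        return clean_emailvar(isset($VARS[$key]) ? $VARS[$key] : '');
    };

    $subject = SITE_NAME . " French Contact Form";

    $body = SITE_NAME . " French Contact Form:\r\n";
    $body .= "Name: " . $field('name') . "\r\n";
    $body .= "Email: " . $field('email') . "\r\n";
    $body .= "Telephone: " . $field('phone') . "\r\n";
    $body .= "Fax: " . $field('fax') . "\r\n";
    $body .= "Subject: " . $field('subject') . "\r\n";
    $body .= "Comments: " . $field('comments') . "\r\n";
    $remote_addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $body .= "IP Address: " . $remote_addr . "\r\n";
    // NOTE(review): stripslashes() here dates from magic_quotes_gpc; on a host without
    // magic quotes it also removes backslashes the user actually typed — confirm it is
    // still wanted.
    $body = trim(stripslashes($body));

    // Headers are built only from the site's own constants, never from the submission,
    // so user input cannot reach the header block. ($headers is initialised here; it
    // used to be appended to before being defined.)
    $headers = 'From: ' . SITE_NAME . ' Contact Form <' . FROM_EMAIL . ">\r\n";
    $headers .= 'Return-Path: <' . FROM_EMAIL . ">\r\n";

    // A delivery failure is reported to the user through $error_messages rather than as
    // a PHP warning rendered into the page, hence the deliberate @ suppression.
    if (!@mail(TO_EMAIL, $subject, $body, $headers)) {
        $error_messages['Erreur systeme'] = 'nous ne pouvons pas fournir votre information à l\'heure actuelle. Essayez svp encore plus tard. Nous faisons des excuses pour l\'inconvience.';
    }

    return $error_messages;
}

/*-------------------------
 confirmation html output msg
-------------------------*/
/**
 * Return the HTML shown after a successful submission.
 *
 * NOTE(review): the markup inside this heredoc was lost when the page was
 * extracted; only the visible text survives here. Restore the original tags
 * from the deployed template before relying on this output.
 *
 * @return string
 */
function get_confirmation_html()
{
    $confirmation_html = <<<EOT
L‘information soumise avec succès
Votre information a pour être envoyée. Merci!

EOT;
    return $confirmation_html;
}

/*-------------------------
 error html output msg
-------------------------*/
/**
 * Render the validation/sending errors as an HTML fragment.
 *
 * Keys and values are the fixed labels and messages produced by
 * validate_form() and send_email(), not raw user input, which is why they are
 * concatenated as-is.
 *
 * NOTE(review): the markup inside the two heredocs and around each entry was
 * lost when the page was extracted; only the visible text survives here.
 *
 * @param array $error_messages Map of label => message.
 * @return string
 */
function write_errors($error_messages)
{
    $error_html = <<<EOT
Erreur
EOT;
    foreach ($error_messages as $key => $value) {
        $error_html .= '
' . $key . ': ' . $value . '
';
    }
    $error_html .= <<<EOT

EOT;
    return $error_html;
}

/*-------------------------
 text cleaners (for safe input/output)
-------------------------*/
/**
 * Literal sequences that must not appear in the email field (CR/LF and their
 * common escaped spellings). Matched case-insensitively by the callers.
 *
 * @return array
 */
function get_prohibited_email_chars()
{
    return array(
        "\r",
        "\n",
        "0x0A",
        "%0A",
        "0x0D",
        "%0D",
        "%0A%0D",
    );
}

/**
 * Literal header names and MIME tokens that must not appear in the comment
 * field. Matched case-insensitively by the callers.
 *
 * @return array
 */
function get_prohibited_comment_chars()
{
    return array(
        // the biggies first
        "bcc:",
        "cc:",
        "reply-to",
        // some other common ones
        "mime-version",
        "multipart/mixed",
        "multipart/alternative",
        "multipart/related",
        "boundary=",
        "charset",
        "content-disposition",
        "content-type",
        "content-transfer-encoding",
        // more arcane but still dangerous and shouldn't be there
        "errors-to",
        "apparently-to",
        "in-reply-to",
        "message-id",
        "x-mailer",
        "x-sender",
        "x-uidl",
    );
}

/**
 * Strip the prohibited email sequences from a value destined for the mail body.
 *
 * The old implementation passed the value through strtolower() on every
 * iteration, so the whole message arrived lower-cased; str_ireplace() removes
 * the sequences case-insensitively while leaving the rest of the text intact.
 *
 * @param mixed $var
 * @return string
 */
function clean_emailvar($var)
{
    $var = trim((string) $var);
    foreach (get_prohibited_email_chars() as $dangerous) {
        $var = str_ireplace($dangerous, '', $var);
    }
    return $var;
}

/**
 * HTML-escape every submitted value so it can be echoed back into the template
 * without breaking the layout.
 *
 * The parameter used to be named $_POST (a compile error on PHP >= 5.4);
 * callers pass it positionally.
 *
 * @param array $fields
 * @return array Same keys, escaped values.
 */
function clean_html($fields)
{
    foreach ($fields as $key => $value) {
        $fields[$key] = clean_inputs($value);
    }
    return $fields;
}

/**
 * Escape one submitted value for HTML output; nested arrays are escaped
 * element by element instead of raising a TypeError.
 *
 * ENT_QUOTES covers attribute contexts that use single quotes, and
 * ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole value into ''.
 *
 * @param mixed $var
 * @return string|array
 */
function clean_inputs($var)
{
    if (is_array($var)) {
        return array_map('clean_inputs', $var);
    }
    // NOTE(review): stripslashes() dates from magic_quotes_gpc — confirm it is still wanted.
    return htmlspecialchars(stripslashes((string) $var), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>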