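$filtered_email = filter_var($email_str, FILTER_VALIDATE_EMAIL);
if ($filtered_email) {
    return true;
} else {
    return false;
}
}

$message = '';

// Handle a change request from the contact-information form.
// NOTE(review): nothing in this span checks a CSRF token or who the
// requester is, so any POST that reaches the script can rewrite the sender
// details used for outgoing mail - confirm the form is protected upstream.
if (isset($_POST['contactedit'])) {
    $message = "Invalid Submission. Please Retry.";
    // All three fields must be present and scalar: a repeated field
    // (contactname[]=...) arrives as an array and would break htmlspecialchars().
    if (isset($_POST['contactname'], $_POST['contactemail'], $_POST['url'])
        && is_string($_POST['contactname'])
        && is_string($_POST['contactemail'])
        && is_string($_POST['url'])
    ) {
        // Values are escaped at input time; this file's convention is to
        // store them ready for interpolation into the HTML mail body.
        $contact_name = trim(htmlspecialchars($_POST['contactname']));
        $survey_url = trim(htmlspecialchars($_POST['url']));
        $emailEdit = trim(htmlspecialchars($_POST['contactemail']));
        if (!isFiltered($emailEdit) || isInjected($emailEdit)) {
            $message = "Change Unsuccessful.\nInvalid Email.";
        } elseif (isInjected($contact_name) || isInjected($survey_url)) {
            // The record is stored one value per line and the name is later
            // placed in a From: header, so a line break in either field would
            // shift the parsed fields and open the header to injection.
            $message = "Change Unsuccessful.\nInvalid Name or URL.";
        } else {
            $contact_email = $emailEdit;
            $contactInfo = array($contact_name, $contact_email, $survey_url);
            // LOCK_EX: the same file is read back on every request below.
            if (file_put_contents('contact.txt', implode("\n", $contactInfo), LOCK_EX) === false) {
                $message = "Change Unsuccessful.\nCould not save contact information.";
            } else {
                $message = "Information Successfully Changed.";
            }
        }
    }
}

// Retrieves contact information. A missing file or a short record falls
// back to empty strings instead of raising undefined-offset warnings.
// NOTE(review): contact.txt sits beside the script; if that directory is
// web-served the stored address is readable by anyone - confirm.
$infoParts = is_file('contact.txt') ? file('contact.txt', FILE_IGNORE_NEW_LINES) : false;
if ($infoParts === false) {
    $infoParts = array();
}
$contact_name = isset($infoParts[0]) ? $infoParts[0] : '';
$contact_email = isset($infoParts[1]) ? $infoParts[1] : '';
$survey_url = isset($infoParts[2]) ? $infoParts[2] : '';
?>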
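<?php
// This function checks for email injection. Specifically, it checks for
// carriage returns - typically used by spammers to inject a CC list.
// Returns true when $str contains a line break or tab, either literally or
// URL-encoded. preg_match() returns false on a PCRE error; that case is
// reported as "injected" so a regex failure fails closed instead of letting
// the value through into a mail header.
function isInjected($str)
{
    $injections = array('(\\n+)', '(\\r+)', '(\\t+)', '(%0A+)', '(%0D+)', '(%08+)', '(%09+)');
    $inject = '/' . implode('|', $injections) . '/i';
    return preg_match($inject, $str) !== 0;
}

// Load form field data into variables. The isset() guards avoid an
// undefined-index warning when the script is reached without the form.
$email_address = isset($_REQUEST['email_address']) ? $_REQUEST['email_address'] : null;
$message = isset($_REQUEST['message']) ? $_REQUEST['message'] : null;

// If the user tries to access this script directly, redirect them to the
// feedback form. Each redirect is followed by exit so nothing below a
// Location header can run.
if (!isset($_REQUEST['email_address'])) {
    header("Location: contact.html");
    exit;
} elseif (!is_string($email_address) || !is_string($message)
    || $email_address === '' || $message === ''
) {
    // A repeated field (message[]=...) arrives as an array and would make
    // mail() fail; an empty field is rejected as before.
    header("Location: error_message.html");
    exit;
} elseif (isInjected($email_address) || filter_var($email_address, FILTER_VALIDATE_EMAIL) === false) {
    // The address goes straight into the From: header, so it must be both
    // free of line breaks and a syntactically valid mailbox.
    header("Location: error_message.html");
    exit;
} else {
    mail("*****@*****.**", "Invest Capital website contact form", $message, "From: {$email_address}");
    header("Location: contact_sent.html");
    exit;
}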
// NOTE(review): this is the tail of a loop whose header lies above the
// visible span; $tutor, $filename, $contact_name, $contact_email and
// $survey_url are all set before this point. Row layout assumed from the
// indexes used here: [0] = first+last name joined by '+', [1] = email,
// [2] = $ed, [3] = hours - confirm against the code that builds $tutorinfo.
touch($filename);
// NOTE(review): 0746 leaves the file writable by every other local user
// (the 'others' bits are rw). If that is not deliberate, 0644/0664 is the
// usual choice; the 0606 further down has the same property.
chmod($filename, 0746);
// fopen() can return false (permissions, missing directory); not checked here.
$outFile = fopen($filename, 'a');
// explode() yields a single element when the name has no '+', so
// $namelist[1] below would then be an undefined offset.
$namelist = explode('+', $tutor[0]);
$ed = $tutor[2];
$hrs = $tutor[3];
// One CSV row with a single field: name parts, hours and $ed concatenated,
// followed by a literal '.csv' suffix.
$entry = array($namelist[0] . $namelist[1] . $hrs . $ed . '.csv');
fputcsv($outFile, $entry);
fclose($outFile);
# Email
$emailadd = $tutor[1];
$subject = "Availability Survey";
// HTML mail body. NOTE(review): the href is not quoted, so a $survey_url
// containing a space or '>' ends the attribute early; {$contact_name} and
// {$survey_url} are interpolated verbatim and rely on having been escaped
// when they were stored.
$content = "\n <html>\n <head>\n <title>Availability Survey</title>\n </head>\n <body>\n <p>\n {$namelist['0']} {$namelist['1']}, <br /><br />\n You are currently listed as a tutor for the upcoming \n semester. <br />\n Please take a few minutes and fill out this survey regarding\n your schedule and times you are available for tutoring. <br />\n You must be on the campus network to access the survey. <br />\n Also, from personal experience, the survey works best when\n completed using Google Chrome.\n </p>\n <br />\n <p>\n <a href={$survey_url}>Tutoring Survey</a>\n </p>\n <br />\n <p>\n {$contact_name}\n </p>\n </body>\n </html>\n ";
// NOTE(review): $contact_name and $contact_email are placed in a raw mail
// header. A CR/LF in either value would allow extra headers to be appended;
// only the recipient ($emailadd) is run through isInjected() here, so confirm
// the stored contact values are validated where contact.txt is written.
$headers = "From: {$contact_name} <{$contact_email}>" . "\r\n";
$headers .= "Content-type: text/html; charset=utf-8" . "\r\n";
// Send only to a syntactically valid, injection-free address; otherwise
// tell the contact person that this tutor's address needs attention.
if (isFiltered($emailadd) && !isInjected($emailadd)) {
    mail($emailadd, $subject, $content, $headers);
} else {
    $subj = "Availability Survey: Email Issue";
    $alt_content = "There was an issue with {$namelist['0']} {$namelist['1']}'s\n email.";
    $alt_headers = "From: Scheduling System <{$contact_email}>";
    mail($contact_email, $subj, $alt_content, $alt_headers);
}
}

# Put number of tutors into text file
$tutorcount = count($tutorinfo); // count of tutors in db
// $title comes from outside the visible span; it is used unmodified as part
// of a filesystem path, so confirm it is not derived from request input.
$filename = 'counts/' . $title . 'tutorcount.txt';
touch($filename);
// NOTE(review): 0606 is world-writable (see the 0746 note above) - confirm.
chmod($filename, 0606);
// Return value (false on failure) is not checked.
file_put_contents($filename, $tutorcount);