PHP Mail Script - UGN Security Forum

UGN Security

A little mail script i wrote that tells you when you didn't fill out a field, and allows you to ban ip addresses from viewing the page. Any suggestions for optimizations, additions, or removals? Comments?

Code

<?php
# Ghost's PHP Mail Script v1.3
# The source from this script may be freely distributed so long as credit is given
$ip = $_SERVER['REMOTE_ADDR'];
$banfile = fread(fopen("banip.txt", "r"), filesize("banip.txt"));
$file = fopen("maillog.txt", "a+");
$address = $_SERVER['REMOTE_ADDR'];
$mailaddress = $_POST['address'];
$subject = $_POST['subject'];
$from = $_POST['from'];
$message = $_POST['message'];
$submitted = $_POST['submitted'];
fwrite($file, "Page View: \n $address \n\n");
if(strstr($banfile, "$ip")) {
die("Banned.");
};
if(strpos($mailaddress, "@") && strpos($from, "@") && $subject !== NULL && $message !== NULL) {
fwrite($file, "Message: \n $address \n  $mailaddress \n $date \n $message \n\n");
mail($mailaddress, $subject, $message,
"Return-Path: $from\n" .
"From: $from\n" .
"X-Sent-With: Ghost's PHP Mail Sender v1.4");
echo "Your mail has been sent";
} elseif($submitted == "1") {
if(!strpos($mailaddress, "@")) {
echo "You need to input an address for the \"Address\" field.
";
};
if($subject == NULL) {
echo "You need to input a subject for the \"Subject\" field.
";
};
if(!strpos($from, "@")) {
echo "You need to input an address for the \"Return Address\" field.
";
};
if($message == NULL) {
echo "You need to input a message to send in the \"Message\" field.
";
};
echo "
<html>
 <head>
  <title>Mail Page</title>
 </head>
 <body>
  <form action=\"mail.php\" method=\"post\">
   Address: <input type=\"text\" name=\"address\">

   Subject: <input type=\"text\" name=\"subject\">

   Return Address: <input type=\"text\" name=\"from\">

   Message: <textarea name=\"message\"></textarea>

   <input type=\"hidden\" name=\"submitted\" value=\"1\">
   <input type=\"submit\">
  </form>
 </body>
</html>
";
} else {
echo "
<html>
 <head>
  <title>Mail Page</title>
 </head>
 <body>
  <form action=\"mail.php\" method=\"post\">
   Address: <input type=\"text\" name=\"address\">

   Subject: <input type=\"text\" name=\"subject\">

   Return Address: <input type=\"text\" name=\"from\">

   Message: <textarea name=\"message\"></textarea>

   <input type=\"hidden\" name=\"submitted\" value=\"1\">
   <input type=\"submit\">
  </form>
 </body>
</html>
"; };
?>

Wow ghost, why don't you show off a little BIT!?!!???

Ask me when I'm sober, I have a few pointers :hicup: should be tomorrow or somethig

Haha, all right gizmo, i'll bug you on irc.

How I'd handle listing my calls in a script:

Code

<?php
if($_SERVER["HTTPS"] == "on") {
  $type = "https";
}else{
  $type = "http";
}
$host = $_SERVER["HTTP_HOST"];
$url = "$type://$host/";
$me = $_SERVER["SCRIPT_URL"];
?>

<a href="<?php echo($ssl); ?>://<?php echo($host); ?><?php echo($me); ?>?function=call">link to script</a>

That way it'll auto update the script name and if it's being accessed through https or not; however as it's a mail script you don't really NEED ssl support so that'd knock us down to:

Code

<?php
$host = $_SERVER["HTTP_HOST"];
$me = $_SERVER["SCRIPT_URL"];
?>

<a href="http://<?php echo($host); ?><?php echo($me); ?>?function=call">link to script</a>

Or even:

Code

<?php
$script = $_SERVER["SCRIPT_URI"]
?>

<a href="<?php echo($script); ?>?function=call">link to script</a>

However I woudln't reccommend using the final one for subdomains; for some reason "script_uri" doesn't like subdomains in some enviroments (oen of the manyt hings i had to fix in the fserv)