ezmlm php subscribe/unsubscribe form


xarmoda
06-21-2006, 09:59 PM
Hi,

I was looking around for a PHP 'form mail' example that would allow punters to subscribe to my ezmlm mailing lists. I found a few pointers around the place and created this very basic form from those. Note: punters will still have to respond to a confirmation message; however, this safety measure can be turned off in ezmlm itself for instantaneous subscription, although this could easily be abused.


<?php
// Address typed into the form. No validation is applied to it here: it is used
// to build the ezmlm command address and is also written verbatim into From:.
$from    = isset($_POST['sAddr'])  ? $_POST['sAddr']  : '';
$action  = isset($_POST['action']) ? $_POST['action'] : '';
$subject = 'ezmlm request';

if ($action == 'join') {
    // ezmlm accepts commands at list-subscribe-user=host@listdomain
    $to   = 'mailinglist-subscribe-' . str_replace('@', '=', $from) . '@domain.com';
    $body = 'subscribe';
    if ($from != "" && $to != "") {
        $headers  = "MIME-Version: 1.0\n";
        $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
        $headers .= "X-Mailer: php\n";
        $headers .= "From: " . $from . "\n";
        mail($to, $subject, $body, $headers);
        print 'you will receive instructions via email on how to <b>subscribe</b> shortly.';
    }
} elseif ($action == 'leave') {
    $to   = 'mailinglist-unsubscribe-' . str_replace('@', '=', $from) . '@domain.com';
    $body = 'unsubscribe';
    if ($from != "" && $to != "") {
        $headers  = "MIME-Version: 1.0\n";
        $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
        $headers .= "X-Mailer: php\n";
        $headers .= "From: " . $from . "\n";
        mail($to, $subject, $body, $headers);
        print 'you will receive instructions via email on how to <b>unsubscribe</b> shortly.';
    }
}
?>
<form name="subscribe" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
subscribe:<input type="radio" name="action" value="join" checked>
unsubscribe:<input name="action" type="radio" value="leave">
email:<input name="sAddr" type="text" size="35" value=""/>
<input type="submit" value="Send Request"/>
</form>

Tim Pleiman
09-30-2006, 05:14 PM
With QMail, the spambots are relentless with these open PHP web forms. The following is the same form with a needle/haystack function call security update. This prevents the bots from injecting "to:", "bcc:" and "cc:" fields into the post. If left unsecured in the original manner, this form will eventually get cracked.

Here's the update:

<?php

// anti-spammer section to prevent QMail mailserver relay hijacking utilizing needle/haystack function calls

$redirecturl = "http://localhost";

// Case-insensitive substring test. Named contains_ci rather than str_contains:
// PHP 8 ships a built-in str_contains(), and redeclaring it is a fatal error.
function contains_ci($haystack, $needle, $ignoreCase = true) {
    if ($ignoreCase) {
        $haystack = strtolower($haystack);
        $needle   = strtolower($needle);
    }
    $needlePos = strpos($haystack, $needle);
    return ($needlePos === false ? false : ($needlePos + 1));
}

$from    = isset($_POST['sAddr'])  ? $_POST['sAddr']  : '';
$action  = isset($_POST['action']) ? $_POST['action'] : '';
$subject = 'ezmlm request';

// Bounce the request if the address field carries an injected To:/Cc:/Bcc: line.
foreach (array('to:', 'cc:', 'bcc:') as $needle) {
    if (contains_ci($from, $needle)) {
        header("Location: $redirecturl");
        exit;
    }
}

// EZMLM subscribe/unsubscribe section

if ($action == 'join') {
    // ezmlm accepts commands at list-subscribe-user=host@listdomain
    $to   = 'listname-subscribe-' . str_replace('@', '=', $from) . '@domainname.com';
    $body = 'subscribe';
    if ($from != "" && $to != "") {
        $headers  = "MIME-Version: 1.0\n";
        $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
        $headers .= "X-Mailer: php\n";
        $headers .= "From: " . $from . "\n";
        mail($to, $subject, $body, $headers);
        print 'Check your e-mail inbox now! You should have received instructions via email on how to finish <b>subscribing</b>.';
    }
} elseif ($action == 'leave') {
    $to   = 'listname-unsubscribe-' . str_replace('@', '=', $from) . '@domainname.com';
    $body = 'unsubscribe';
    if ($from != "" && $to != "") {
        $headers  = "MIME-Version: 1.0\n";
        $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
        $headers .= "X-Mailer: php\n";
        $headers .= "From: " . $from . "\n";
        mail($to, $subject, $body, $headers);
        print 'Check your e-mail inbox now! You should have received instructions via email on how to finish <b>unsubscribing</b>.';
    }
}
?>
<form name="subscribe" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
subscribe:<input type="radio" name="action" value="join" checked>
unsubscribe:<input name="action" type="radio" value="leave">
email:<input name="sAddr" type="text" size="35" value=""/>
<input type="submit" value="Send Request"/>
</form>
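Added example (not code from either post): a small Python model of what both forms do with the address field, so the header-injection problem and the two defences can be compared offline. It rebuilds the header block exactly as the PHP concatenates it (only the string building, not whatever newline checks a particular PHP version's mail() applies on top), reimplements the second post's to:/cc:/bcc: substring filter, and sets beside it a narrow allow-list for the subscriber address. The regex, the sample payloads and the list/domain names are this example's own assumptions. It shows that a payload adding a Bcc: line is caught by the substring filter, while one adding a Subject: line plus a message body slips past it yet is rejected by the allow-list, and that the ezmlm command address (list-subscribe-user=host@domain, as the forms build it) should only ever be assembled from an address that passed that check.

```python
import re

# Model of the header block the PHP forms concatenate and hand to mail():
# the user-typed address goes straight into "From:".
def build_headers(from_value: str) -> str:
    return ("MIME-Version: 1.0\n"
            "Content-type: text/plain; charset=iso-8859-1\n"
            "X-Mailer: php\n"
            "From: " + from_value + "\n")


def header_names(headers: str) -> list:
    """Field names an MTA would parse: everything before the first blank line."""
    head = headers.split("\n\n", 1)[0]
    return [line.split(":", 1)[0].strip().lower()
            for line in head.split("\n") if ":" in line]


def needle_check_passes(value: str) -> bool:
    """The second post's filter: reject input containing to:, cc: or bcc: (any case)."""
    lowered = value.lower()
    return not any(needle in lowered for needle in ("to:", "cc:", "bcc:"))


# Allow-list for the subscriber address (an assumption of this example): one
# local part, one '@', a dotted domain, no whitespace and therefore no CR/LF.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_subscriber(value):
    """Return the address if it is a single plain mailbox, else None."""
    if not isinstance(value, str) or len(value) > 254:
        return None
    # fullmatch, not match() with '$': '$' would still accept a trailing newline.
    if ADDR_RE.fullmatch(value) is None:
        return None
    return value


def ezmlm_command_address(list_name: str, domain: str, action: str, subscriber: str) -> str:
    """ezmlm command address as the forms build it: list-<action>-user=host@domain."""
    if action not in ("subscribe", "unsubscribe"):
        raise ValueError("action must be subscribe or unsubscribe")
    addr = validate_subscriber(subscriber)
    if addr is None:
        raise ValueError("refusing to build a command address from an invalid subscriber")
    return "%s-%s-%s@%s" % (list_name, action, addr.replace("@", "="), domain)


# Constructed inputs, not captured traffic.
CLEAN = "alice@example.org"
BCC_PAYLOAD = "victim@example.org\nBcc: spam-target@example.net"       # caught by the needle check
SUBJECT_PAYLOAD = "victim@example.org\nSubject: buy now\n\nspam body"  # slips past it


def compare(value: str) -> dict:
    """How the needle filter, the allow-list and the assembled header block treat one input."""
    return {
        "needle_passes": needle_check_passes(value),
        "strict_ok": validate_subscriber(value) is not None,
        "headers": header_names(build_headers(value)),
    }


if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("bcc", BCC_PAYLOAD), ("subject", SUBJECT_PAYLOAD)):
        print(label, compare(value))
    print(ezmlm_command_address("mailinglist", "domain.com", "subscribe", CLEAN))
```

The point of the comparison is that a deny-list of header names has to enumerate every header and every body-separator an attacker might add, whereas the allow-list only has to describe what one mailbox looks like; in the PHP form the same check belongs before the address is used either in the ezmlm command address or in the From: header.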