DotDragnet
Topic: PHP help (urgent)
sponna
« on: January 26, 2012, 11:29:50 AM »

Grateful if anyone can help - vee here (I forgot my own login)

We have transferred a dental site over to our hosting. It's a PHP site, but the company that developed it assured us it would be a direct transfer and they sent us all the files etc.

Since we changed the nameservers to our hosting I have been seeing this message:

Intercept #4 - Bye Bye SpammerForbidden - You are not authorized to view this page

This seems to be generated by the contact form script.

The site can be seen here:

http://www.hallgrenclinic.com/

The code in contactForm.class.php that seems to generate this is here:

Code:
<?php 
abstract class contactForm{

protected $error = '';
protected $success = '';

protected $isPosted = false;
protected $adminEmail = "";

protected $spamblocked = false;
protected $spammessage = NULL;

protected static $spamReportEmail = "snip";
protected static $sitename = "hallgrenclinic";

protected static $additionalEmailTo = "snip";

public function __construct(){



}

public function setEmailTo($email){
$this->adminEmail = $email;
}

public function sendEmail($subject,$content){


$headers = 'Content-Type: text/plain; charset="iso-8859-1"' ."\r\n";
$headers .= 'Content-Transfer-Encoding: 7bit ' ."\r\n";
$headers .= 'From: '.$this->adminEmail.'';

if(!mail($this->adminEmail, $subject,$content,$headers)){
$this->appendError('<p>Error Sending Message</p>');
}else{
$this->appendSuccess('<p>Message Sent</p>');

}

if(!mail(contactForm::$additionalEmailTo, "Toucan CC: Hallgren Quick Contact Submission",$content,$headers)){
$this->appendError('<p>Error Sending Message</p>');
}
}

public function setPosted($bool){
$this->isPosted = $bool;
}
public function isPosted(){
return $this->isPosted;
}

public function getPostVars(){}

public function processSubmit(){}


public function getError(){
return $this->error;
}

public function getSuccess(){
return $this->success;
}

public function appendError($error){

if(isset($error) && $error != ""){

$this->error .= $error;

}

}




public static function fullSpamBlock($authHosts = array()){

contactForm::checkUserAgent();
contactForm::checkFormPosted();
contactForm::checkAuthorisedHosts($authHosts);
contactForm::checkBadStrings($authHosts);
}


public static function checkFormPosted(){

// Make sure the form was indeed POST'ed:
//  (requires your html form to use: action="post") 

if(isset($REQUEST_METHOD) && $REQUEST_METHOD == "POST"){
echo ("Intercept #1 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #1 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;    
}

}

public static function checkUserAgent(){
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:    
global $HTTP_USER_AGENT;

if(!isset($HTTP_USER_AGENT)){
echo ("Intercept #4 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #4 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;
}
}

public static function checkAuthorisedHosts($authHosts = array()){

global $HTTP_USER_AGENT, $HTTP_REFERER;
// Where have we been posted from?

if(isset($HTTP_POST_VARS)){
$fromArray = parse_url(strtolower($HTTP_REFERER));

// Test to see if the $fromArray used www to get here.
$wwwUsed = false;
if(isset($fromArray['host'])){
$wwwUsed = strpos($fromArray['host'], "www.");
}
//echo ("From:".$wwwUsed."<br>");
// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){
//   logBadRequest();
//   header("HTTP/1.0 403 Forbidden");
echo ("Intercept #2 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #2 activated");
die("Forbidden - You are not authorized to view this page");
   exit;
}
}
}

public static function checkBadStrings(){


if(isset($HTTP_POST_VARS)){
$badStrings = array("Content-Type:",
 "MIME-Version:",
 "Content-Transfer-Encoding:",
 "bcc:",
 "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
//foreach($_POST as $k => $v){
foreach($HTTP_POST_VARS as $k => $v){

   foreach($badStrings as $v2){

   if(strpos($v, $v2) !== false){

   echo ("Intercept #3 - Bye Bye Spammer");
   mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #3 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;
   
   }
   }

}

}

public function appendSuccess($success){

if(isset($success) && $success != ""){

$this->success .= $success;

}

}

public function isError(){
if($this->error == ''){
return false;
}else{
return true;
}
}

public function isSuccess(){
if($this->success == ''){
return false;
}else{
return true;
}
}

public function isErrorOrSuccess(){

if($this->isSuccess() || $this->isError()){
return true;
}else{
return false;
}

}

/**
This gets a completely unstyled version of the form that can be embedded or used for reference
When creating a styled form;
**/

public function getForm(){
return '<p>The getForm() function needs to be overridden</p>';
}



}
?>


Sorry it's so long. The company that developed the site are now not really helping at all; they said this:

"Just follow the send routine and you’ll see the essential Spammer blocking routines.
This is rudimentary PHP programming so I’m sure your development team will update this to the new server environment."

Unfortunately I have absolutely no idea what to do next (and David is skiing in Austria)

If anyone could point me in the right direction I would be really, really grateful.

Many thanks

vee
« Last Edit: January 29, 2012, 12:46:37 PM by sponna »
Jem
« Reply #1 on: January 26, 2012, 12:36:24 PM »

It's this bit:

Code:
public static function checkUserAgent(){
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:   
global $HTTP_USER_AGENT;

if(!isset($HTTP_USER_AGENT)){
echo ("Intercept #4 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #4 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;
}
}

Reliant on register_globals being on, which is v. bad practice...

Try changing it to:

Code:
public static function checkUserAgent(){
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:   
if(!isset($_SERVER['HTTP_USER_AGENT'])){
echo ("Intercept #4 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #4 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;
}
}
sponna
« Reply #2 on: January 26, 2012, 12:44:42 PM »

Hi

Just a quick update

If you look at the site now you won't see the error; I have just removed the contact form, as this was the quickest way to get the site back running.

sponna
« Reply #3 on: January 26, 2012, 12:45:45 PM »

Hi Jem

Thanks for that, I will give it a try.

Vee
sponna
« Reply #4 on: January 26, 2012, 12:51:38 PM »

Thanks Jem that fixed it.

I am so grateful for your help. The company that transferred the site to us just came back and said they would only help further if we hired them to do so!

The site is now displaying fine and I just need to test it's working.

Thanks again :)
Jem
« Reply #5 on: January 26, 2012, 01:23:16 PM »

Based on that code? I wouldn't hire them even if I was desperate.

Tidied it up further, removed more stuff reliant on register_globals that would have prevented it from working:

Code:
<?php 
abstract class contactForm{

protected $error = '';
protected $success = '';

protected $isPosted = false;
protected $adminEmail = "";

protected $spamblocked = false;
protected $spammessage = NULL;

protected static $spamReportEmail = "snip";
protected static $sitename = "hallgrenclinic";

protected static $additionalEmailTo = "snip";

public function __construct(){



}

public function setEmailTo($email){
$this->adminEmail = $email;
}

public function sendEmail($subject,$content){


$headers = 'Content-Type: text/plain; charset="iso-8859-1"' ."\r\n";
$headers .= 'Content-Transfer-Encoding: 7bit ' ."\r\n";
$headers .= 'From: '.$this->adminEmail.'';

if(!mail($this->adminEmail, $subject,$content,$headers)){
$this->appendError('<p>Error Sending Message</p>');
}else{
$this->appendSuccess('<p>Message Sent</p>');

}

if(!mail(contactForm::$additionalEmailTo, "Toucan CC: Hallgren Quick Contact Submission",$content,$headers)){
$this->appendError('<p>Error Sending Message</p>');
}
}

public function setPosted($bool){
$this->isPosted = $bool;
}
public function isPosted(){
return $this->isPosted;
}

public function getPostVars(){}

public function processSubmit(){}


public function getError(){
return $this->error;
}

public function getSuccess(){
return $this->success;
}

public function appendError($error){

if(isset($error) && $error != ""){

$this->error .= $error;

}

}




public static function fullSpamBlock($authHosts = array()){

contactForm::checkUserAgent();
contactForm::checkFormPosted();
contactForm::checkAuthorisedHosts($authHosts);
contactForm::checkBadStrings($authHosts);
}


public static function checkFormPosted(){

// Make sure the form was indeed POST'ed:
//  (requires your html form to use: action="post") 

if(isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] == "POST"){
echo ("Intercept #1 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #1 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;    
}

}

public static function checkUserAgent(){
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:    

if(!isset($_SERVER['HTTP_USER_AGENT'])){
echo ("Intercept #4 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #4 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;
}
}

public static function checkAuthorisedHosts($authHosts = array()){


if(isset($_POST)){
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));

// Test to see if the $fromArray used www to get here.
$wwwUsed = false;
if(isset($fromArray['host'])){
$wwwUsed = strpos($fromArray['host'], "www.");
}
//echo ("From:".$wwwUsed."<br>");
// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){
//   logBadRequest();
//   header("HTTP/1.0 403 Forbidden");
echo ("Intercept #2 - Bye Bye Spammer");
mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #2 activated");
die("Forbidden - You are not authorized to view this page");
   exit;
}
}
}

public static function checkBadStrings(){


if(isset($_POST)){
$badStrings = array("Content-Type:",
 "MIME-Version:",
 "Content-Transfer-Encoding:",
 "bcc:",
 "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){

   foreach($badStrings as $v2){

   if(strpos($v, $v2) !== false){

   echo ("Intercept #3 - Bye Bye Spammer");
   mail(contactForm::$spamReportEmail,contactForm::$sitename, "Intercept #3 activated");
   die("Forbidden - You are not authorized to view this page");
   exit;
   
   }
   }

}

}

public function appendSuccess($success){

if(isset($success) && $success != ""){

$this->success .= $success;

}

}

public function isError(){
if($this->error == ''){
return false;
}else{
return true;
}
}

public function isSuccess(){
if($this->success == ''){
return false;
}else{
return true;
}
}

public function isErrorOrSuccess(){

if($this->isSuccess() || $this->isError()){
return true;
}else{
return false;
}

}

/**
This gets a completely unstyled version of the form that can be embedded or used for reference
When creating a styled form;
**/

public function getForm(){
return '<p>The getForm() function needs to be overridden</p>';
}

}

You could do worse than replace that altogether though - some shockingly bad code dressed up in a class in an attempt to make it look modern/up to date no doubt.
sponna
« Reply #6 on: January 26, 2012, 01:27:29 PM »

Hi Jem,

Thanks for that, I think we will look at replacing this whole contact script.

They have not impressed me at all - they set up what should have been a simple dental site in an extremely complex way

I really do appreciate your help.

Vee
suedenem
« Reply #7 on: January 26, 2012, 02:02:48 PM »

Do you want any messages going through to those email addresses?  You might want to look into changing that.
« Last Edit: January 27, 2012, 11:10:17 AM by suedenem »
sponna
« Reply #8 on: January 26, 2012, 03:39:35 PM »

Thanks, I have changed that. I should have deleted those before posting it, but I was so desperate to get the site back online for the client that I missed it.

We will definitely need to replace this code as soon as possible

When I put the rest of the cleaned-up code from Jem in place the server was mailing me error reports about every two minutes, so I swapped back to just the first fix, as at least this gives me the site online.

We should be able to start getting things put right for her now

Thanks for all the help, I really am very grateful :)
Jem
« Reply #9 on: January 26, 2012, 05:08:23 PM »

^ hence my comment about replacing it - seems a bit counter-productive to email spam reports when spam email is exactly what they were trying to prevent in the first place!

I can remove those bits for you if you want, at least then you have a working contact form..
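As an added example (not code from the thread, the site or Jem), here are the class's four spam checks written against the superglobals Jem switched to, with the POST test the right way round (the class rejects the request when the method is POST), a Referer check that tolerates a missing header, a header-injection test on the submitted values, and a local log entry instead of the per-hit spam-report e-mail that reply #9 calls counter-productive. It assumes PHP 7.1 or later; spamCheck(), rejectSpam() and ALLOWED_HOSTS are hypothetical names.

```php
<?php
// Added example, not code from the thread, the site or Jem: the four spam checks
// rewritten against superglobals only. spamCheck(), rejectSpam() and ALLOWED_HOSTS
// are hypothetical names; requires PHP 7.1+ (nullable return types).

const ALLOWED_HOSTS = ['hallgrenclinic.com']; // a leading "www." is stripped before comparing

// Returns null when the request passes, otherwise a short reason for rejecting it.
function spamCheck(array $server, array $post, array $allowedHosts = ALLOWED_HOSTS): ?string
{
    // 1. The form must arrive by POST. The original class did the opposite and
    //    rejected the request *when* the method was POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';
    }
    // 2. Ordinary browsers always send a User-Agent header.
    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        return 'user-agent';
    }
    // 3. Referer: enforce the host only when the header is present; browsers and
    //    privacy settings legitimately drop it, so its absence is not spam evidence.
    if (isset($server['HTTP_REFERER'])) {
        $host = strtolower((string) parse_url($server['HTTP_REFERER'], PHP_URL_HOST));
        $host = preg_replace('/^www\./', '', $host);
        if ($host !== '' && !in_array($host, $allowedHosts, true)) {
            return 'referer';
        }
    }
    // 4. Header injection: a CR/LF, or one of the class's "bad strings" at the start
    //    of a value, would let a submitted field add Bcc:/Cc: lines once it reaches mail().
    foreach ($post as $value) {
        if (!is_string($value)) {
            return 'non-scalar';
        }
        if (preg_match('/[\r\n]/', $value)
            || preg_match('/^\s*(content-type|mime-version|content-transfer-encoding|bcc|cc):/i', $value)) {
            return 'header-injection';
        }
    }
    return null;
}

// Record the rejection in the server log and answer 403; no e-mail per rejected
// request, the behaviour reply #9 calls counter-productive.
function rejectSpam(string $reason): void
{
    error_log(sprintf('contact form rejected (%s) from %s', $reason, $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(403);
    exit('Forbidden');
}

if (($reason = spamCheck($_SERVER, $_POST)) !== null) {
    rejectSpam($reason);
}
```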
vee
« Reply #10 on: January 27, 2012, 11:54:41 AM »

Thanks Jem (I remembered my own login :)

After talking to the client she does not even want the functionality and would rather people just telephoned or emailed rather than sending call-back requests, so I will be taking it off. If she did decide she wanted some sort of quick contact form I would set up a new one for her using our usual scripts.

I really do appreciate your help. It is a tricky situation when you commit to take something over and then it is not what it first seems.

Thanks again

Jem
« Reply #11 on: January 28, 2012, 05:19:51 PM »

No probs, glad you're all sorted :)
sponna
« Reply #12 on: January 29, 2012, 12:43:58 PM »

Jem - Dave here, just back from skiing (feeling guilty!). I followed the conversations on Blackberry and I'd just like to add my thanks as well. Really appreciate you helping out. Please send us your PayPal mail and we'll bung you the price of a decent meal over as a thank you. Also lessons learned here: I should have audited the site before accepting the transfer and not just relied on the original provider's promises. They were appalling and extremely unhelpful even though they promised the client (and us) full support for the transfer.

All good now, although we will need to update the site at some point as it's all-round shoddy.

Dave
« Last Edit: January 29, 2012, 12:50:22 PM by sponna »
Jem
« Reply #13 on: January 30, 2012, 09:01:06 AM »

Don't be daft :) just glad to help!
sponna
« Reply #14 on: February 01, 2012, 08:51:14 AM »

Thanks again :)