Is this safe from spam?

I have a form that I use for people to contact me through my website. Can someone look at it to see if it is safe from being used for spam? I really don’t want to be the cause of DreamHost being nailed for spam…

The contents of contact.php are what would determine if it’s safe or not. I’d actually advise against posting the source of it for inspection as long as it’s on your site and can be exploited… just in case.

If it checks for (and blocks) code-injection attempts, makes sure that mail can’t go to anyone but you, etc… it shouldn’t be a problem.

If you’re not sure, I’d probably recommend using DH’s pre-installed script, since it’s just a simple contact form. They probably won’t yell at you if their own script turns around and bites them. :wink:

You can check out their form-to-mail script at

The php file has my email in the code but it doesn’t do any checking beyond making sure the email field is filled.

If there’s no code in there to check what’s passed onto it, I’d definitely advise against using it.

Otherwise, people can do neat stuff like enter their Viagra ad in your comments section, then inject a Bcc: header to send it to their spam list.

For a simple form like that, you really don’t need anything more than what DH offers in theirs. Plus, they will stay on top of it. Even if your script had a security hole in it, and you fixed it today, it wouldn’t mean that someone else wouldn’t find a way to cause damage another way later in the week.

If it is php you could add something similar:


This will remove anything between the less-than and greater-than symbols (<, >), and if the greater-than symbol is missing, then everything after the less-than symbol will be removed.
However, for a text box where a user may want to use the less-than or greater-than symbol, you could use:


This will convert <, >, ", ' to & lt, & gt, & quot (I had to place a space between the & and the code for it to display in this forum) plus others I don’t remember. :frowning:

Here is a chunk of the php (I would rather post it than have it be screwed with)

// get posted data into local variables
$From = "Web User";
$To = "";
$About = "Contact Form";
$Name = Trim(stripslashes($_POST['Name']));
$Address = Trim(stripslashes($_POST['Address']));
$City = Trim(stripslashes($_POST['City']));
$State = Trim(stripslashes($_POST['State']));
$Zip = Trim(stripslashes($_POST['Zip']));
$Phone = Trim(stripslashes($_POST['Phone']));
$Email = Trim(stripslashes($_POST['Email']));
$Date = Trim(stripslashes($_POST['Date']));
$Location = Trim(stripslashes($_POST['Location']));
$Text = Trim(stripslashes($_POST['Text']));

// validation: the only check is that the email field is not empty
$validationOK=true;
if (Trim($Email)=="") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
exit;
}

All email from this form has "Web User" as the "From".

I don’t use any user form entered data to form the message header. Does that make this safe?
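
The two checks the replies describe (mail can go only to the site owner, and no submitted value can add a header such as Bcc:), as an added example that is not part of the thread or anyone's posted script. `OWNER_ADDRESS`, `has_line_break()` and `build_contact_mail()` are hypothetical names, the addresses are placeholders, and the sample submissions are constructed.

```php
<?php
// Added example: build the arguments for mail() from a contact form so that
// no submitted value can add a header or change the recipient.

const OWNER_ADDRESS = 'owner@example.com'; // placeholder; never taken from the form

function has_line_break(string $value): bool
{
    // A CR or LF inside a header value is what allows an extra header line.
    return preg_match('/[\r\n]/', $value) === 1;
}

function build_contact_mail(array $post): ?array
{
    $name  = trim($post['Name'] ?? '');
    $email = trim($post['Email'] ?? '');
    $text  = trim($post['Text'] ?? '');

    // Single-line fields: reject outright rather than try to clean them up.
    if ($email === '' || has_line_break($name) || has_line_break($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Fixed From; the visitor's validated address appears only in Reply-To.
    $headers = "From: Web User <" . OWNER_ADDRESS . ">\r\n"
             . "Reply-To: " . $email;

    // Free text goes in the body only, where line breaks are harmless.
    $body = "Name: $name\n\n$text";

    return [OWNER_ADDRESS, 'Contact Form', $body, $headers];
}

// Constructed sample submissions: one ordinary, one carrying an extra header line.
$samples = [
    'normal'   => ['Name' => 'Pat', 'Email' => 'pat@example.org', 'Text' => "Hi,\nplease call me."],
    'injected' => ['Name' => 'Pat', 'Email' => "pat@example.org\r\nBcc: list@example.net", 'Text' => 'ad text'],
];

foreach ($samples as $label => $post) {
    $args = build_contact_mail($post);
    echo $label, ': ', $args === null ? 'rejected' : 'accepted, recipient ' . $args[0], "\n";
    // On a live form: if ($args !== null) { mail(...$args); }
}
```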