Email enquiry problem

Hi there,

I have programmed a simple online enquiry form with a captcha.
All form elements are client-side validated:
Name required, number (regexp), email (regexp), characters not allowed in message (regexp).

But I am still receiving the following enquiries, and am confused as to how I can stop this.


A user pmjxvlo submitted the contact form:

Name: pmjxvlo
Email: vleijk@phcdiv.com
Contact Number: EPTvsDBCkphwDlVEh

Message:
pedZAR <a href="http://feethehrhml.com/">ferhthghrhejxml</a>, [link=http://spammylink.com/]spammylink[/link], [link=http://spammylink.com/]thehrhthrheh[/link], [noparse]http://birhthrhehrhz.com/[/noparse]

IP: 91.232.96.8

Looks like you need better data filtering. Feel free to show us the code you are using currently.

Client-side is jQuery validation.

<label>Name:</label><input name="name" type="text" value='<?php echo htmlentities($name) ?>' class="validate[required] text-input" />
<label>Email:</label><input name="email" type="text" value='<?php echo htmlentities($visitor_email) ?>' class="validate[required,custom[email]] text-input"/>
<label>Phone:</label><input name="phone" type="text" value='<?php echo htmlentities($visitor_phone) ?>' class="validate[required,custom[phone]] text-input"/>
<label>Message:</label><textarea name="message" rows="8" cols="50" class="validate[required,custom[onlyLetterNumber]] text-area"><?php echo htmlentities($user_message) ?></textarea>

Calling the relevant regexps:
                "phone": {
                    // credit: jquery.h5validate.js / orefalo
                    "regex": /^([\+][0-9]{1,3}[\ \.\-])?([\(]{1}[0-9]{2,6}[\)])?([0-9\ \.\-\/]{3,20})((x|ext|extension)[\ ]?[0-9]{1,4})?$/,
                    "alertText": "* Invalid phone number"
                },
                "email": {
                    // HTML5 compatible email regex ( http://www.whatwg.org/specs/web-apps/current-work/multipage/states-of-the-type-attribute.html#e-mail-state-%28type=email%29 )
                    "regex": /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/,
                    "alertText": "* Invalid email address"
                },
                "onlyLetterNumber": {
                    "regex": /^[0-9a-zA-Z' ]+$/,
                    "alertText": "* No special characters allowed"
                },

Also, the server side double-checks the message using the following function.

function IsInjected($str)
{
    // Patterns that would let a submitted value start a new mail header:
    // raw newline, carriage return and tab, plus their URL-encoded forms (and %08 backspace).
    $injections = array('(\n+)',
        '(\r+)',
        '(\t+)',
        '(%0A+)',
        '(%0D+)',
        '(%08+)',
        '(%09+)'
    );
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if (preg_match($inject, $str)) {
        return true;
    } else {
        return false;
    }
}

Ultimately, JS is useless for validation, as it can simply be turned off. It can enhance the form, but is not enough on its own. The PHP $injections code is pretty light on, as it doesn’t check for much. You can write complex regular expressions for fields like name and email, or you can use some PHP defaults, like

filter_var($_POST['name'], FILTER_SANITIZE_STRING)

and

filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)
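
The following is an added example and not code from either poster: a PHP validator that re-applies the form's own rules (name required, phone regexp, email check, letters/digits/apostrophe/space in the message, and the header-injection test from IsInjected) on the server, so a POST that never went through the browser is still checked. The field names match the form above; validateEnquiry, the constants and the sample submissions are this example's own, and the "legitimate" submission is constructed. It uses FILTER_VALIDATE_EMAIL rather than FILTER_SANITIZE_STRING because the latter is deprecated since PHP 8.1; note also that in the spam quoted above the name and email fields would pass, and only the phone and message fields fail, so the regexps stop this bot because it stuffed junk into every field, not because they recognise spam.

```php
<?php
// Added example (not the original poster's code): server-side re-validation of the
// enquiry form. Field names (name, email, phone, message) match the form; the
// function, constants and sample data are assumptions made for this example.

declare(strict_types=1);

// Same patterns the jQuery rules use, so the server is at least as strict as the page.
const PHONE_RE   = '/^([\+][0-9]{1,3}[\ \.\-])?([\(]{1}[0-9]{2,6}[\)])?([0-9\ \.\-\/]{3,20})((x|ext|extension)[\ ]?[0-9]{1,4})?$/';
const MESSAGE_RE = '/^[0-9a-zA-Z\' ]+$/';
// Header-injection check equivalent to IsInjected(): CR/LF and tab, raw or URL-encoded, plus %08.
const INJECT_RE  = '/(\n+)|(\r+)|(\t+)|(%0A+)|(%0D+)|(%08+)|(%09+)/i';

/**
 * Validate a submitted enquiry. Returns an array of error strings; an empty array means OK.
 * Values are trimmed first; lengths are capped because the regexps alone do not bound size.
 */
function validateEnquiry(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name']    ?? ''));
    $email   = trim((string)($post['email']   ?? ''));
    $phone   = trim((string)($post['phone']   ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name: required, max 100 characters';
    }
    // FILTER_VALIDATE_EMAIL rejects malformed addresses; it does not prove the mailbox exists.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: invalid address';
    }
    if (!preg_match(PHONE_RE, $phone)) {
        $errors[] = 'phone: invalid phone number';
    }
    if ($message === '' || strlen($message) > 2000 || !preg_match(MESSAGE_RE, $message)) {
        $errors[] = 'message: only letters, digits, apostrophe and space allowed';
    }
    // Anything that ends up in a mail header (From:, Subject:, Reply-To:) must carry no line breaks.
    foreach (['name' => $name, 'email' => $email, 'phone' => $phone] as $field => $value) {
        if (preg_match(INJECT_RE, $value)) {
            $errors[] = "$field: line break or control character rejected";
        }
    }
    return $errors;
}

// Constructed inputs: the spam submission quoted in the thread, and a made-up legitimate one.
$spam = [
    'name'    => 'pmjxvlo',
    'email'   => 'vleijk@phcdiv.com',
    'phone'   => 'EPTvsDBCkphwDlVEh',
    'message' => 'pedZAR <a href="http://feethehrhml.com/">ferhthghrhejxml</a>, [link=http://spammylink.com/]spammylink[/link]',
];
$legit = [
    'name'    => 'Jane Smith',
    'email'   => 'jane@example.com',
    'phone'   => '+61 2 9999 1234',
    'message' => 'Please call me about the quote',
];

foreach (['spam' => $spam, 'legit' => $legit] as $label => $submission) {
    $errors = validateEnquiry($submission);
    echo $label . ': ' . ($errors ? "REJECTED\n  " . implode("\n  ", $errors) : 'accepted') . "\n";
}
```

Run it with `php validate.php`; the spam entry is rejected on the phone and message fields, the legitimate one is accepted. In the real handler, call validateEnquiry($_POST) before building the mail and redisplay the form with the errors instead of sending.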

No JavaScript!
Of course, why did I not think of the obvious?

Thanks for that, will tighten up server-side.