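<?php
declare(strict_types=1);

/*
 * Contact-form handler: reads name/email/message from $_POST, strips characters
 * that could be abused for mail-header injection, validates the fields, hands
 * the message to mail() and prints an HTML result.
 *
 * $HTTP_POST_VARS was removed in PHP 5.4 and eregi() in PHP 7.0; this version
 * reads $_POST and uses preg_match() with the same pattern.
 */

// Read a POST field as a string. A non-string value (e.g. name[]=x) is
// treated as missing so the string functions below are never handed an array.
$postField = static function (string $key): string {
    return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : '';
};

$name = $postField('name');
$email = $postField('email');
$message = $postField('message');
$to = "non-malicious@example.net"; // here we set the email to the address we want it to go to.

// Strip \r and \n and a bunch of other naughty characters from every field:
// no piping, separate commands, nested execution, file redirection,
// background processing, special commands, quotes, newlines, or some other
// special characters. Written as a character class because in the old
// alternation form "^" was an anchor and "[|]" a class, so ^, [ and ] were
// never actually removed.
$pattern = '/[;|`><&^"\'\n\r{}\[\]()]/';
$name = preg_replace($pattern, "", $name);
$email = preg_replace($pattern, "", $email);
$message = preg_replace($pattern, "", $message);

// Remove injected headers. The replacement marker doubles as a tamper flag.
$find_bogus = "**bogus header removed**";
$find = ["/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i"];
$email = preg_replace($find, $find_bogus, $email);
$message = preg_replace($find, $find_bogus, $message);
$name = preg_replace($find, $find_bogus, $name);

// Tampered submissions go to another address: this way we never lose an
// email, know when someone is messing with us, and do not bother clients
// with this sort of thing.
if (stripos($message, $find_bogus) !== false
    || stripos($name, $find_bogus) !== false
    || stripos($email, $find_bogus) !== false) {
    $to = "malicious@example.net";
}

$sendthis = "NAME\n$name \n\nEMAIL\n$email \n\nMESSAGE\n$message"; // compose the message

/* Form validation: every field must be non-empty and the Email field must
   look like an address. Emptiness is checked with === '' rather than
   truthiness so a field containing "0" is not rejected. The empty-email
   check comes before the format check so it is actually reachable and the
   user gets the more specific message. */
$emailPattern = '/^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}\z/i';

if (trim($name) === '') {
    echo "<h2 style=\"color: red;\">Please go back and enter a name</h2>";
    echo "<p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
} elseif (trim($email) === '') {
    echo "<h2 style=\"color: red;\">Please go back and enter an email</h2>";
    echo "<p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
} elseif (preg_match($emailPattern, $email) !== 1) {
    echo "<h2 style=\"color: red;\">It appears you entered an invalid email address</h2>";
    echo "<p><a href='javascript: history.go(-1)'>Please go back and enter a valid email address.</a></p>";
} elseif (trim($message) === '') {
    echo "<h2 style=\"color: red;\">Please go back and type a message</h2>";
    echo "<p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
} elseif (mail($to, "contact via the website", $sendthis)) {
    // mail() returning true only means the message was accepted for delivery.
    // The submitted values are HTML-escaped before being echoed back; the
    // destination address is no longer printed, so a tampered submission is
    // not told where it was routed.
    $nameHtml = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $emailHtml = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $messageHtml = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "<h2>Thank You</h2><p>We will be in touch as soon as possible.</p>";
    echo <<<END
<p>$emailHtml</p>
<p>$messageHtml</p>
<p>$nameHtml</p>
END;
} else {
    echo "<h4>An unknown error occured. Please try again.</h4>";
}
?>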
