Drummin Posted November 21, 2011

Hello, I have a client with a "contact us" form who has recently been receiving a lot of spam emails from the form. I already have a session set in place so the form is only active one time. I am now creating a filter for the message to look for things like a URL or BB-style codes etc. What I've got seems to be working, but I would like your thoughts on maybe a better way of doing it, or if you see something I may be missing. If offending text is detected, the IP address is sent to me and I can block the IP from the site. If the message passes, it is sent to the client. This is the related code.

<?php
// Convert carriage returns to <br> for the e-mail body.
$themessage = str_replace("\r", '<br>', $_POST['message']);

// Fragments a genuine contact message rarely contains (strpos() is
// case-sensitive, so "HTTP://" would not be caught).
$badwords = array("[", "url", "http", "link", ".com", ".net", ".org", ".biz", "<");

$o = 0;
foreach ($badwords as $key2 => $value2) {
    $pos = strpos($themessage, $value2);
    // strpos() returns false when the fragment is absent and 0 when it is
    // found at offset 0; false == 0 in PHP, so compare strictly against
    // false or a message that starts with "http://" is counted as clean.
    if ($pos !== false) {
        $o = $o + 1;
    }
}

if ($o == 0) {
    //compose and send email to client
} else {
    $useraddress = $_SERVER['REMOTE_ADDR'];
    //compose and send email to me containing offending address
}
?>
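A content filter along the lines the post above describes, written here as an added example rather than code from the thread. It goes a little beyond the posted snippet: the substring check is case-insensitive and compared strictly against false, a few regular expressions cover links, BBCode and HTML tags, and the function reports why a message was flagged instead of just counting hits. The fragment list, the patterns and the sample messages are constructed for illustration.

```php
<?php
// Added example (not the original poster's code): a content filter that
// returns the reasons a contact message looks like spam, or an empty array
// if it looks clean. Fragment list, patterns and sample messages are
// constructed for illustration.

function spam_reasons(string $message): array
{
    $reasons = [];

    // Literal fragments, matched case-insensitively with stripos(). The
    // result is compared strictly with false: a fragment found at offset 0
    // returns 0, and 0 == false in PHP, so a loose "== 0" test would pass
    // a message that begins with "http://".
    $fragments = ['http', 'www.', '.com', '.net', '.org', '.biz'];
    foreach ($fragments as $frag) {
        if (stripos($message, $frag) !== false) {
            $reasons[] = "contains \"$frag\"";
        }
    }

    // Structures a plain-text enquiry rarely contains.
    $patterns = [
        'url'      => '~\bhttps?://\S+~i',                   // http:// or https:// link
        'bbcode'   => '~\[/?(url|link|img|b|i)\b[^\]]*\]~i',  // [url=...], [/url], [b] ...
        'html_tag' => '~<\s*/?\s*[a-z][^>]*>~i',             // <a href=...>, </b> ...
    ];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $message) === 1) {
            $reasons[] = $name;
        }
    }

    return $reasons;
}

// Constructed sample messages.
$samples = [
    'Hi, I would like a quote for a bathroom remodel. Thanks, Sam',
    'HTTP://EXAMPLE.COM cheap pills',                 // upper case: a case-sensitive strpos("http") misses it
    'http://example.com/buy starts the message',      // fragment at offset 0
    'Check [url=http://example.org]this[/url] out',
    'Nice site <a href="http://example.net">click</a>',
];

foreach ($samples as $msg) {
    $why = spam_reasons($msg);
    printf("%-52s %s\n", $msg, $why ? 'flag: ' . implode(', ', $why) : 'ok');
}
```

Run it from the command line with php; the first sample comes back clean, the other four are flagged with the fragment or pattern that matched. Keep in mind that a substring list like this still trips on innocent words (an address in the body, "www." in a company name), so flagged messages are better held for review than silently dropped.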
Pikachu2000 Posted November 21, 2011

More importantly, do you have logic in place to prevent email header injection?
Drummin (Author) Posted November 21, 2011

Well, I have each post of the form validated with different preg_match IF statements like the one below. If any of them don't pass, we don't move on to the filter check/email section. Not sure if this is enough though.

if (preg_match('/([a-zA-Z]{2,200})/', $_POST['message']))
requinix Posted November 22, 2011

It's more complicated than that. Can you post your entire code?
xyph Posted November 22, 2011

CAPTCHA was designed for this. Though it's not foolproof, it's hard. Generally, if the form is only going to one person, it's not worth breaking a service like reCAPTCHA.
Drummin (Author) Posted November 22, 2011

I thank you for the replies. As far as email injection, I don't know if that applies in this case, as who the emails are sent to and who they're from is not related to the form at all. There is a small group of recipients (added by the client) stored in an array, to whom the message is sent, and it's sent from the domain email address. I will post the relevant code leading up to where the filter is anyway.

<?php
// session_start() must run before $_SESSION is read; the post above says a
// session is already set up, so this call is assumed to exist earlier on the page.
session_start();

if (isset($_POST['submit']) && $_POST['submit'] == "Submit") {
    //name
    if (!empty($_POST['name'])) {
        if (preg_match('/([a-zA-Z]{2,20})/', $_POST['name'])) {
            $nbad = 'f';
        } else {
            $nbad = 't';
            $showform = 't';
            $nmessage = "<span class=\"error\">Two letters or more required</span>";
        }
    } else {
        $nbad = 't';
        $showform = 't';
        $nmessage = "<span class=\"error\">Please add your name</span>";
    }

    //email
    if (!empty($_POST['email'])) {
        if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
            $ebad = 'f';
        } else {
            $ebad = 't';
            $showform = 't';
            $emessage = "<span class=\"error\">E-mail is not valid</span>";
        }
    } else {
        $ebad = 't';
        $showform = 't';
        $emessage = "<span class=\"error\">Please enter an Email Address</span>";
    }

    //subject
    if (!empty($_POST['subject'])) {
        if (preg_match('/([a-zA-Z]{2,20})/', $_POST['subject'])) {
            $sbad = 'f';
        } else {
            $sbad = 't';
            $showform = 't';
            $smessage = "<span class=\"error\">Two letters or more required</span>";
        }
    } else {
        $sbad = 't';
        $showform = 't';
        $smessage = "<span class=\"error\">Please add a subject</span>";
    }

    //message
    if (!empty($_POST['message'])) {
        if (preg_match('/([a-zA-Z]{2,200})/', $_POST['message'])) {
            $mbad = 'f';
        } else {
            $mbad = 't';
            $showform = 't';
            $mmessage = "<span class=\"error\">Two letters or more required</span>";
        }
    } else {
        $mbad = 't';
        $showform = 't';
        $mmessage = "<span class=\"error\">Please add a message</span>";
    }

    //IF values good
    if ($nbad == 'f' && $ebad == 'f' && $sbad == 'f' && $mbad == 'f' && !isset($_SESSION['showform'])) {
        // the filter check and e-mail sending from the first post go here
    }
}
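The header-injection question raised earlier in the thread, as an added example that is not part of any post: mail() places the subject and each extra header on its own line of the message, so a CR or LF inside a submitted value that reaches a header is how a sender appends headers of their own (a Bcc: list, a second To:). The validation below repeats the thread's "two letters or more" and FILTER_VALIDATE_EMAIL checks and adds a line-break check on the name and subject fields, which a letter-count regex alone does not reject. The field names, the helper names, the fixed From: address and the two sample submissions are constructed for illustration.

```php
<?php
// Added example (not from the thread): rejecting e-mail header injection in a
// contact form. Field names, helper names, the fixed From: address and the
// sample submissions are constructed for illustration.

/**
 * True if the value may be placed on a mail header line: no CR, LF or NUL.
 * A newline inside a subject or address is what lets a sender append
 * headers of their own (Bcc:, a second To:, ...).
 */
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate the submitted fields: the thread's "two letters or more" and
 * FILTER_VALIDATE_EMAIL checks, plus the header check on every value that
 * will end up in a header. Returns error messages; empty means it may be sent.
 */
function validate_contact(array $post): array
{
    $errors = [];

    foreach (['name', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (!preg_match('/[a-zA-Z]{2,20}/', $value)) {
            $errors[] = "$field: two letters or more required";
        } elseif (!header_safe($value)) {
            // "Quote\r\nBcc: x@example.net" passes the letter check above
            $errors[] = "$field: line breaks are not allowed";
        }
    }

    // FILTER_VALIDATE_EMAIL rejects addresses containing CR/LF, so an
    // address that passes it can be used in Reply-To.
    $email = $post['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    // The body may contain line breaks; it is never placed in a header.
    if (!preg_match('/[a-zA-Z]{2,200}/', $post['message'] ?? '')) {
        $errors[] = 'message: two letters or more required';
    }

    return $errors;
}

/**
 * Headers for mail(), to be built only after validate_contact() returned no
 * errors. From: is the site's own fixed address, as in the thread; the
 * visitor's address appears only in Reply-To.
 */
function build_headers(string $replyTo): string
{
    return "From: contact@example.invalid\r\n"
         . "Reply-To: $replyTo";
}

// Constructed submissions: one clean, one carrying an injected Bcc: header.
$clean = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.org',
    'subject' => 'Quote request',
    'message' => 'Please call me about a quote.',
];
$injected = $clean;
$injected['subject'] = "Quote request\r\nBcc: spam-target@example.net";

foreach (['clean' => $clean, 'injected' => $injected] as $label => $post) {
    $errors = validate_contact($post);
    if ($errors) {
        echo $label, ': ', implode('; ', $errors), "\n";
    } else {
        echo $label, ': ok, headers: ', str_replace("\r\n", ' | ', build_headers($post['email'])), "\n";
    }
}
```

The injected submission passes the letter-count check (its subject still contains "Quote") and is only stopped by header_safe(). Keeping the recipient list and the From: address fixed, as the post above does, removes the most direct injection path; the check here covers the remaining one, a submitted value that is copied into the subject or into a Reply-To header.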