<?php
/********************************************************************
 * FOUND SOMETHING WRONG WITH THIS SCRIPT???
 * FOUND A WAY TO IMPROVE THIS SCRIPT???
 * Let me know! Just drop me an email. - cs@kainaw.com
 ********************************************************************
 * There is no license fee or cost for copying and using this code.
 * Please use it everywhere you would normally use the normal PHP
 * mail() function. Have your friends (and enemies) use it as well.
 * Together, we can cut down on spam injection.
 ********************************************************************
 * This file contains one function: as_mail()
 * The as_mail() function is purposely made to function identically
 * to the normal PHP mail() function. All parameters are the same
 * and accept the same values. The return value is still boolean,
 * true if the mail is sent and false if it is not.
 * An added (global) variable, $AS_MAIL_ERROR, is used to get the
 * reason as_mail refuses to send an email. The reasons are:
 *   1) The $to field is not a single valid email address.
 *   2) The $subject field contains newlines.
 *   3) The $subject or $message contains header fields.
 *   4) The $additional_headers contains invalid headers.
 ********************************************************************
 * There are some limitations that must be accepted to effectively
 * catch malicious use of the mail function.
 *   1) Percent-encoded (hex) sequences in every argument are decoded
 *      into the characters they represent before the checks run.
 *   2) The $to field cannot contain multiple email addresses.
 *      However, you can call as_mail once for each address you want
 *      to send an email to.
 *   3) The $subject and $message cannot contain the header fields:
 *        Content-Transfer-Encoding
 *        MIME-Version
 *        Content-Type
 *   4) The $additional_headers cannot contain extra To, CC, or BCC
 *      header fields, nor a blank line (which would end the headers
 *      and start a second message body).
 ********************************************************************/

$AS_MAIL_ERROR = ""; // A variable to store the reason for refusing to send mail

function as_mail($to, $subject, $message, $additional_headers = "", $additional_parameters = "")
{
    global $AS_MAIL_ERROR;

    // Decode hex code (%0D%0A and friends) so that encoded newlines and
    // header names are visible to the checks below. mail() itself never
    // decodes, so a double-encoded value (%250D) stays a literal "%0D".
    $to = urldecode($to);
    $subject = urldecode($subject);
    $message = urldecode($message);
    $additional_headers = urldecode($additional_headers);
    $additional_parameters = urldecode($additional_parameters);

    // Ensure the TO field is exactly one valid email address.
    // preg_match() replaces the original eregi(), which was removed in PHP 7.
    // The domain part is written without the nested quantifier of the original
    // pattern; it accepts the same addresses but cannot backtrack explosively.
    if (!preg_match('/^[a-z0-9]+([_.-][a-z0-9]+)*@[a-z0-9]+([.-][a-z0-9]+)*\.[a-z]{2,6}$/i', $to)) {
        $AS_MAIL_ERROR = "Invalid 'to' email address: " . $to;
        return false;
    }

    // SUBJECT cannot contain newlines: a newline here would start a new header line
    if (preg_match('/[\r\n]/', $subject)) {
        $AS_MAIL_ERROR = "Subject contains newlines: " . $subject;
        return false;
    }

    // Check SUBJECT and MESSAGE for header fields (stripos is case-insensitive)
    $headers = array("Content-Transfer-Encoding", "MIME-Version", "Content-Type");
    foreach ($headers as $header) {
        if (stripos($subject . $message, $header) !== false) {
            $AS_MAIL_ERROR = "Subject or message contains the header field $header";
            return false;
        }
    }

    // A blank line in ADDITIONAL_HEADERS ends the header block and lets the
    // attacker append a second body. Sendmail-style MTAs also accept bare LF
    // line endings, so both "\r\n\r\n" and "\n\n" are refused.
    if (preg_match('/(\r?\n){2}/', $additional_headers)) {
        $AS_MAIL_ERROR = "Additional Headers contains a blank line";
        return false;
    }

    // Check ADDITIONAL_HEADERS for header fields that add recipients.
    // "To:" is matched as a substring, so "Reply-To:" is refused as well.
    $headers = array("To:", "CC:", "Bcc:");
    foreach ($headers as $header) {
        if (stripos($additional_headers, $header) !== false) {
            $AS_MAIL_ERROR = "Additional Headers contains the header field $header";
            return false;
        }
    }

    return mail($to, $subject, $message, $additional_headers, $additional_parameters);
}
?>
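The following is an added example, not part of as_mail.php, showing the classic mail header injection that as_mail() is meant to stop and how the function reacts to it. It assumes the code above is saved as as_mail.php next to the script; the attacker inputs are constructed inline, in the shape a contact form's "your email" field would deliver them, including a percent-encoded variant that only turns into CRLF plus "Bcc:" after the urldecode() step.

```php
<?php
// Added example (not part of as_mail.php). Assumes as_mail.php is in the
// same directory; the payloads below are constructed for illustration.
require_once __DIR__ . '/as_mail.php';

// Attacker-controlled value that a naive form handler splices into a header.
$payloads = array(
    'raw CRLF + Bcc'     => "user@example.com\r\nBcc: victim@example.net",
    'encoded CRLF + Bcc' => "user@example.com%0D%0ABcc%3A victim@example.net",
    'blank line + body'  => "user@example.com\n\nUnsolicited body text",
    'clean address'      => "user@example.com",
);

// The vulnerable pattern: the field goes straight into the From: header.
// Returned, not sent, so the injected line can be shown.
function naive_headers($email)
{
    return "From: " . $email . "\r\n";
}

foreach ($payloads as $label => $email) {
    echo "== $label ==\n";
    // What a direct mail() call would hand to the MTA (line breaks shown escaped)
    echo "naive header block: " . addcslashes(naive_headers($email), "\r\n") . "\n";

    // Same input through as_mail(); $AS_MAIL_ERROR explains a refusal.
    $AS_MAIL_ERROR = "";
    $ok = as_mail("owner@example.com", "Contact form", "Hello", "From: " . $email);
    if ($ok) {
        echo "as_mail: checks passed, handed to mail()\n";
    } elseif ($AS_MAIL_ERROR !== "") {
        echo "as_mail: refused: $AS_MAIL_ERROR\n";
    } else {
        echo "as_mail: checks passed but mail() failed (no MTA configured?)\n";
    }
}
```

The first three payloads are refused before mail() is reached (the Bcc: line, the decoded Bcc: line, and the blank line respectively); only the clean address gets through, and on a box with no mail transport mail() itself returns false, which is why the script distinguishes a refusal from a delivery failure. The encoded variant is the reason as_mail() decodes every argument first: a direct splice would pass "%0D%0ABcc%3A" through as literal text, but a substring check on the undecoded value would never see the "Bcc:" it contains.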