This is a secure unsubscribe form that is resistant to injection-type attacks and similar vectors. It should be set up behind a valid SSL certificate, in a hardened server environment.
I. Testing Environment
- Download VMware Player for Windows from http://www.vmware.com/download/player/download.html and install it following the on-screen instructions.
- Download LAMP Virtual Machine from TurnkeyLinux.com using one of the following links:
http://www.turnkeylinux.org/download?file=turnkey-lamp-12.1-squeeze-amd64-vmdk.zip
or
http://sourceforge.net/projects/turnkeylinux/files/vmdk/turnkey-lamp-12.1-squeeze-amd64-vmdk.zip/download?use_mirror=iweb
Unzip it and double-click the file: turnkey-lamp-12.1-squeeze-amd64.vmx
- The virtual machine will start and ask for some options such as the root password, the MySQL root password, etc.
Once finished, your computer will have a LAMP virtual machine running.
Record the network parameters that the installation wizard gives so you can access the virtual machine.
II. Installing the scripts
Log into your VM by pointing your browser to the IP address given by the installation wizard; in this example it is 192.168.147.138. NOTE: for the Webmin interface to work you need the Java Runtime Environment (JRE) installed and enabled on the computer that will access the VM remotely.
Click on Webmin to access the login screen.
The username is root and the password is the one you set up when installing the VM; click on Login.
Once inside Webmin click Tools->File Manager
If a window appears titled “Java Update Needed” please select the option “Later”
If a security warning window appears press “Continue”
Now you will need to upload the following files to /var/www on the virtual machine, which is the root of the web server.
• home.html
• filter.js
• filter.php
• form-style.css
• unsubscribe.log
• unsubscribe.txt
NOTE: You can also create a directory under /var/www and install the same files there, but keep in mind the folder name in order to access the scripts; if you do so, keep all the files in the same folder/directory. To upload, use the Upload button in the file manager
or the Webmin menu Tools->Upload and Download.
The files must have the permissions and ownership described in the next section.
III. File permissions and ownership
- home.html, filter.js, filter.php and form-style.css must be owned by root and belong to the root group
- unsubscribe.log and unsubscribe.txt must be owned by the user that runs the web server, in this case www-data, with group www-data; on other platforms the user is nobody
- The file permissions for all the files must be 644 (rw-r--r--)
To verify or change the ownership and permissions, open a command console either from the main web page of the Turnkey VM interface or using SSH:
Log out of Webmin
Enter the IP address of the web server, in this case 192.168.147.138
You will be shown the login screen
Enter the user root and your password
Now enter the following commands:
cd /var/www
ls -la
You will get a listing very similar to this one, showing the owner, group and permissions of each file:
If the ownership is not correct you can fix it by executing the following command:
chown root:root FILE
where FILE is one of home.html, filter.js, filter.php or form-style.css.
For unsubscribe.txt and unsubscribe.log you can execute:
chown www-data:www-data unsubscribe.*
If the files unsubscribe.log and unsubscribe.txt are not present, you can create them and then set the ownership and permissions of all the files with the following commands:
touch unsubscribe.log
touch unsubscribe.txt
chown root:root FILE
where FILE is one of home.html, filter.js, filter.php or form-style.css, and
chown www-data:www-data unsubscribe.*
chmod 644 FILE
where FILE is each of the files that belong to the script.
IV. Installing in production environment
The production environment may differ from the test one, but the following points must be observed:
1. All the files must be in the same directory
2. The file permissions must be 644 (rw-r--r--)
3. The ownership must follow the guidelines described in section III "File permissions and ownership"
HTML Form
Copy and paste the code to home.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Unsubscribe email</title>
<link rel="stylesheet" href="form-style.css" type="text/css" />
</head>
<body onload="document.form1.text1.focus()">
<div class="mail">
<h2>Input an email and Submit</h2>
<form name="form1" action="filter.php" method="post">
<ul>
<li><input type="text" name="text1"/></li>
<li> </li>
<li class="submit"><input type="submit" name="submit" value="Submit" onclick="return ValidateEmail(document.form1.text1)"/></li>
<li> </li>
</ul>
</form>
</div>
<script src="filter.js"></script>
</body>
</html>
CSS
Copy and paste to form-style.css
li {
    list-style-type: none;
    font-size: 16pt;
}
.mail {
    margin: auto;
    padding-top: 10px;
    padding-bottom: 10px;
    width: 470px;
    background: #e9b663;
    border: 1px solid silver;
}
.mail h2 {
    margin-left: 38px;
}
input {
    font-size: 20pt;
}
input:focus, textarea:focus {
    background-color: lightyellow;
}
/* the submit button; "input submit" (descendant selector) would match nothing */
input[type="submit"] {
    font-size: 12pt;
}
.rq {
    color: #FF0000;
    font-size: 10pt;
}
filter.php
Copy and paste to filter.php
<?php
// Uncomment for debugging only; never leave enabled on a production server.
//error_reporting(E_ALL); ini_set('display_errors', '1');
$errors = '';
// Read the submitted address; an empty string if the field is missing.
$email_address = isset($_POST['text1']) ? $_POST['text1'] : '';
// Server-side validation: 6 to 45 characters, local part, @, domain and a 2-3 letter TLD.
// Anything that is not a plain address (markup, newlines, shell metacharacters) is rejected here.
if (preg_match("/^(?=.{6,45}$)[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email_address))
{
    $mylist = "unsubscribe.txt";
    $fh = fopen($mylist, 'a') or die("can't open file");
    // The address has passed the filter, so one line per address is appended to the list.
    $stringData = $email_address . "\n";
    fwrite($fh, $stringData);
    fclose($fh);
    // Escape the value before echoing it back into the page.
    echo "Thanks! Your email " . htmlspecialchars($email_address, ENT_QUOTES, 'UTF-8') . " will be removed from our lists\n";
}
else
{
    // Only a fixed message is logged, never the rejected input, so nothing can be injected into the log.
    $errors .= "\n Error: Invalid email address";
    $mylog = "unsubscribe.log";
    $flh = fopen($mylog, 'a') or die("can't open file");
    $stringlogData = $errors;
    fwrite($flh, $stringlogData);
    fclose($flh);
    // The rejected input is reflected, so it must be escaped to prevent cross-site scripting.
    echo "Sorry, but your email " . htmlspecialchars($email_address, ENT_QUOTES, 'UTF-8') . " is an invalid email address\n";
}
?>
filter.js
Copy and paste to filter.js
// Client-side check: gives the user immediate feedback, but the server-side
// check in filter.php is the one that enforces the rule.
function ValidateEmail(inputText)
{
    var mailformat = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;
    if (inputText.value.match(mailformat))
    {
        document.form1.text1.focus();
        return true;
    }
    else
    {
        alert("You have entered an invalid email address!");
        document.form1.text1.focus();
        return false;
    }
}
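The client-side rule in filter.js and the server-side rule in filter.php are not the same expression, so some inputs pass one and fail the other. The script below, added here and not part of the original form, runs both rules (copied verbatim; the PCRE pattern is valid JavaScript too) over a constructed sample set and lists where they disagree, which is why the PHP check, not the browser check, is the control that matters.

```javascript
// Server-side rule, copied verbatim from filter.php (PCRE and JavaScript
// share this syntax, including the (?=.{6,45}$) length lookahead).
const SERVER_RULE = /^(?=.{6,45}$)[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i;
// Client-side rule, copied verbatim from filter.js.
const CLIENT_RULE = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;

function validateServer(address) {
  return SERVER_RULE.test(address);
}

function validateClient(address) {
  return CLIENT_RULE.test(address);
}

// Returns one entry per input on which the two rules disagree, so a reviewer
// can see which addresses the browser lets through (or blocks) that the
// server then judges differently.
function disagreements(inputs) {
  return inputs
    .filter((s) => validateClient(s) !== validateServer(s))
    .map((s) => ({ input: s, client: validateClient(s), server: validateServer(s) }));
}

// Constructed sample addresses (not real mailboxes).
const SAMPLES = [
  'user@example.com',              // both accept
  'a@b.co',                        // both accept: exactly 6 characters, 2-letter TLD
  'user@ex_ample.com',             // client accepts (\w allows _), server rejects
  'a'.repeat(40) + '@example.com', // client accepts, server rejects (over 45 characters)
  'user@-example.com',             // server accepts (leading hyphen allowed), client rejects
  'user@example.c0m',              // client accepts (\w allows digits in the TLD), server rejects
  'user@example.info',             // both reject: a 4-letter TLD is not 2-3 characters
];

console.log(disagreements(SAMPLES));
```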
Author Gregorio Narvaez for Debbie Ridenour, Russell Rockefeller