Hacker proof form processor


mrgrammar
07-27-2007, 11:44 PM
I'm trying to create a form processing script that is hacker/spammer proof. Below are the steps that I'm using. Please provide comments about how it might be hacked and how I can improve it.

1. At the beginning of the script,

$sendit=0;
$fakesend=0;
The recipient and subject line are specified in the script, not on the form.

2. The script checks the required fields to make sure that they are filled out. If a required field is not filled out, the user must go back and fill it in.

3. The script checks to make sure the form is POSTed.


if (strtoupper($_SERVER['REQUEST_METHOD']) != "POST") {
$sendit = 1;
$errormsg .= "Only POST method is allowed.<br>";
}


4. The script checks to make sure there was data in the form.


if (!strlen($HTTP_POST_VARS)) {
$sendit = 1;
$errormsg .= "No data was provided.<br>";
}


5. The script checks to make sure the submitter's email address is valid.


$pattern = "^([._a-z0-9-]+)@[a-z0-9-]+(\.[a-z0-9-]{2,})+$";
if(eregi($pattern,$_POST['Email'],$matches)){
$sendit = 0;
}else{
$sendit = 1;
$errormsg .= "Email address you submitted is invalid.<br>";
}


6. The script checks each field's data against a known list of spam words (mostly drugs, casinos, etc.). If an input contains a word that is a spam word,
$fakesend = 1.

7. The form checks to see if \r, \n, MIME-Version, or the domain name of the site was used in the form inputs.


if (eregi("\r",$name) || eregi("\n",$name) || eregi("MIME-Version:",$name) || eregi($emailsuffix,$name)){
$sendit = 1;
}


8. If $sendit = 1, the form displays an error to the user and what caused the error. If $sendit = 0, the script continues.

9. The message body is created.


$thebody .= htmlspecialchars(urldecode($key)).": ".htmlspecialchars(urldecode($value))."\n";


10. If $fakesend=1, the script sends the user to the thank you page without sending out an email. If $fakesend=0, the script sends the email to the recipient and sends the user to the thank you page.


$hd = "From: ".$esend1."\r\n";
$hd .= "Reply-To: ".$esend1."\r\n";
$hd .= "Return-Path: ".$esend1."\r\n";
$hd .= "CC: \r\n";
$hd .= "BCC: \r\n";

if($fakesend == 0){
$emailsuccess = mail($erec1, $esub1, $ebod1, $hd);
}

header("Location: $thankpg");
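
The steps above rewritten as one validation function, added here as an example (this is not mrgrammar's script). It uses $_POST with isset()/empty(), preg_match() and filter_var() instead of eregi(), checks the header-bound fields for CR/LF and MIME-Version, and records every failure in an array so that a later check cannot reset $sendit back to 0 after an earlier one failed. The field names, the site domain example.com and the spam word list are constructed placeholders.

```php
<?php
// Added example, not the original poster's script. Field names, domain and
// spam words below are constructed placeholders; adjust them to the real form.
$required     = array('Name', 'Email', 'Message');
$headerfields = array('Name', 'Email');   // values that end up in mail headers
$emailsuffix  = 'example.com';            // placeholder for the site's own domain
$spamwords    = array('casino', 'viagra'); // constructed sample list

function validate_submission(array $post, array $required, array $headerfields,
                             $emailsuffix, array $spamwords)
{
    $errors   = array();
    $fakesend = false;

    // Step 2: every required field must be present and non-blank.
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "Field '$field' is required.";
        }
    }

    // Step 5: email syntax via filter_var() instead of an eregi() pattern.
    if (isset($post['Email']) && filter_var($post['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address you submitted is invalid.';
    }

    foreach ($post as $key => $value) {
        if (!is_string($value)) {
            $errors[] = "Field '$key' must be a plain string.";
            continue;
        }
        // Step 7: a line break or a MIME-Version header in a value that goes
        // into a mail header is a header-injection attempt. Only the header-bound
        // fields are checked here, so a multi-line message body stays valid.
        if (in_array($key, $headerfields, true)
            && (preg_match('/[\r\n]/', $value) || stripos($value, 'MIME-Version:') !== false)) {
            $errors[] = "Field '$key' contains disallowed content.";
        }
        // Step 7 (cont.): the site's own domain in any input. preg_quote() stops
        // the '.' in the domain from being read as a regex metacharacter.
        if (preg_match('/' . preg_quote($emailsuffix, '/') . '/i', $value)) {
            $errors[] = "Field '$key' contains disallowed content.";
        }
        // Step 6: a spam word triggers the silent "fake send" rather than an error.
        foreach ($spamwords as $word) {
            if (stripos($value, $word) !== false) {
                $fakesend = true;
            }
        }
    }

    return array('errors' => $errors, 'fakesend' => $fakesend);
}

// Steps 3 and 4: only a non-empty POST is worth validating at all.
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST)) {
    $result = array('errors' => array('Only POST method is allowed.'), 'fakesend' => false);
} else {
    $result = validate_submission($_POST, $required, $headerfields, $emailsuffix, $spamwords);
}

// Step 8: report every problem at once instead of only the last check that ran.
if ($result['errors']) {
    foreach ($result['errors'] as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
// From here on, $result['fakesend'] decides whether mail() is really called (step 10).
```

Because the errors accumulate in an array, a valid email address no longer clears an earlier "Only POST method is allowed" failure the way the separate $sendit = 0 assignment in step 5 does.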

jkurrle
07-27-2007, 11:48 PM
You might want to consider also using strip_tags() and trim()

laserlight
07-28-2007, 01:40 AM
I believe it should be safe to check for the existence of the relevant elements of $_POST instead of using $_REQUEST and then checking if the form was submitted via the post method. You should do this by using isset or empty(), not by using strlen() unless you are also checking if a certain user input was of a required length. Using it on an array like $HTTP_POST_VARS is wrong, and using $HTTP_POST_VARS is wrong as now you should use $_POST.

The use of eregi() should be replaced by the use of preg_match() as the ereg functions are being phased out.

Now, with respect to the "hacker/spammer proof" thing: your idea is to pretend that you are sending out the email when you are not? From what I see, this will not prevent a spammer from continuing to spam with your form. The typical way to prevent that would be to use a CAPTCHA, though bots can be tailored to break some CAPTCHAs.

MarkR
07-28-2007, 06:30 AM
You will definitely want to strip out unwanted line breaks from any email headers (e.g. subject, from) - personally I'd create a wrapper function which checks for unwanted line breaks and use that instead of mail() everywhere in your application.

As far as stopping spammers submitting your form - none of the above will have any effect on that. Spammers write bots which submit any form they can find, frequently with junk / random / made-up values for the fields. Your validation will probably pass at least some of them - they're mostly fishing for vulnerable forms.

If you want robots not to submit your form, use a captcha. If it doesn't matter too much if robots submit your form, let them anyway but provide a way of easily cleaning up any junk created by them (and ensure that it can't be used to send email spam).

Mark
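
The wrapper MarkR describes, added here as an example (not MarkR's own code): header values are passed as an array, every name and value is refused if it carries a line break, and the header string is only assembled once all of them pass, so a From or Subject taken from user input cannot smuggle in an extra Bcc: line. The function and class names and the sample addresses are hypothetical.

```php
<?php
// Added example, not MarkR's code. Function and class names are hypothetical.

class HeaderInjectionException extends Exception {}

/**
 * Return a value trimmed for use in a mail header, or throw if it contains a
 * CR, LF or NUL byte (the characters that terminate or split a header line).
 */
function header_safe($value, $label)
{
    if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
        throw new HeaderInjectionException("Line break in mail header '$label'");
    }
    return trim($value);
}

/**
 * Build the additional-headers string for mail() from an associative array
 * such as array('From' => ..., 'Reply-To' => ...). Rejects the whole set if any
 * name or value fails header_safe(), so nothing partial is ever sent.
 */
function build_headers(array $headers)
{
    $lines = array();
    foreach ($headers as $name => $value) {
        $name = header_safe($name, 'header name');
        // A header name is a single token: letters, digits and hyphens only.
        if (!preg_match('/^[A-Za-z0-9-]+$/', $name)) {
            throw new HeaderInjectionException("Bad mail header name '$name'");
        }
        $lines[] = $name . ': ' . header_safe($value, $name);
    }
    return implode("\r\n", $lines);
}

/**
 * Use this everywhere instead of mail(): same first three arguments, but the
 * headers are an array, and To and Subject are checked as well.
 */
function safe_mail($to, $subject, $body, array $headers = array())
{
    $to      = header_safe($to, 'To');
    $subject = header_safe($subject, 'Subject');
    $extra   = build_headers($headers);
    // The body may contain line breaks; normalise them to CRLF for mail().
    $body = preg_replace('/\r\n?|\n/', "\r\n", $body);
    return mail($to, $subject, $body, $extra);
}

// Constructed demonstration of the check alone (no message is actually sent):
// the first header set is accepted, the second is rejected before mail() runs.
$good = array('From' => 'visitor@example.net', 'Reply-To' => 'visitor@example.net');
$bad  = array('From' => "visitor@example.net\r\nBcc: everyone@example.org");

echo build_headers($good), "\n";
try {
    build_headers($bad);
} catch (HeaderInjectionException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Throwing rather than silently stripping the line breaks is deliberate: a value with CR/LF in a From or Subject field is not a typo but an injection attempt, and the calling script should log it and refuse the submission rather than send a cleaned-up message.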