  1. #1
    SitePoint Zealot (Join Date Nov 2006, Posts 119)

    too many hits php script

    I'm using this Flash form on my site to have people send their messages to me. Using LoadVars, it sends the input to a php script. The php script checks the input for errors and if everything is ok, sends the message to my email. Looking at my statistics however, I noticed that this php file is accessed more often than I get emails. For example, my statistics page would say:

    phpscripts/mailform.php 25

    for this month, but in this month I only received 6 emails.

    I've taken into account that users made mistakes filling in my form. That wouldn't lead to an email, but the php file would be accessed nevertheless. So let's say 5 people did that. I then would expect to have gotten 20 emails.

    Is there something wrong with my actionscript or php script? Or is there some other reason for these extra hits on the php file? Its location isn't mentioned in the html, just in the Flash file.

    Can someone give me an explanation?

    The AS2:
    Code:
    stop();
    //When using TAB key only input fields are allowed to
    //be moved through
    
    naam.tabIndex = 1;
    email.tabIndex = 2;
    bericht.tabIndex = 3;
    
    //Scrolling arrows function
    //In case of large text being typed into the message  
    //field, the text can be scrolled with the arrow buttons
    
    Hoog.onRelease = function() {
    	bericht.scroll = bericht.scroll-1;
    };
    Laag.onRelease = function() {
    	bericht.scroll = bericht.scroll+1;
    };
    
    //When an error has been found in a field, the error
    //message "Niet (goed) ingevuld" is put inside it and when
    //clicked on that input field the field is cleared so it 
    //can be typed in again
    
    naam.onSetFocus = function(oldFocus) {
    	if (naam.text == "Niet (goed) ingevuld") {
    		naam.text = "";
    	}
    };
    email.onSetFocus = function(oldFocus) {
    	if (email.text == "Niet (goed) ingevuld") {
    		email.text = "";
    	}
    };
    bericht.onSetFocus = function(oldFocus) {
    	if (bericht.text == "Niet ingevuld") {
    		bericht.text = "";
    	}
    };
    
    //Sending typed name, email address and message text
    //variables to php mailform.php script
    
    Versturen.onRelease = function() {
    	mySendVars = new LoadVars();
    	myLoadVars = new LoadVars();
    	mySendVars.naam = naam.text;
    	mySendVars.email = email.text;
    	mySendVars.bericht = bericht.text;
    	mySendVars.sendAndLoad("mailform.php", myLoadVars, "POST");
    	gotoAndStop(2);
    	
    	//The returned variables indicate whether there 
    	//was an error in one or more input fields
    	//In case of no error the email has already been 
    	//sent by the php script and Flash goes to frame 3 
    	//of the movieclip, showing the Thank-You screen
    	
    	myLoadVars.onLoad = function(success) {
    		if (success) {
    			if ((myLoadVars.naam != "error") && (myLoadVars.email != "error") && (myLoadVars.bericht != "error")) {
    				gotoAndStop(3);
    			} else {
    				
    				//In case of an error the error message 
    				//is displayed in red characters in 
    				//the input field(s) which has the error
    				gotoAndStop(1);
    				if (myLoadVars.naam != "error") {
    					naam.text = mySendVars.naam;
    				} else {
    					naam.text = "Niet (goed) ingevuld";
    					naamformat = new TextFormat();
    					naamformat.color = 0xFF0000;
    					naam.setTextFormat(naamformat);
    				}
    				if (myLoadVars.email != "error") {
    					email.text = mySendVars.email;
    				} else {
    					email.text = "Niet (goed) ingevuld";
    					emailformat = new TextFormat();
    					emailformat.color = 0xFF0000;
    					email.setTextFormat(emailformat);
    				}
    				if (myLoadVars.bericht != "error") {
    					bericht.text = mySendVars.bericht;
    				} else {
    					bericht.text = "Niet ingevuld";
    					berichtformat = new TextFormat();
    					berichtformat.color = 0xFF0000;
    					bericht.setTextFormat(berichtformat);
    				}
    			}
    		}
    	};
    };
    The php script mailform.php:
    Code:
    <?php
    
    /* Email settings, doing some basic filtering */
    /* Used by Flash form so utf8 decode necessary for allowing international (accented) characters */
    /* (utf8 decode turns everything to iso 8859-1) */
    /* Using stripslashes so names like O'Brien don't get converted to O/'Brien when posted by Flash */
    
    $to = "test@mail.nl";
    $subject = "Request for information";
    $naam = stripslashes(utf8_decode($_POST["naam"]));
    $email = stripslashes(utf8_decode($_POST["email"]));
    $bericht = stripslashes(utf8_decode($_POST["bericht"]));
    
    /* Convert newline codes to correct newlines so that each paragraph starts on a new line */
    
    $bericht = preg_replace('~\r(?!\n)|(?<!\r)\n~', "\r\n", $bericht);
    
    /* To protect against email injection, some regular expressions to validate input values */
    /* Checking for a proper name, including accented characters, apostrophe, space and hyphen */
    /* Hexadecimal codes used to allow accented characters */
    
    if (!preg_match('~^[a-z\xC0-\xFF][a-z\xC0-\xFF \-\']*$~i', $naam)) {
    $naam = "error";
    /* echoes are used to send the variables back to Flash again */
    echo "&naam=error&";
    } else {
    echo "&naam=correct&";
    }
    
    /* Checking for properly formed email address*/
    
    if (!preg_match('~^[a-z0-9][a-z0-9_.\-]*@([a-z0-9]+\.)*[a-z0-9][a-z0-9\-]+\.([a-z]{2,6})$~i', $email)) {
    $email = "error";
    echo "&email=error&";
    } else {
    echo "&email=correct&";
    }
    
    /* Has a message been filled in? */
    
    if (!$bericht || $bericht == "Niet ingevuld") {
    $bericht = "error";
    echo "&bericht=error&";
    } else {
    echo "&bericht=correct&";
    }
    
    /* Everything is ok and mail will be sent as plain text mail */
    /* When sending as html text mail, the use of htmlentities on the message is advised */
    /* That way the message part can't be used to input malicious scripts */
    if ($naam != "error" && $email != "error" && $bericht != "error") {
    
    $message = "Naam:\r\n".$naam."\r\n\r\n";
    $message .= "Emailadres:\r\n".$email."\r\n\r\n";
    $message .= "Bericht:\r\n".$bericht."\r\n";
    
    $headers = "MIME-Version: 1.0\r\n";  
    $headers .= "Content-type: text/plain; charset=iso-8859-1\r\n";
    $headers .= "From: ".mb_encode_mimeheader($naam, "iso-8859-1", "Q")." <".$email.">\r\n";  
    
    mail($to, $subject, $message, $headers);
    
    }
    ?>

  2. #2
    SitePoint Zealot Mattinblack (Join Date May 2009, Posts 105)
    Yeah you are being hacked by a bot. Possibly unintentionally by a search engine but there are many bots that wander the web looking for vulnerable forms to compromise.

    Try looking at the user agents that looked at the script (if your stats let you)

    You have a BIG security hole in your PHP. At the head of the script you should check to see if the page it is being called from is an allowed page and if not sleep 15 seconds then die. Otherwise anybody can call it from anywhere especially after you posted it on here... there are people who would think it funny to send you 85000 copies of the bible to fill up your email inbox using a script on your own site...
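    The check Mattinblack suggests above ("look at the user agents that looked at the script"), as an added example written for this thread rather than code posted by either participant: it parses Apache combined-format access-log lines, counts the hits on the mail script per request method, user agent and client address, and lists the hits that cannot have come from the Flash form, which only ever sends a POST. The script path is assumed from the stats line in post #1, and the five log lines are constructed samples, not real traffic.

```php
<?php
// Added example, not code from the thread. Summarises access-log hits on the
// mail script so that traffic which cannot be a visitor filling in the form
// (GET requests, crawler user agents, bursts from one address) stands out.
// Assumed path, taken from the stats line in post #1: /phpscripts/mailform.php
// The log lines below are constructed samples in Apache "combined" format.

$sampleLog = array(
    '203.0.113.5 - - [10/May/2009:10:01:02 +0200] "POST /phpscripts/mailform.php HTTP/1.1" 200 41 "http://www.example.com/contact.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Shockwave Flash"',
    '198.51.100.7 - - [10/May/2009:11:15:43 +0200] "GET /phpscripts/mailform.php HTTP/1.1" 200 41 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '192.0.2.9 - - [11/May/2009:02:03:04 +0200] "POST /phpscripts/mailform.php HTTP/1.0" 200 41 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.9 - - [11/May/2009:02:03:05 +0200] "POST /phpscripts/mailform.php HTTP/1.0" 200 41 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [12/May/2009:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
);

/* Parse one combined-format line; returns null when the line does not match. */
function parseLogLine($line) {
    $pattern = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$~';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    $pathParts = explode('?', $m[4], 2);   // drop any query string before comparing paths
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $pathParts[0],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'agent'   => $m[7],
    );
}

/* Count hits on $scriptPath per method, agent and address, and collect the
   hits that cannot have come from the form: non-POST, or a crawler-style agent. */
function summariseHits(array $lines, $scriptPath) {
    $summary = array('total' => 0, 'by_method' => array(), 'by_agent' => array(),
                     'by_ip' => array(), 'suspect' => array());
    foreach ($lines as $line) {
        $hit = parseLogLine($line);
        if ($hit === null || $hit['path'] !== $scriptPath) {
            continue;
        }
        $summary['total']++;
        foreach (array('method', 'agent', 'ip') as $key) {
            $bucket = 'by_' . $key;
            if (!isset($summary[$bucket][$hit[$key]])) {
                $summary[$bucket][$hit[$key]] = 0;
            }
            $summary[$bucket][$hit[$key]]++;
        }
        $crawler = preg_match('~bot|crawl|spider~i', $hit['agent']) === 1;
        if ($hit['method'] !== 'POST' || $crawler) {
            $summary['suspect'][] = $hit;
        }
    }
    return $summary;
}

$report = summariseHits($sampleLog, '/phpscripts/mailform.php');
printf("%d hits on the script\n", $report['total']);
foreach ($report['by_method'] as $method => $n) { printf("  method %-5s %d\n", $method, $n); }
foreach ($report['by_ip'] as $ip => $n)         { printf("  ip     %-14s %d\n", $ip, $n); }
foreach ($report['by_agent'] as $agent => $n)   { printf("  %3d  %s\n", $n, $agent); }
printf("%d suspect hit(s):\n", count($report['suspect']));
foreach ($report['suspect'] as $hit) {
    printf("  %s %s %s [%s]\n", $hit['time'], $hit['ip'], $hit['method'], $hit['agent']);
}
```

    On the sample lines the report shows 4 hits on the script (3 POST, 1 GET), flags the Googlebot GET as suspect, and the per-address counts show 192.0.2.9 posting twice one second apart, which nobody typing into a form does. Run against the real log, the same three views (method, agent, address) separate crawler fetches, scanner probes and repeated submissions from the genuine form posts, and explain the gap between 25 hits and 6 emails without guessing.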

  3. #3
    SitePoint Zealot (Join Date Nov 2006, Posts 119)
    Yeah you are being hacked by a bot.
    How does a bot know there is a mailform.php file if it isn't mentioned in the html file? Its existence/location is only mentioned in the flash form.

    especially after you posted it on here
    Well, I've replaced certain words in the php script with others (like the filename, the location and the email address), just in case any bad people wanted to take advantage of it.

    You have a BIG security hole in your PHP. At the head of the script you should check to see if the page it is being called from is an allowed page and if not sleep 15 seconds then die.
    If I were to add this in my Flash file as an extra variable to send to the php script:
    Code:
    mySendVars.password = "mangojuice";
    And upon sending to my php script check for it like this:
    Code:
    $password = isset($_POST["password"]) ? $_POST["password"] : "";
    if ($password != "mangojuice") {
    echo "Don't touch my script!";
    exit;
    }
    That would take care of that security risk you mentioned wouldn't it? I mean, now it only could run if it had been accessed by the flash file?

    And if 'hacked' by a search engine bot I would probably just have to add a robots.txt file disallowing this particular php file or the folder my php scripts are located?
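    The head-of-script check discussed in posts #2 and #3 (allowed caller, shared secret, reject everything else), written out as an added example for this thread and not as either poster's code. It assumes the Flash form sends the secret in a field named `token` (the `password` of post #3), that the site lives on `www.example.com`, and that the constant `FORM_TOKEN` is a placeholder the site owner replaces with a long random value; `hash_equals` needs PHP 5.6 or newer.

```php
<?php
// Added example, not the poster's code: the check to place at the very top of
// mailform.php, before any input is read. It fails closed: every request that
// is not a POST carrying the expected token is logged and refused.
// Assumptions: field name "token", host www.example.com, FORM_TOKEN placeholder.

define('FORM_TOKEN', 'REPLACE-WITH-A-LONG-RANDOM-VALUE'); // placeholder, replace before use
define('ALLOWED_REFERER_HOST', 'www.example.com');        // assumed site host

/* Decide whether the request may reach the mail code. Returns true, or a short
   reason string that is logged so the rejected traffic can be recognised in the stats. */
function requestIsAllowed(array $server, array $post, $expectedToken, $allowedHost) {
    // 1. The Flash form only ever POSTs; a GET is a crawler or a probe.
    if (!isset($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') {
        return 'method';
    }
    // 2. Shared secret sent by the form. hash_equals compares in constant time,
    //    and the is_string guard keeps array-valued input from causing an error.
    if (!isset($post['token']) || !is_string($post['token'])
            || !hash_equals($expectedToken, $post['token'])) {
        return 'token';
    }
    // 3. Referer, as post #2 suggests. The client chooses what to send here, so a
    //    matching value proves nothing; a mismatch is still worth refusing, and an
    //    absent header is tolerated because the Flash player may not send one.
    if (!empty($server['HTTP_REFERER'])) {
        $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
        if ($host !== $allowedHost) {
            return 'referer';
        }
    }
    return true;
}

/* Log the rejection with the details needed to match it against the access log,
   answer with 403, and return the same "error" variables the Flash form already
   understands so a genuine client never gets a blank response. */
function rejectRequest($reason) {
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '-';
    error_log("mailform rejected (" . $reason . ") ip=" . $ip . " agent=" . $agent);
    http_response_code(403);
    echo "&naam=error&email=error&bericht=error&";
    exit;
}

$verdict = requestIsAllowed($_SERVER, $_POST, FORM_TOKEN, ALLOWED_REFERER_HOST);
if ($verdict !== true) {
    rejectRequest($verdict);
}

// ... the existing validation and mail() code of mailform.php follows here.
```

    Two caveats a practitioner would attach to this. The token is compiled into the SWF, and a SWF can be downloaded and read by anyone who has the page, so the check keeps out crawlers and generic form scanners but not someone who singles out this form; treat it as a filter, not as authentication. And the `sleep 15` from post #2 is better left out: each rejected request would then hold a PHP process open for fifteen seconds, which makes the script easier to tie up than it was before. Reject immediately, log the reason, and if the log shows repeated submissions from one address, add a per-address limit on top.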

  4. #4
    SitePoint Zealot Mattinblack (Join Date May 2009, Posts 105)
    Yeah the mango juice would be cool. I think you are missing the fact that mailform is an obvious and common file name for a mail form. There is even a script called mailform that has a mailform.php file... so maybe change the filename too.

  5. #5
    SitePoint Zealot (Join Date Nov 2006, Posts 119)
    Yes, in fact I don't use mailform.php but a lot less obvious filename.

    Anyway, besides this security fix the only thing left would be to add a robots.txt file to prevent at least search engine bots from seeing my php file?

    I will be curious to see if the hits to the php file / received emails will be the same more or less next month...
