  1. #1 Brocberry (SitePoint Enthusiast)

    I added this form-code tonight and now my host is warning me I'm spamming!

    It might not be this code because when I download the contact.php file from my webspace it looks the same as when I uploaded it, like this:

    PHP Code:
    <?php
    $to = "email address deleted for posting";
    $name = $_REQUEST['name'];
    $subject = " Contact Form Enquiry from $name";
    $email = $_REQUEST['email'];
    $message = $_REQUEST['message'];
    // the visitor-supplied address goes straight into a mail header
    $headers = "From: $email";
    $sent = mail($to, $subject, $message, $headers);
    if ($sent) {
        include 'thankyou.html';
    }
    exit();
    ?>
    Is the include vulnerable?

    Is this form rubbish?

    My host sent me an automated message telling me I'm either mass-mailing (which I'm not) or that it's possibly this problem http://en.wikipedia.org/wiki/Remote_File_Inclusion

  2. #2 Mittineague (Programming Team)
    Looks rubbish to me. Using REQUEST instead of POST, using user input directly without any validation or sanitization. Search for "header injection", and find something else IMHO.

  3. #3 felgall (Programming Since 1978)
    No validation whatever so any spammer can use that script to send anything to anyone and all from any email address they choose to claim as the sender as well.

    Malicious software like that needs to be deleted as soon as it is discovered, and you need to track down where it came from to make sure you don't get anything more like that given to you to make the spammers' job of spamming everyone infinitely easier.
    Stephen J Chapman
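    As an added illustration of what Mittineague and felgall are describing (this is not code from the thread), the PHP below builds the header string exactly the way the posted contact.php did and feeds it a constructed spammer payload. Nothing is sent; it only prints what mail() would have handed to the local sendmail binary. The payload, the addresses in it and the contains_header_break() check are my own. Because the original read $_REQUEST, the same payload works in a GET query string, which is what makes a script like this trivial to drive from a bot.

```php
<?php
// Added example, not the thread's code. Shows how one form field becomes
// several SMTP headers when it is dropped into "From: $email" unchecked.

// This is what the original contact.php did with the "email" field.
function build_headers_like_original(string $email): string
{
    return "From: $email";
}

// Constructed attacker payload (addresses are made up): a plausible address,
// then CRLF-separated extra headers, a blank line, and a brand-new body.
// All of it arrives in the single POST (or GET) parameter called "email".
$payload = "spammer@example.com\r\n"
         . "Bcc: victim1@example.org, victim2@example.org\r\n"
         . "Subject: Cheap pills\r\n"
         . "\r\n"
         . "Buy now! http://example.com/";

$headers = build_headers_like_original($payload);

// Split on CRLF to see what the MTA sees: three headers and a body,
// not the single From: line the script's author intended.
foreach (explode("\r\n", $headers) as $i => $line) {
    printf("%d: %s\n", $i, $line === '' ? '<blank line: headers end, body begins>' : $line);
}

// The minimal check that stops this whole class of attack: refuse any value
// destined for a header that contains a carriage return or line feed.
function contains_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

var_dump(contains_header_break($payload));            // the payload above
var_dump(contains_header_break('alice@example.com')); // an ordinary address
?>
```

    Run it from the command line with php and read the numbered lines: line 1 is a Bcc: header the site owner never wrote, and everything after the blank line is the spammer's body, delivered with the site's own server as the sending host.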

  4. #4 Brocberry (SitePoint Enthusiast)
    The contact.html form was sending the entries to contact.php. The form in the html page has been deleted and the php has been deleted. I'm not sure if there's anything else to delete?

  5. #5 felgall (Programming Since 1978)
    Only the malware script you posted above needed deleting. If you were to replace that malware with a proper form2mail script then the rest of what you had would almost certainly still be usable.
    Stephen J Chapman

  6. #6 Brocberry (SitePoint Enthusiast)
    How should I improve the code - what's a proper form2mail script?

    The actual markup in contact.html looks like this.

    <form id="thisform" method="post" action="contact.php">
    The code in the thread's first post is from the php page contact.php

  7. #7 Rubble (SitePoint Mentor)
    You can check out the info on the site below. He also has some code you can use.
    http://www.stevedawson.com/article0015.php

  8. #8 Non-Member (Shrapnel_N5)
    This code is invulnerable
    PHP Code:
    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $to = "email address deleted for posting";
        $subject = " Contact Form Enquiry";

        // all user input goes into the body; nothing user-supplied reaches the headers
        $message = "Name: " . $_REQUEST['name'] . "\r\n";
        $message .= "E-mail: " . $_REQUEST['email'] . "\r\n\r\n";
        $message .= $_REQUEST['message'];

        mail($to, $subject, $messages); // typo as posted: should be $message (see posts #11 and #13)

        header('Location: thankyou.html');
    }
    ?>
    There is no problem with include. You've got mail injection, probably.
    Put user input into message body only and you're safe

  9. #9 JamesColin (SitePoint Guru)
    If you think that having the visitor's email in the header is convenient to reply to him directly, then you should make sure it is valid first:

    Code:
    function validateEmail($email)
    {
       // eregi() was removed in PHP 7; preg_match() with the i flag is the equivalent.
       // The D modifier makes $ match only at the very end of the string, as the
       // POSIX $ did, so an address with a trailing newline is still rejected.
       if (preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9-]+\.[a-zA-Z]{2,4}(\.[a-zA-Z]{2,3})?(\.[a-zA-Z]{2,3})?$/iD', $email))
          return true;
       else
          return false;
    }
    If it is a valid email then use it in header, if not then display it in the content of the email like Shrapnel N5 suggested, so you can see why it didn't validate.
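    Pulling the advice from the posts above into one script, here is an added, complete replacement for contact.php. It is not the thread's code and not Steve Dawson's: POST only, every piece of visitor text in the body, and the visitor's address used in exactly one header, Reply-To, after filter_var() has accepted it, so "click reply" still works as James wants. SITE_MAILBOX, the field names name/email/message and the location of thankyou.html are assumptions. From: is the site's own mailbox rather than the visitor's because mail carrying a stranger's domain in From: fails SPF/DMARC alignment at the receiving side and lands in spam, whereas Reply-To is not checked that way.

```php
<?php
// Added example, not the thread's code: a contact.php that keeps user input
// out of mail headers except for one validated Reply-To address.
// Assumed: the form posts name, email and message here; thankyou.html is
// in the same directory; SITE_MAILBOX is the address that should receive mail.

const SITE_MAILBOX = 'webmaster@example.com'; // assumed site address

// Headers are terminated by CRLF, so strip any line break (and NUL) a user
// sends, then cap the length so nobody pads the Subject with a novel.
function clean_header_value(string $value, int $max = 200): string
{
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    return substr(trim($value), 0, $max);
}

// filter_var() rejects anything containing whitespace, CR or LF, or lacking
// a domain part, so no hand-rolled regex is needed. Returns null on failure.
function valid_email(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

$name    = clean_header_value($_POST['name'] ?? '', 100);
$email   = valid_email($_POST['email'] ?? '');
$message = (string) ($_POST['message'] ?? '');

if ($name === '' || $email === null || trim($message) === '') {
    http_response_code(400);
    exit('Please fill in a name, a valid email address and a message.');
}

// From: is our own mailbox so SPF/DMARC stay aligned; the visitor's
// validated address goes in Reply-To, which keeps "click reply" working.
$headers  = "From: " . SITE_MAILBOX . "\r\n";
$headers .= "Reply-To: " . $email . "\r\n";
$headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

$subject = "Contact form enquiry from " . $name;

// Everything the visitor typed goes in the body, where line breaks are harmless.
$body  = "Name: " . $name . "\r\n";
$body .= "E-mail: " . $email . "\r\n\r\n";
$body .= $message;

if (mail(SITE_MAILBOX, $subject, $body, $headers)) {
    header('Location: thankyou.html');
    exit();
}

http_response_code(500);
exit('Sorry, the message could not be sent.');
```

    The redirect is followed by exit() so that nothing after it runs, and the script deliberately uses $_POST rather than $_REQUEST so a spammer cannot drive it with a plain GET request from a bot.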

  10. #10 Brocberry (SitePoint Enthusiast)
    Rubble, thanks, I'll take a look at that page shortly.

    Shrapnel, I used that code and tested it and received an email from my host's server but there was no message or email address etc. I tried to play with it so that all info was contained in the final $message but I couldn't manage it - I renamed the earlier variable for email etc but couldn't get them all to appear in the message body - I tried to put the three info sources into an array called $message but it's not working yet... some more playing needed yet.

    James, I will come back to that and make an effort to get it into the final code, but firstly I just want to make it safe. But, yes, I do want to be able to simply click reply.

  11. #11 Non-Member (Shrapnel_N5)
    Looks like you have no idea what you are doing.
    Did you ever try to read the mail() function manual and see what all the variables mean?

    Yes, there is a mistake: it must be $message, not $messages, in mail(),
    and then it should work fine. No rocket science inside.

    And you are able to reply quickly: just click on the email address when reading the message.

  12. #12 JamesColin (SitePoint Guru)
    Quote Originally Posted by Shrapnel_N5:
        And you are able to reply quickly: just click on the email address when reading the message.
    Then you would lose the visitor's message, no? You'd have to copy/paste it if you want to reply to several parts of the message.

  13. #13 Brocberry (SitePoint Enthusiast)
    Quote Originally Posted by Shrapnel_N5:
        Looks like you have no idea what you are doing.
    Well, thanks for putting it that way lol, what exactly were you expecting from someone with a problem with a simple form?

    I do appreciate your help, and yes your form does work with the s deleted.

  14. #14 Brocberry (SitePoint Enthusiast)
    My host has been back to me and said that the spam was created after hackers exploited a vulnerability in the WYSIWYG text editor on another site that I'm sharing the hosting with.

    Still, back tomorrow to get this form sorted.
