execute
Posted August 28, 2008

Hi, I am a web developer but with limited PHP knowledge. I have created a form over the years which I believe I have improved to the best of my ability. It is used on a wide number of websites; however, recently I have had an automated email from Heart Internet which specifies the following:

Our automatic server monitoring system has detected that your site xyz.com is running a permanent server process

I have contacted Heart and await a reply. Only 1 of 2 things can be causing this problem: either the below script or the fact the website contains a WMA file without streaming. I would like, if possible, that anyone with superior PHP knowledge check this form and see if I have indirectly left something unclosed or looped. I'd appreciate any help on this. Thanks a lot in advance.

Steve

```php
<?php
$errors = ''; // collected validation messages

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Returns true when the address does NOT match the pattern (i.e. is invalid).
    function validate_email($email) {
        return preg_match('/^[A-Za-z0-9_\-\.]+@[A-Za-z0-9_\-\.]+\.[A-Za-z0-9_\-\.]+$/', $email) == 0;
    }

    if ($_POST['fname'] == '') { $errors .= "<br />You did not enter a forename."; }
    if ($_POST['sname'] == '') { $errors .= "<br />You did not enter a surname."; }
    if (validate_email($_POST['email'])) { $errors .= "<br />You did not enter a valid email."; }
    if ($_POST['number'] == '') { $errors .= "<br />You did not enter a telephone number."; }
    if ($_POST['comments'] == '') { $errors .= "<br />You did not specify a question."; }

    if (!$errors) {
        $url = $_SERVER["SERVER_NAME"]; // was $HTTP_SERVER_VARS, removed from current PHP
        $self = $_SERVER['PHP_SELF'];
        $fname = $_POST["fname"];
        $sname = $_POST["sname"];
        $email = $_POST["email"];
        $number = $_POST["number"];
        $comments = $_POST["comments"];

        // Replace <, > and = with a backslash in every field
        // (str_replace stands in for ereg_replace, which current PHP no longer provides).
        $fname = str_replace('<', "\\", $fname);
        $fname = str_replace('>', "\\", $fname);
        $fname = str_replace('=', "\\", $fname);
        $sname = str_replace('<', "\\", $sname);
        $sname = str_replace('>', "\\", $sname);
        $sname = str_replace('=', "\\", $sname);
        $email = str_replace('<', "\\", $email);
        $email = str_replace('>', "\\", $email);
        $email = str_replace('=', "\\", $email);
        $number = str_replace('<', "\\", $number);
        $number = str_replace('>', "\\", $number);
        $number = str_replace('=', "\\", $number);
        $comments = str_replace('<', "\\", $comments);
        $comments = str_replace('>', "\\", $comments);
        $comments = str_replace('=', "\\", $comments);

        $ownemail = "info@somedomain.com";
        $subject = "General Enquiry from $url";
        $message = "\n******************************************************\n General Enquiry from $url.\n\n******************************************************\n From: $fname $sname\n Telephone: $number\n Enquiry: $comments\n Email: $email\n ******************************************************\n End of message\n ******************************************************\n\n";

        // The visitor-supplied address is used as the From header.
        mail($ownemail, $subject, $message, "From: $email");
        echo "<br /><font color='#FF0000'><b>Thank you for your submission, please allow 24 hours for a response.</b></font><br />";
    } else {
        echo "<br /><font color='#FF0000'><b>Your submission failed because:</b>$errors</font><br />";
    }
}

// The form posts back to this same script; submitted values are echoed back as typed.
echo "<br /><form method=\"post\" action=\"{$_SERVER['PHP_SELF']}\">";
?>
Enter Your forename: <br />
<input type="text" name="fname" size="20" value="<?php echo $_POST['fname'] ?? ''; ?>" /><br /><br />
Enter Your Surname:<br />
<input type="text" name="sname" size="20" value="<?php echo $_POST['sname'] ?? ''; ?>" /><br /><br />
Enter Your Email:<br />
<input type="text" name="email" size="20" value="<?php echo $_POST['email'] ?? ''; ?>" /><br /><br />
Enter Your Telephone Number:<br />
<input type="text" name="number" size="20" value="<?php echo $_POST['number'] ?? ''; ?>" /><br /><br />
Enter The Nature Of Your Enquiry:<br />
<textarea rows="5" name="comments" cols="40"><?php echo $_POST['comments'] ?? ''; ?></textarea><br /><br />
<input type="submit" value="Submit form" name="submit" /><input type="reset" value="Reset form" name="reset" />
</form>
```

JonnoTheDev
Posted August 28, 2008

Your validation is a bit lax and could be worked around quite easily from a 3rd party script. Have you checked the access logs on the server to see what's happening? Even look at your web stats for a pattern. If this is a contact email form then I would apply a CAPTCHA to it.

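Added example, not part of the original thread or any poster's code: one way to tighten the validation the reply above calls lax, using the same field names as the posted form. The helper names `h()` and `clean_contact_fields()`, the sample submission and the example.com addresses are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code. Field names match the form in
// the thread; h(), clean_contact_fields() and the sample input are hypothetical.

// Escape a value before echoing it back into an attribute or textarea.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Validate the posted fields. Returns [cleaned fields, list of error messages].
function clean_contact_fields(array $post): array
{
    $required = [
        'fname'    => 'You did not enter a forename.',
        'sname'    => 'You did not enter a surname.',
        'number'   => 'You did not enter a telephone number.',
        'comments' => 'You did not specify a question.',
    ];
    $clean = [];
    $errors = [];
    foreach ($required as $field => $message) {
        $clean[$field] = trim((string) ($post[$field] ?? ''));
        if ($clean[$field] === '') {
            $errors[] = $message;
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    // A CR or LF in a value bound for a mail header would start a new header line.
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'You did not enter a valid email.';
        $email = '';
    }
    $clean['email'] = $email;
    return [$clean, $errors];
}

// Constructed sample submission: markup in the forename, a line break in the email.
$sample = [
    'fname' => '"><b>Steve</b>', 'sname' => 'Smith', 'number' => '01234 567890',
    'comments' => 'Hello', 'email' => "visitor@example.com\r\nX-Test: 1",
];
[$clean, $errors] = clean_contact_fields($sample);
echo implode("\n", $errors), "\n";
echo '<input type="text" name="fname" value="', h($clean['fname']), '" />', "\n";
// Mail is only built when validation passed; From is a fixed site address
// (placeholder) and the visitor's address goes in Reply-To.
$headers = $errors ? null : "From: webform@example.com\r\nReply-To: {$clean['email']}";
var_dump($headers);
```
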
DarkWater
Posted August 28, 2008

PHP closes after the HTTP request finishes, so I strongly doubt that a simple HTML form and basic validation (which is a bit shaky, as neil.johnson pointed out) would cause a "permanent server process".

execute
Posted September 1, 2008

Thanks for the replies. I know it's probably not the safest of contact forms but I do believe it's not the worst. Again, my knowledge is somewhat limited, but I believe I have closed off the script in all the correct places and there are no obvious leaks that could be exploited. My provider turned the website back on this weekend only for it to go back offline again last night; apparently it was hacked and the server process shut it down again. Since I'm running no other scripts apart from the include_once command (including safe HTML-based files), I can only guess the problem lies in this script. If there are any obvious changes you would recommend, please show me how you would achieve a better result. Thanks again gents.

Steve

execute
Posted September 1, 2008

Thanks for all your help gents, it turned out to be geeklog - blog script. Guess it's good news it wasn't my script. Thanks again guys.

Steve