nikneven Posted May 22, 2009 Author Share Posted May 22, 2009 We contacted our host as well (1and1) and that was basically what they told us. As in: "Well, if there is an issue in your site, it must be that someone has your password. You might want to change it", which, I gotta tell ya, was not exactly a helpful answer. Here is what I have changed the contact form to: <?php // send a notification email that someone clicked submit. $today = date("F j, Y, g:i a"); $ip=$_SERVER['REMOTE_ADDR']; $bodyNotify = ""; $bodyNotify .= "Someone has clicked the submit button on Giraffe Inc. Please check for injection attacks"; $bodyNotify .= "\n"; $bodyNotify .= "\n"; $bodyNotify .= "The submit button was pressed at: "; $bodyNotify .= "\n"; $bodyNotify .= $today; $bodyNotify .= "\n"; $bodyNotify .= "\n"; $bodyNotify .= "From the following IP:"; $bodyNotify .= "\n"; $bodyNotify .= $ip; $headerNotify = "From: Giraffe Mail Notifier"; mail("[email protected]","Giraffe Mail Form Notifier",$bodyNotify,$headerNotify); // get posted data into local variables function check_input($data) { $data=strip_tags('allowed tags',$data); $data = trim($data); //trim whitespace $data = stripslashes($data); //trim backslashes $data = htmlspecialchars($data,ENT_NOQUOTES); //escaping XSS in PHP 5// $data= filter_var($data,FILTER_SANITIZE_STRING); //works in php5 //////////////////////////////////////////////////////////////////////////////// $data= mysql_real_escape_string($data); // escape SQL injection return $data; } $EmailFrom = check_input($_POST['EmailFrom']); $EmailTo = "[email protected]"; $Subject = "~ New Contact from GiraffeInc.com: "; $Subject .= $EmailFrom; $Subject .= " ~"; $FullName = check_input($_POST['FullName']); $Contact = check_input($_POST['checkbox']); $Tel = check_input($_POST['Tel']); $Company = check_input($_POST['Company']); $Message = check_input($_POST['Message']); $headers = "From: \"".$FullName."\" <".$EmailFrom.">"; $headers .= "Return-Path: <".$EmailFrom.">"; $headers .= "\n"; // validation $validationOK=true; if ($EmailFrom=="") $validationOK=false; if ($FullName=="") $validationOK=false; if ($Message=="") $validationOK=false; if (!$validationOK) { print "<meta http-equiv=\"refresh\" content=\"0;URL=../index.php?content=validate&cbg=1\">"; exit; } if (!preg_match("/^[-_a-z0-9\'+*$^&%=~!?{}]++(?:\.[-_a-z0-9\'+*$^&%=~!?{}]+)*+@(??![-.])[-a-z0-9.]+(?<![-.])\.[a-z]{2,6}|\d{1,3}(?:\.\d{1,3}){3})(?::\d++)?$/iD",$EmailFrom)) { print "<meta http-equiv=\"refresh\" content=\"0;URL=../index.php?content=validate&cbg=1\">"; exit; } // prepare email body text $Body = ""; $Body .= "You have message from "; $Body .= $FullName; $Body .= " at "; $Body .= $EmailFrom; $Body .= "\n"; $Body .= "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"; $Body .= "\n"; $Body .= "\n"; $Body .= "Name: "; $Body .= $FullName; $Body .= "\n"; $Body .= "Should we contact you? "; $Body .= $Contact; $Body .= "\n"; $Body .= "Phone Number: "; $Body .= $Tel; $Body .= "\n"; $Body .= "Company: "; $Body .= $Company; $Body .= "\n"; $Body .= "Message: "; $Body .= $Message; $Body .= "\n"; // send email $success = mail($EmailTo, $Subject, $Body, $headers); // redirect to success page if ($success){ print "<meta http-equiv=\"refresh\" content=\"0;URL=../index.php?content=ok&cbg=1\">"; } else{ print "<meta http-equiv=\"refresh\" content=\"0;URL=../index.php?content=error&cbg=1\">"; } ?> Now, does this look secure? Are their errors in the beginning php in the index file? Are me switches and if statements good? Have I missed any security on the site as a whole? And, well, this is embarrassing, how the heck do I edit my posts? I really cant figure it out, and its making me feel remarkably dense. Edit: except now I see the edit button. Is it a post count thing? Link to comment https://forums.phpfreaks.com/topic/158943-php-injection-attack/page/2/#findComment-839561 Share on other sites More sharing options...
PerfecTiion Posted May 22, 2009 Share Posted May 22, 2009 Try: <?php function check_input($data) { //escaping XSS in PHP 5// $data= filter_var($data,FILTER_SANITIZE_STRING); //works in php5 //////////////////////////////////////////////////////////////////////////////// $data= mysql_real_escape_string($data); // escape SQL injection return $data; }?> would these be needed if i have php >5.2 $data=strip_tags('allowed tags',$data); $data = trim($data); //trim whitespace $data = stripslashes($data); //trim backslashes $data = htmlspecialchars($data,ENT_NOQUOTES); Would just using the above 2 (in quotes) be sufficiant ? Link to comment https://forums.phpfreaks.com/topic/158943-php-injection-attack/page/2/#findComment-839720 Share on other sites More sharing options...
adams0423 Posted May 26, 2009 Share Posted May 26, 2009 GoDaddy essentially told me that they believed that someone else had used my password to log into my account and insert this virus. Here is the part that amazed me: When I had re-uploaded all pages associated with this account I contacted GoDaddy and asked if they could scan my directory for any other signs of virus activity. They said they could not, but that Google Webmaster Tools could. I asked them how to make that happen (since I'd never noticed this feature) and they said that they couldn't support 3rd party tools like Google Webmaster Tools(!) Is there a reason that a host wouldn't (or couldn't) scan a directory for viruses, especially one that was known to carry them? Link to comment https://forums.phpfreaks.com/topic/158943-php-injection-attack/page/2/#findComment-842206 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.