Jump to content

Help, my form script has been hacked

ethoemmes

By ethoemmes
in PHP Coding Help

 Share

Recommended Posts

ethoemmes Newbie

ethoemmes

Posted
Posted
Hi,

I have used the following script for about a year now but yesterday I started receiving a lot of emails in my email box (looks like someone has hacked this script to send spam)

Can anyone spot any improvements I could make to it? It is called from the following page

http://rrbltd.co.uk/contact.htm

Thanks

E

[code]
  <?php
  session_start();
  header("Cache-control: private");
 
  $Title = $_POST['Title'];
  $FirstName = $_POST['FirstName'];
  $LastName = $_POST['LastName'];
  $Email = $_POST['Email'];
  $Comments = $_POST['Comments'];
  $AddToML = $_POST['AddToML'];
 
  $_SESSION['Title'] = $Title;
  $_SESSION['FirstName'] = $FirstName;
  $_SESSION['LastName'] = $LastName;
  $_SESSION['Email'] = $Email;
 
  $strMailTo = 'Info@rrbltd.com';
  $strSubject = 'Enquiry from Website';
  $strBody = "$Comments \n
  Received from \n
  $Title $FirstName $LastName \n
  $Email";
 
  if (empty($FirstName) || empty($LastName) || empty($Email)) {
      header( "Location: form_error.php" );
    }
  else {
 
  $From = "From: \"$FirstName $LastName\" <$Email>\nX-Mailer: PHP/" . phpversion();
 
  mail ($strMailTo, $strSubject, $strBody, $From);
 
  if (isset($_POST['AddToML'])) {
 
  header( "Location: http://www.rrbltd.com/registration_form.htm" );
  }
  else {
  header( "Location: http://www.rrbltd.com/contact_thanks.htm");
  }
  }
  ?>
[/code]
Link to comment
Share on other sites
ronverdonk Newbie

ronverdonk

Posted
Posted
I am sorry for anyone reading this, but I don't want to cause more trouble for you or let anyone in on my tests and findings, so I have sent a separate email with the full text.

Well, where to start? I tried your site and I could ........ (in separate email)

To start with, you should filter ALL input from outside. ....... (in separate email)

I also could enter ......

Also the likeable content and length of input fields: ......

To sum it up: don't trust ANY input from outside and filter and validate all input and be aware of people who like to spend time to figure out how your email application works, so they can inject pieces of code to find that out.

Then prevent double and more submissions of the same form. Robots tend to do that. Ar least verify that anyone who wants to submit is a real person and not a robot. So use a CAPTCHA for verification!
There are plenty captcha samples around on the web, otherwise ask for it in this forum.

Good luck

Ronald   8)
Link to comment
Share on other sites
kenrbnsn Regular Member

kenrbnsn

Posted
Posted
You should post you're findings here as an example of what can happen with unsecured email scripts. How the spammers are doing this has been public knowledge for at least a year. They hit my sites a year ago in one of the first wave of spam attempts. They are still hitting my sites, but they aren't succeeding.

BTW, don't bother putting out any error messages when you get hit, the hits are usually being done via spambot programs and they don't care about errors.

Ken
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.