Jump to content

simple php contact form leaving trailed code


Go to solution Solved by Jacques1,

Recommended Posts

I have used this same php contact form many times and never had this problem. I just checked it in online php code checker and comes up with no errors but when uploaded to the site and I got to test the form it goes to mysite.com/contact.php stuck on trailing code

 

\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.03" ); header( "Location: $thankyouurl" ); exit ; ?>

 

It has me stumped I can't work it out.

 

The full code is:

<?
/*
    CHFEEDBACK.PHP Feedback Form PHP Script Ver 2.03
   

*/

$mailto = 'contact@gmail.com' ;


$subject = "Contact Form" ;


$formurl = "http://www.mysite.com/contact.html" ;
$errorurl = "http://www.mysite.com/error.html" ;
$thankyouurl = "http://www.mysite.com/thanks.html" ;


$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

if (!isset($_POST['email'])) {
	header( "Location: $formurl" );
	exit ;
}
if (empty($name) || empty($email) || empty($comments)) {
   header( "Location: $errorurl" );
   exit ;
}
if (get_magic_quotes_gpc()) {
	$comments = stripslashes( $comments );
}

$messageproper =

	"This message was sent from:\n" .
	"$http_referrer\n" .
	"------------------------- COMMENTS -------------------------\n\n" .
	$comments .
	"\n\n------------------------------------------------------------\n" ;

mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.03" );
header( "Location: $thankyouurl" );
exit ;

?>

But when I look at the source code in browser I can see all of it is in red except for the last trailing bit which appears in black .

Edited by bmbc

You have opening PHP tags in there for some reason

 

change;

mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.03" );
header( "Location: $thankyouurl" );
exit ;

to something like this;

$headers = "From: $email" . "\r\n" .
"Reply-To: $email" . "\r\n" .
'X-Mailer: chfeedback.php 2.03';

mail($mailto, $subject, $messageproper, $headers);
header( "Location: $thankyouurl" );
exit;
  • Solution

The script allows anybody to use your server as a spam relay. By injecting a BCC header, an attacker can send the e-mail to arbitrary accounts.

 

You may have been lucky so far, but bots regularly scan websites for vulnerabilities like this. And once they find you, your server will quickly be blacklisted, which means you won't be able to send any mails -- your hoster also won't be happy about it.

 

Do not use random scripts you found somewhere on the Internet. You wouldn't download and run arbitrary .exe files on your PC, right? Then why do you download and run arbitrary PHP scripts? That stuff is at least 10 years old, and there's absolutely no reason to believe that it's credible. As we've just found out, it's not.

 

If you want to send e-mails, use an established library like PHPMailer. This will take care of the technical details and make sure you don't end up flooding innocent people with spam. Do not use the mail() function unless you have deep knowledge about the underlying mechanisms and a very good reason why you need low-level access to the raw SMTP message.

Thanks, yes I didn't think it through because I don't obviously write php so I have been using the same script for a long time but actually not for a few years since using cms, then coming back to it was a mistake. I think I will try swiftmailer on my linux server.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.