Hardcoding


4 replies to this topic

#1 cinnom
  • New Members
  • Newbie
  • 2 posts

Posted 09 February 2006 - 07:52 PM

I guess I could be considered a newbie. I taught myself the basics of php and never really took any formal training or purchased any materials on the subject. Everything I know is learned from the web.

Here is my problem:
Someone used a form on a website I created/maintain to send out spam emails. I received a message from the company I "rent" a virtual dedicated server from last week stating that they have stopped all outgoing email for all domains on the server.
I called them (and after much run-around) and they told me that I needed to hard code my php script in the email headers and mail function. Once that is done I can call them and they will allow me to send emails out.
I draw a blank...I have no idea what hard coding is. They did ask if I copied the php code. I said no, I typed it myself. I have learned everything I know through trial and error mostly and from sample forms/scripts posted on various websites.
I was told that anyone can use my form to send out thousands of emails by inputting them in the $ffEmail input tag on my form and also by interjecting more into the header using BCC:

The Question:
What is hard coding? How will this help stop the malicious script from sending out spam emails? Is there anything further that I can do to stop this from happening?

Here is the complete php code on my verification page:
<?php 
//--**--**--\\--**--**--// 
//  Defining Variables  // 
//--**--**--\\--**--**--// 
$Uposition = $_POST['position']; 
$UffName = $_POST['ffName']; 
$UffEmail = $_POST['ffEmail']; 
$UffPhone = $_POST['ffPhone']; 
$Ureferrer = $_POST['referrer']; 
$Uqualification = $_POST['qualification']; 
$Uformat = $_POST['format']; 
$sunshineEmail = "webmaster@sunshinedelivers.com"; 
$error = ""; // collects the validation messages so the check below never reads an undefined variable 
?> 
<?php 
//--**--**--\\--**--**--// 
//  Setting Up Fields   // 
//--**--**--\\--**--**--// 
if ($Uposition) 
{$position = "$Uposition";} 
else 
{$error= "   •Please type a position for employment.<br>\n";} 
//--**--**--\\--**--**--// 
if ($UffName) 
{$ffName = "$UffName";} 
else 
{$error.= "   •Please type your name so we know who to contact.<br>\n";} 
//--**--**--\\--**--**--// 
if ($UffEmail) 
{$ffEmail = "$UffEmail";} 
else 
{$error.= "   •Please type your email so we can contact you.<br>\n";} 
//--**--**--\\--**--**--// 
if ($UffPhone) 
{$ffPhone = "$UffPhone";} 
else 
{$error.= "   •Please type your phone number so we can contact you.<br>\n";} 
//--**--**--\\--**--**--// 
if ($Ureferrer) 
{$referrer = "$Ureferrer";} 
else 
{$error.= "   •Please help us locate our best advertising source by selecting who referred you to our site.<br>\n";} 
//--**--**--\\--**--**--// 
if ($Uqualification) 
{$qualification = "$Uqualification";} 
else 
{$error.= "   •Please type your qualifications in the specified area.<br>\n";} 
//--**--**--\\--**--**--// 
?> 
<?php 
//--**--**--\\--**--**--// 
// Confirmation Message // 
//--**--**--\\--**--**--// 
$confirmation = "Thank you $ffName for your inquiry.<br><br> 
You will receive confirmation email shortly at the following email address: $ffEmail.<br><br> 
Please allow at least 48 hours for a response.<br><br> 
<br><br>Online Services<br> 
Sunshine State Messenger Service, Inc.<br> 
1-800-327-8520<br> 
<a href=\"http://www.sunshinedelivers.com\">Sunshine Delivers</a> 
<br><br><br><br>"; 
$confirmation.= " 
 <table> 
    <tr> 
        <td width=\"180\" class=\"Title\"><div align=\"right\" class=\"Title\"> 
                <div align=\"right\">Position: </div> 
        </div></td> 
        <td width=\"364\" class=\"bodyCopy\">$position</td> 
    </tr> 
    <tr> 
        <td width=\"180\" class=\"Title\"><div align=\"right\">Your Name:</div></td> 
        <td width=\"364\" class=\"bodyCopy\">$ffName</td> 
    </tr> 
    <tr> 
        <td width=\"180\" class=\"Title\"><div align=\"right\">Email Address: </div></td> 
        <td width=\"364\" class=\"bodyCopy\">$ffEmail</td> 
    </tr> 
    <tr> 
        <td width=\"180\" class=\"Title\"><div align=\"right\">Phone Number: </div></td> 
        <td width=\"364\" class=\"bodyCopy\">$ffPhone</td> 
    </tr> 
    <tr> 
        <td width=\"180\" class=\"Title\"><div align=\"right\">Referrer:</div></td> 
        <td width=\"364\" class=\"bodyCopy\">$referrer</td> 
    </tr> 
    <tr> 
        <td width=\"180\" class=\"Title\"><div align=\"right\">Qualifications:</div></td> 
        <td width=\"364\" class=\"bodyCopy\">$qualification</td> 
    </tr> 
</table> 
"; 
//--**--**--\\--**--**--// 
$ffHeader = "MIME-Version: 1.0" . "\r\n"; 
$ffHeader .= "Content-type: text/html; charset=iso-8859-1" . "\r\n"; 
$ffHeader .= "From: SunshineDelivers.com <auto-relpy@sunshinedelivers.com>" . "\r\n"; 
$ffHeader .= "Subject: Employment Inquiry:\"" .$position."" . "\r\n"; 
//--**--**--\\--**--**--// 
$sunshineHeader = "MIME-Version: 1.0" . "\r\n"; 
$sunshineHeader .= "Content-type: text/html; charset=iso-8859-1" . "\r\n"; 
$sunshineHeader .= "From: \"" .$ffName."\" <".$ffEmail.">" . "\r\n"; 
$sunshineHeader .= "Subject: Employment Inquiry\"" .$position."" . "\r\n"; 
//--**--**--\\--**--**--// 
?> 
<?php 
//--**--**--\\--**--**--// 
//    EMAIL MESSAGES    // 
//--**--**--\\--**--**--// 
if ($Uformat == 'html') // the format value must be quoted, or PHP treats html as an undefined constant 
{ 
$ffMessage = " 
<html> 
    <head> 
        <title>Baron Credit Application Results</title> 
        <link href=\"http://www.sunshinedelivers.com/templates/sunshine.css\" rel=\"stylesheet\" type=\"text/css\"> 
    </head> 
    <body> 
        <table> 
            <tr> 
                <td width=\"180\" class=\"Title\"><div align=\"right\" class=\"Title\"> 
                        <div align=\"right\">Position: </div> 
                </div></td> 
                <td width=\"364\" class=\"bodyCopy\">$position</td> 
            </tr> 
            <tr> 
                <td width=\"180\" class=\"Title\"><div align=\"right\">Your Name:</div></td> 
                <td width=\"364\" class=\"bodyCopy\">$ffName</td> 
            </tr> 
            <tr> 
                <td width=\"180\" class=\"Title\"><div align=\"right\">Email Address: </div></td> 
                <td width=\"364\" class=\"bodyCopy\">$ffEmail</td> 
            </tr> 
            <tr> 
                <td width=\"180\" class=\"Title\"><div align=\"right\">Phone Number: </div></td> 
                <td width=\"364\" class=\"bodyCopy\">$ffPhone</td> 
            </tr> 
            <tr> 
                <td width=\"180\" class=\"Title\"><div align=\"right\">Referrer:</div></td> 
                <td width=\"364\" class=\"bodyCopy\">$referrer</td> 
            </tr> 
            <tr> 
                <td width=\"180\" class=\"Title\"><div align=\"right\">Qualifications:</div></td> 
                <td width=\"364\" class=\"bodyCopy\">$qualification</td> 
            </tr> 
        </table> 
    </body> 
</html>"; 
} 
elseif ($Uformat == 'plainText') 
{ 
$ffMessage = " 
Position: $position<br><br> 
Name: $ffName<br><br> 
Email Address: $ffEmail<br><br> 
Phone Number: $ffPhone<br><br> 
Referrer: $referrer<br><br> 
Qualifications: $qualification<br><br> 
"; 
} 
//--**--**--\\--**--**--// 
$sunshineMessage = " 
Position: $position 
Name: $ffName 
Email Address: $ffEmail 
Phone Number: $ffPhone 
Referrer: $referrer 
Qualifications: $qualification 
"; 
//--**--**--\\--**--**--// 
?><?php 
//--**--**--\\--**--**--// 
//  Sending the Emails  // 
//--**--**--\\--**--**--// 
//--**--**--\\--**--**--// 
if ($error == "") 
{ 
print"$confirmation"; 
mail($ffEmail,$position,$ffMessage,$ffHeader); 
mail($sunshineEmail,$position,$sunshineMessage,$sunshineHeader); 
} 
else 
{ 
print "Please correct the following errors:<br>\n"; 
print "$error"; 
} 
?>
They also said that I shouldn't use post variables in the mail function. I don't know any other way to send an email to the person who filled in the form. Transferring the information from one variable to another will not solve the problem...I just don't get it I guess. Every sample form I have ever seen or any tutorial I read has used variables in the mail function.

Could anyone shine some light on the situation?

#2 kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 09 February 2006 - 09:04 PM

Your hosts don't know what they are talking about when they say you have to hardcode the mail.

What you have to do is validate the contents of any POSTed variable that is being returned from the form and is used to create part of the email header. There are malicious people who have been exploiting PHP mail forms since last summer to (attempt) to send spam. They screen scrape your form and then use a program to try to break your form. They fill each field with either an email address or a string that will inject a MIME content-type header and a BCC into your email message.

I've been successfully thwarting these attempts by using the following code:
<?php
    if (isset($_POST)) {
        foreach ($_POST as $k => $v) {
            if (stristr(strtolower($v), 'content-type:')) {
                //
                //   send a tracking email back to your self giving details of the attempt
                //
                exit();
            }
        }
    }
?>

Ken
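A fuller version of the check Ken describes, applied to a form like cinnom's, as an added example that is not code from either post (PHP 7.1 or later; the field names, the function names and the site address are assumptions). Every value that ends up in a header must be a single line and the visitor's address must validate; From: is fixed to an address on your own domain, and the visitor's address appears only in Reply-To.

```php
<?php
// Added example, not from the thread; field and function names are assumed.
// True if $value could break out of a single mail header line.
function unsafe_for_header(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Ken's "content-type:" test, widened to Bcc:/Cc: at the start of any line.
// Returns the name of the first field carrying such a marker, or null.
function injection_marker(array $fields): ?string
{
    foreach ($fields as $name => $value) {
        if (!is_array($value)
            && preg_match('/^\s*(content-type|bcc|cc)\s*:/im', (string) $value)) {
            return (string) $name;
        }
    }
    return null;
}

// Sends the notification, or logs the rejected submission and returns false.
function send_contact(array $post, string $siteAddress): bool
{
    $name  = trim((string) ($post['name'] ?? ''));
    $email = trim((string) ($post['email'] ?? ''));
    $body  = (string) ($post['message'] ?? '');   // body may span lines, headers may not

    if (unsafe_for_header($name) || unsafe_for_header($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || ($hit = injection_marker($post)) !== null) {
        error_log('contact form rejected, field=' . ($hit ?? 'name/email')
            . ' ip=' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }

    // From: is fixed to your own domain; the visitor's address is used only in
    // Reply-To, and only after it passed the checks above.
    $headers = "From: Website Form <$siteAddress>\r\n"
             . "Reply-To: $email\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $msg = "Name: $name\nEmail: $email\n\n$body";
    return mail($siteAddress, 'Contact from website', $msg, $headers);
}

// Constructed submission with a Bcc line smuggled into the email field:
// send_contact() refuses it and logs the rejection instead of sending.
$sample = ['name' => 'Jane', 'email' => "jane@example.com\r\nBcc: x@example.net", 'message' => "Hi"];
var_dump(send_contact($sample, 'webmaster@example.com'));
```

The marker test is a heuristic for logging; the single-line check on header fields and the address validation are what actually keep injected headers out of the message.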




#3 cinnom
  • New Members
  • Newbie
  • 2 posts

Posted 10 February 2006 - 04:51 PM

Thanks so much. I knew that it was impossible to hardcode an email address that varies every time a new form is filled out and submitted. They finally sent me a script that they require to unlock my outgoing mail server. It is in place and works great actually.

Your script is much simpler and easier for me to understand.

#4 redgtsviper
  • Members
  • Member
  • 19 posts

Posted 26 February 2006 - 04:23 PM

I saw a post where you were talking about php form spam. Can you explain your code to me a little bit more? I am new to php.


<?php
if (isset($_POST)) {
    foreach ($_POST as $k => $v) {
        if (stristr(strtolower($v), 'content-type:')) {
            //
            // send a tracking email back to your self giving details of the attempt
            //
            exit();
        }
    }
}
?>




-------- Here is the code I am currently using --------



<?php

// read the form fields explicitly instead of relying on register_globals
$name         = isset($_POST['name']) ? $_POST['name'] : '';
$emailAddress = isset($_POST['emailAddress']) ? $_POST['emailAddress'] : '';
$phone        = isset($_POST['phone']) ? $_POST['phone'] : '';
$message      = isset($_POST['message']) ? $_POST['message'] : '';

$msg = "My Website Online Contact Submission\n";

$msg .= "Name: $name\n";
$msg .= "Email: $emailAddress\n\n";
$msg .= "Phone: $phone\n\n";
$msg .= "Comments: $message\n\n";

$to = "me@mydomain.com";
$subject = "CONTACT FROM WEBSITE";
// the submitted address goes straight into the header block; this is the
// value a header-injection attempt targets, so it must be checked first
$mailheaders = "From: Website Submission Form <$emailAddress>\n";
$mailheaders .= "Reply-To:$Email_Address <$emailAddress>\n\n";
// Mail to address
mail ( $to, $subject, $msg, $mailheaders );

?>

#5 alpine
  • Members
  • Advanced Member
  • 756 posts
  • Location: Norway

Posted 28 March 2006 - 07:08 AM

This code looks for the text "content-type:" inside any of the posted variables from your form; if it finds it, it is most likely that someone is trying to spam through your script.

<?php

if (isset($_POST))
{
    // check every posted field first; stop as soon as one looks like a spam attempt
    foreach ($_POST as $k => $v)
    {
        if (stristr(strtolower($v), 'content-type:'))
        {
            // spam attempt detected, mission aborted
            exit(); // abort
        }
    }

    // no field tripped the check, so build and send the message once
    // (fields are read explicitly instead of relying on register_globals)
    $name         = isset($_POST['name']) ? $_POST['name'] : '';
    $emailAddress = isset($_POST['emailAddress']) ? $_POST['emailAddress'] : '';
    $phone        = isset($_POST['phone']) ? $_POST['phone'] : '';
    $message      = isset($_POST['message']) ? $_POST['message'] : '';

    $msg = "My Website Online Contact Submission\n";

    $msg .= "Name: $name\n";
    $msg .= "Email: $emailAddress\n\n";
    $msg .= "Phone: $phone\n\n";
    $msg .= "Comments: $message\n\n";

    $to = "me@mydomain.com";
    $subject = "CONTACT FROM WEBSITE";
    $mailheaders = "From: Website Submission Form <$emailAddress>\n";
    $mailheaders .= "Reply-To:$Email_Address <$emailAddress>\n\n";
    // Mail to address
    mail ( $to, $subject, $msg, $mailheaders );
}

?>

