cinnom

Hardcoding

I guess I could be considered a newbie. I taught myself the basics of php and never really took any formal training or purchased any materials on the subject. Everything I know is learned from the web.

Here is my problem:
Someone used a form on a website I created/maintain to send out spam emails. I received a message from the company I "rent" a virtual dedicated server from last week stating that they have stopped all outgoing email for all domains on the server.
I called them (and after much run-around) and they told me that I needed to hard code my php script in the email headers and mail function. Once that is done I can call them and they will allow me to send emails out.
I draw a blank...I have no idea what hard coding is. They did ask if I copied the php code. I said no, I typed it myself. I have learned everything I know through trial and error mostly and from sample forms/scripts posted on various websites.
I was told that anyone can use my form to send out thousands of emails by inputting them in the $ffEmail input tag on my form and also by interjecting more into the header using BCC:

The Question:
What is hard coding? How will this help stop the malicious script from sending out spam emails? Is there anything further that I can do to stop this from happening?

Here is the complete php code on my verification page:
[code]<?php
//--**--**--\\--**--**--//
//  Defining Variables  //
//--**--**--\\--**--**--//
$Uposition = $_POST['position'];
$UffName = $_POST['ffName'];
$UffEmail = $_POST['ffEmail'];
$UffPhone = $_POST['ffPhone'];
$Ureferrer = $_POST['referrer'];
$Uqualification = $_POST['qualification'];
$Uformat = $_POST['format'];
$sunshineEmail = "webmaster@sunshinedelivers.com";
$error = ""; // collects the validation messages below; initialised so the final check is not comparing against an undefined variable
?>
<?php
//--**--**--\\--**--**--//
//  Setting Up Fields   //
//--**--**--\\--**--**--//
if ($Uposition)
{$position = "$Uposition";}
else
{$error= "   •Please type a position for employment.<br>\n";}
//--**--**--\\--**--**--//
if ($UffName)
{$ffName = "$UffName";}
else
{$error.= "   •Please type your name so we know who to contact.<br>\n";}
//--**--**--\\--**--**--//
if ($UffEmail)
{$ffEmail = "$UffEmail";}
else
{$error.= "   •Please type your email so we can contact you.<br>\n";}
//--**--**--\\--**--**--//
if ($UffPhone)
{$ffPhone = "$UffPhone";}
else
{$error.= "   •Please type your phone number so we can contact you.<br>\n";}
//--**--**--\\--**--**--//
if ($Ureferrer)
{$referrer = "$Ureferrer";}
else
{$error.= "   •Please help us locate our best advertising source by selecting who referred you to our site.<br>\n";}
//--**--**--\\--**--**--//
if ($Uqualification)
{$qualification = "$Uqualification";}
else
{$error.= "   •Please type your qualifications in the specified area.<br>\n";}
//--**--**--\\--**--**--//
?>
<?php
//--**--**--\\--**--**--//
// Confirmation Message //
//--**--**--\\--**--**--//
$confirmation = "Thank you $ffName for your inquiry.<br><br>
You will receive confirmation email shortly at the following email address: $ffEmail.<br><br>
Please allow at least 48 hours for a response.<br><br>
<br><br>Online Services<br>
Sunshine State Messenger Service, Inc.<br>
1-800-327-8520<br>
<a href=\"http://www.sunshinedelivers.com\">Sunshine Delivers</a>
<br><br><br><br>";
$confirmation.= "
<table>
    <tr>
        <td width=\"180\" class=\"Title\"><div align=\"right\" class=\"Title\">
                <div align=\"right\">Position: </div>
        </div></td>
        <td width=\"364\" class=\"bodyCopy\">$position</td>
    </tr>
    <tr>
        <td width=\"180\" class=\"Title\"><div align=\"right\">Your Name:</div></td>
        <td width=\"364\" class=\"bodyCopy\">$ffName</td>
    </tr>
    <tr>
        <td width=\"180\" class=\"Title\"><div align=\"right\">Email Address: </div></td>
        <td width=\"364\" class=\"bodyCopy\">$ffEmail</td>
    </tr>
    <tr>
        <td width=\"180\" class=\"Title\"><div align=\"right\">Phone Number: </div></td>
        <td width=\"364\" class=\"bodyCopy\">$ffPhone</td>
    </tr>
    <tr>
        <td width=\"180\" class=\"Title\"><div align=\"right\">Referrer:</div></td>
        <td width=\"364\" class=\"bodyCopy\">$referrer</td>
    </tr>
    <tr>
        <td width=\"180\" class=\"Title\"><div align=\"right\">Qualifications:</div></td>
        <td width=\"364\" class=\"bodyCopy\">$qualification</td>
    </tr>
</table>
";
//--**--**--\\--**--**--//
$ffHeader = "MIME-Version: 1.0" . "\r\n";
$ffHeader .= "Content-type: text/html; charset=iso-8859-1" . "\r\n";
$ffHeader .= "From: SunshineDelivers.com <auto-relpy@sunshinedelivers.com>" . "\r\n";
$ffHeader .= "Subject: Employment Inquiry: \"" . $position . "\"\r\n";
//--**--**--\\--**--**--//
$sunshineHeader = "MIME-Version: 1.0" . "\r\n";
$sunshineHeader .= "Content-type: text/html; charset=iso-8859-1" . "\r\n";
$sunshineHeader .= "From: \"" .$ffName."\" <".$ffEmail.">" . "\r\n";
$sunshineHeader .= "Subject: Employment Inquiry: \"" . $position . "\"\r\n";
//--**--**--\\--**--**--//
?>
<?php
//--**--**--\\--**--**--//
//    EMAIL MESSAGES    //
//--**--**--\\--**--**--//
if ($Uformat == "html")
{
$ffMessage = "
<html>
    <head>
        <title>Baron Credit Application Results</title>
        <link href=\"http://www.sunshinedelivers.com/templates/sunshine.css\" rel=\"stylesheet\" type=\"text/css\">
    </head>
    <body>
        <table>
            <tr>
                <td width=\"180\" class=\"Title\"><div align=\"right\" class=\"Title\">
                        <div align=\"right\">Position: </div>
                </div></td>
                <td width=\"364\" class=\"bodyCopy\">$position</td>
            </tr>
            <tr>
                <td width=\"180\" class=\"Title\"><div align=\"right\">Your Name:</div></td>
                <td width=\"364\" class=\"bodyCopy\">$ffName</td>
            </tr>
            <tr>
                <td width=\"180\" class=\"Title\"><div align=\"right\">Email Address: </div></td>
                <td width=\"364\" class=\"bodyCopy\">$ffEmail</td>
            </tr>
            <tr>
                <td width=\"180\" class=\"Title\"><div align=\"right\">Phone Number: </div></td>
                <td width=\"364\" class=\"bodyCopy\">$ffPhone</td>
            </tr>
            <tr>
                <td width=\"180\" class=\"Title\"><div align=\"right\">Referrer:</div></td>
                <td width=\"364\" class=\"bodyCopy\">$referrer</td>
            </tr>
            <tr>
                <td width=\"180\" class=\"Title\"><div align=\"right\">Qualifications:</div></td>
                <td width=\"364\" class=\"bodyCopy\">$qualification</td>
            </tr>
        </table>
    </body>
</html>";
}
elseif ($Uformat == "plainText")
{
$ffMessage = "
Position: $position<br><br>
Name: $ffName<br><br>
Email Address: $ffEmail<br><br>
Phone Number: $ffPhone<br><br>
Referrer: $referrer<br><br>
Qualifications: $qualification<br><br>
";
}
//--**--**--\\--**--**--//
$sunshineMessage = "
Position: $position
Name: $ffName
Email Address: $ffEmail
Phone Number: $ffPhone
Referrer: $referrer
Qualifications: $qualification
";
//--**--**--\\--**--**--//
?><?php
//--**--**--\\--**--**--//
//  Sending the Emails  //
//--**--**--\\--**--**--//
//--**--**--\\--**--**--//
if ($error == "")
{
print"$confirmation";
mail($ffEmail,$position,$ffMessage,$ffHeader);
mail($sunshineEmail,$position,$sunshineMessage,$sunshineHeader);
}
else
{
print "Please correct the following errors:<br>\n";
print "$error";
}
?> [/code]
They also said that I shouldn't use post variables in the mail function. I don't know any other way to send an email to the person who filled in the form. Transferring the information from one variable to another will not solve the problem...I just don't get it I guess. Every sample form I have ever seen or any tutorial I read has used variables in the mail function.

Could anyone shine some light on the situation?

Your hosts don't know what they are talking about when they say you have to hardcode the mail.

What you have to do is validate the contents of any POSTed variable that is being returned from the form and is used to create part of the email header. There are malicious people who have been exploiting PHP mail forms since last summer to (attempt to) send spam. They screen scrape your form and then use a program to try to break your form. They fill each field with either an email address or a string that will inject a MIME content-type header and a BCC into your email message.

I've been successfully thwarting these attempts by using the following code:
[code]<?php
    // Scan every posted field for an injected MIME header before anything is mailed.
    // stristr() is already case-insensitive, so no strtolower() is needed; the
    // is_string() guard skips array fields (checkbox groups), which stristr() rejects.
    foreach ($_POST as $k => $v) {
        if (is_string($v) && stristr($v, 'content-type:') !== false) {
//
//   send a tracking email back to your self giving details of the attempt
//
            exit();
        }
    }
?>[/code]

Ken


Thanks so much. I knew that it was impossible to hardcode an email address that varies every time a new form is filled out and submitted. They finally sent me a script that they require to unlock my outgoing mail server. It is in place and works great actually.

Your script is much simpler and easier for me to understand.

I saw a post where you were talking about PHP form spam. Can you explain your code to me a little bit more? I am new to PHP.


[code]<?php
    if (isset($_POST))
        foreach($_POST as $k=>$v)
            if (stristr(strtolower($v),'content-type:')) {
//
// send a tracking email back to your self giving details of the attempt
//
                exit();
            }
?>[/code]




-------- Here is the code I am currently using --------



[code]<?php

// Form fields: the original relied on register_globals to populate these, so they
// are read from $_POST explicitly here (the input names are assumed to match the variables)
$name         = $_POST['name'] ?? '';
$emailAddress = $_POST['emailAddress'] ?? '';
$phone        = $_POST['phone'] ?? '';
$message      = $_POST['message'] ?? '';

$msg = "My Website Online Contact Submission\n";

$msg .= "Name: $name\n";
$msg .= "Email: $emailAddress\n\n";
$msg .= "Phone: $phone\n\n";
$msg .= "Comments: $message\n\n";


$to = "me@mydomain.com";
$subject = "CONTACT FROM WEBSITE";
$mailheaders = "From: Website Submission Form <$emailAddress>\n";
// single newline: a blank line here ends the header block; the original also referenced an undefined $Email_Address
$mailheaders .= "Reply-To: <$emailAddress>\n";
// Mail to address
mail ( $to, $subject, $msg, $mailheaders );

?>[/code]

This code is looking for the text "content-type:" inside any of the posted variables from your form; if it finds it, it is most likely that someone is trying to spam through your script.

[code]
<?php

// Form fields (the original relied on register_globals; the input names are assumed)
$name         = $_POST['name'] ?? '';
$emailAddress = $_POST['emailAddress'] ?? '';
$phone        = $_POST['phone'] ?? '';
$message      = $_POST['message'] ?? '';

// Check every posted field first. The send happens once, after the whole scan
// passes: with the send in an else branch inside the loop (as originally posted)
// the script mailed once per clean field, and had already sent before a later
// field was found to be poisoned.
foreach ($_POST as $k => $v)
{
    if (is_string($v) && stristr($v, 'content-type:') !== false)
    {
        // spam attempt detected, mission aborted

        exit(); // abort
    }
}

$msg = "My Website Online Contact Submission\n";

$msg .= "Name: $name\n";
$msg .= "Email: $emailAddress\n\n";
$msg .= "Phone: $phone\n\n";
$msg .= "Comments: $message\n\n";

$to = "me@mydomain.com";
$subject = "CONTACT FROM WEBSITE";
$mailheaders = "From: Website Submission Form <$emailAddress>\n";
$mailheaders .= "Reply-To: <$emailAddress>\n"; // single newline: a blank line here ends the header block
// Mail to address
mail ( $to, $subject, $msg, $mailheaders );

?>
[/code]
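A hardened version of the form handler, as an added example that is not code from the thread or from any of its posters. It carries the point of Ken's reply and of the check in the post above one step further: any field containing a line break is rejected (a match on "content-type:" alone misses an injected Bcc: line, and the line break is what makes any injection work), the address is validated with filter_var(), and the From: and To: addresses are fixed constants, which is what the host's "hard code" advice amounts to; the visitor's address goes only into Reply-To. The addresses, field names and sample submissions are constructed for the demonstration, and mail() is replaced by a recording callback so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Addresses, field names and the
// sample submissions below are made up for the demonstration.

// The only addresses that ever appear in From: and To: are these fixed ones;
// the visitor's address goes in Reply-To, never in From.
const SITE_TO   = 'webmaster@example.com';
const SITE_FROM = 'no-reply@example.com';

/**
 * True when $value could add or alter a mail header. A CR or LF starts a new
 * header line, which is what makes "Bcc:" or "Content-Type:" injection work,
 * so the line break is the decisive check; the header-name match is a second
 * net for probe strings whose line breaks were stripped upstream.
 */
function looks_like_header_injection(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return true;
    }
    return preg_match('/^\s*(bcc|cc|from|content-type|mime-version)\s*:/i', $value) === 1;
}

/** Returns [$cleanFields, $errorMessages]; $errorMessages is empty when the submission is acceptable. */
function validate(array $post): array
{
    $clean  = [];
    $errors = [];
    foreach (['position', 'ffName', 'ffEmail', 'ffPhone', 'qualification'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "missing field: $field";
        } elseif (looks_like_header_injection($value)) {
            $errors[] = "header injection in field: $field";
        } else {
            $clean[$field] = trim($value);
        }
    }
    if (isset($clean['ffEmail']) && filter_var($clean['ffEmail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email address';
    }
    return [$clean, $errors];
}

/** Builds the two messages (site notification, visitor confirmation) from validated fields only. */
function build_messages(array $clean): array
{
    // Subject is a fixed prefix plus the validated, length-capped position.
    $subject = 'Employment Inquiry: ' . substr($clean['position'], 0, 80);
    $details = "Position: {$clean['position']}\r\nName: {$clean['ffName']}\r\n"
             . "Email: {$clean['ffEmail']}\r\nPhone: {$clean['ffPhone']}\r\n"
             . "Qualifications: {$clean['qualification']}\r\n";
    $common  = 'Content-Type: text/plain; charset=UTF-8';

    return [
        [SITE_TO, $subject, $details,
         implode("\r\n", ['From: ' . SITE_FROM, 'Reply-To: ' . $clean['ffEmail'], $common])],
        [$clean['ffEmail'], $subject, "Thank you {$clean['ffName']}, we received your inquiry.\r\n",
         implode("\r\n", ['From: ' . SITE_FROM, $common])],
    ];
}

/**
 * $mailer has mail()'s signature; pass 'mail' in production. Returns the list
 * of error messages, empty when both messages were handed to $mailer.
 */
function handle_submission(array $post, callable $mailer): array
{
    [$clean, $errors] = validate($post);
    if ($errors !== []) {
        return $errors;
    }
    foreach (build_messages($clean) as [$to, $subject, $body, $headers]) {
        $mailer($to, $subject, $body, $headers);
    }
    return [];
}

// Constructed sample submissions: one genuine, two of the kind the spam tools send.
$samples = [
    'genuine'        => ['position' => 'Courier', 'ffName' => 'Jane Doe', 'ffEmail' => 'jane@example.org',
                         'ffPhone' => '555-0100', 'qualification' => 'Clean driving record'],
    'bcc_injection'  => ['position' => 'Courier', 'ffName' => 'x', 'ffPhone' => 'x', 'qualification' => 'x',
                         'ffEmail' => "jane@example.org\r\nBcc: victim1@example.net, victim2@example.net"],
    'mime_injection' => ['position' => "Courier\nContent-Type: multipart/mixed; boundary=\"zz\"\n\n--zz\n",
                         'ffName' => 'x', 'ffEmail' => 'jane@example.org', 'ffPhone' => 'x', 'qualification' => 'x'],
];

$sent = [];
$recordingMailer = function (string $to, string $subject, string $body, string $headers) use (&$sent): bool {
    $sent[] = $to;   // stand-in for mail(): records the recipient instead of sending
    return true;
};

foreach ($samples as $label => $post) {
    $errors = handle_submission($post, $recordingMailer);
    printf("%-15s %s\n", $label, $errors === [] ? 'sent' : 'rejected (' . implode('; ', $errors) . ')');
}
// $sent ends up holding exactly two recipients, both from the genuine submission.
```

The recording callback is only there so the script can be run without a mail server; in production pass `'mail'` as the second argument of `handle_submission()`. Note that the confirmation to the visitor is still a message to an address the visitor typed, so it should stay short and contain nothing the visitor controls beyond their own name, otherwise the form remains a way to relay arbitrary text to arbitrary addresses even with the headers locked down.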
