Jump to content

HELP:: need help stopping PHP mail INJECTIONS

pauld_82

By pauld_82
in PHP Coding Help

 Share

Recommended Posts

pauld_82 Newbie

pauld_82

Posted
Posted
Hi guys,

The other day I was hacked by a 'Injection Bot' on my webserver.

Now I'm receiving about 1000 emails of 'mail subsystem returns' every day from 'aol.com'

Can anyone help me make my PHP mail file more secure?

[code]<?php
//block spam security script
foreach( $_POST as $value ){
      if(strpos($value,'Content-Type:') !== FALSE ){
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']);
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt");
      }
    }
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: $_POST[email]";
//send the mail
mail($recipient, $subject, $msg, $mailheaders);

$URL="http://www.mysite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting My Site</title>
<head></head>
<body>
</body>
</html>    [/code]
wickning1 Newbie

wickning1

Posted
Posted
Validate $_POST['email'] to make sure it is a single, valid email address (instead of an injection attack, probably containing thousands of email addresses).

This isn't the greatest around but it will work for your purpose. You can look around for a better solution.

[code]function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
[/code]
pauld_82 Newbie

pauld_82

Posted
  • Author
Posted
Hi wickning1

Thanks for your reply, much appreciated!

Do I add this code to the top of my exisiting PHP file?

OR

Do I have to call it somehow?

Here is my new code (it works so I'm hoping that the SPAM stops, comes every 24hours so I will keep you posted I guess, can you tell from looking at the script whether it will work?)

[code]
<?php
//block spam security script
foreach( $_POST as $value ){
      if(strpos($value,'Content-Type:') !== FALSE ){
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']);
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt");
      }
    }
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The my Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: ".addslashes($_POST['email']);
//check the email
function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
//send the mail
mail($recipient, $subject, $msg, $mailheaders);
//redirect page
$URL="http://www.mysite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting mysite</title>
<head></head>
<body>
</body>
</html>    [/code]
pauld_82 Newbie

pauld_82

Posted
  • Author
Posted
Ok so will this work?

[code]<?php
// start the god damn session
session_start(); // starts the session. Must be at the start of the page
if ($_SESSION[submitted] == 3){ // put whatever number you want here
redirect to error page (use meta-refresh)}
else{
$_SESSION[submitted] = $_SESSION[submitted] + 1; //increment the submit counter
}
//block spam security script
foreach( $_POST as $value ){
      if(strpos($value,'Content-Type:') !== FALSE ){
        mail('webmaster@scriptsforyou.net','Spammer Bot Attempt on form.php',$_SERVER['REMOTE_ADDR']);
         exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded. Spam bot attempt");
      }
    }
//start building the mail string
$msg = "<p><strong>First Name:</strong> $_POST[firstname]</p>";
$msg .= "<p><strong>Surname:</strong> $_POST[surname]</p>";
$msg .= "<p><strong>Phone:</strong> $_POST[phone]</p>";
$msg .= "<p><strong>E-Mail:</strong> $_POST[email]</p>";
$msg .= "<p><strong>Enquiry Type:</strong> $_POST[enquirytype]</p>";
$msg .= "<p><strong>Message:</strong> $_POST[enquiry]</p>";
$msg .= "<p><strong>Where did you find us?</strong> $_POST[findus]</p>";
//error checking
if (!checkemail($_GET[email])){
$error_msg = "error";
}else if(empty($_GET[firstname])){
$error_msg = "error";
}else if(empty($_GET[surname])){
$error_msg = "error";
}else if(empty($_GET[email])){
$error_msg = "error";
}else if(empty($_GET[enquirytype])){
$error_msg = "error";
}else if(empty($_GET[enquiry])){
$error_msg = "error";
}else if(empty($_GET[findus])){
$error_msg = "error";
}
//error checking
if (!empty($error_msg)){
then it means there is an error in the form
take them back to the form with the error message displayed.
}
//set up the mail
$recipient = "me@mysite.com.au";
$subject = "Contact Form Submission Results";
$mailheaders = "MIME-Version: 1.0\r\n";
$mailheaders .= "Content-type: text/html; charset=ISO-8859-1\r\n";
$mailheaders .= "From: The Web Site <me@mysite.com.au> \n";
$mailheaders .= "Reply-To: ".addslashes($_POST['email']);
//check the email
function  checkEmail($email) {
if (!preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)) {
  return false;
}
return true;
}
//send the mail
mail($recipient, $subject, $msg, $mailheaders);
//redirect page
$URL="http://www.thesite.com.au/contactus_thanks.html";
header ("Location: $URL");
?>
<html>
<title>Thanks for contacting the website</title>
<head></head>
<body>
</body>
</html>[/code]
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.