Thread: Abuse of a PHP contact script

  1. #1
    Join Date
    Dec 2006
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Abuse of a PHP contact script

    Hi -

    I have had a message today from my hosting company to tell me that one of the sites on my hosting account is having its PHP code abused. Apparently someone is manipulating the PHP code from the contact form to allow them to add Bcc addresses.

    Any ideas on what I need to do to close this loophole?

    Thanks.

  2. #2
    Join Date
    Aug 2004
    Posts
    10,143
    Thanks
    3
    Thanked 1,008 Times in 993 Posts
    Blog Entries
    16


    A good PHP contact form script will have a referrer check built in to ensure that only authorized domains (i.e. your own) are allowed to use the script. Furthermore, the target email(s) to send the form to should always be defined inside the PHP script, not in the form in the HTML of the page, where spammers can easily manipulate them. My advice is just to ditch your current contact script and research one that's more secure.

  3. #3
    Join Date
    Apr 2006
    Posts
    205
    Thanks
    11
    Thanked 0 Times in 0 Posts


    I don't know much about PHP but I read something about securing against this exact thing the other day.

    If you like I'll try to track down the code.

    It's basically something along the lines of an if/else statement that checks if the value of the email address has "to:", "cc:" or "bcc" inside it. If it does, you echo that it's an invalid email address; else you go ahead with sending the mail.

    I hope this helps.

  4. #4
    Join Date
    Apr 2006
    Posts
    205
    Thanks
    11
    Thanked 0 Times in 0 Posts


    Found the code:

    PHP Code:
    <?php
    // Returns TRUE when the field contains a header keyword ("to:", "cc:", "bcc:"),
    // which indicates an attempt to inject extra mail headers through the form.
    function spamcheck($field)
    {
        // The original used eregi(), which was removed in PHP 7; stripos() performs
        // the same case-insensitive substring match and works on current PHP.
        if (stripos($field, "to:") !== false
            || stripos($field, "cc:") !== false
            || stripos($field, "bcc:") !== false) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

    // check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == TRUE) {
        echo "Invalid input";
    } else {
        // send email
    }
    I hope that helps! Let me know if you have any problems.
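The following handler, added here as an example and not code posted by anyone in the thread, combines the advice above: the recipient is fixed inside the script and the request is checked against an allowed-domain list (post #2), and every value that ends up in a mail header is checked for injected header keywords (posts #3 and #4). It goes one step further than the keyword check by rejecting any carriage return or line feed in those fields, since a line break is what actually lets a submitted address turn into an extra `Bcc:` header. The host names, the recipient address, and the form field names (`name`, `email`, `message`) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Recipient is fixed in the script, never read from the submitted form.
const CONTACT_RECIPIENT = 'contact@example.com';     // placeholder address

// Hosts allowed to submit the form; used for the Origin/Referer check.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];   // assumed values

// True if the request claims to come from one of the allowed hosts.
// Origin and Referer are client-supplied headers and can be forged, so this
// only turns away casual abuse; the field checks below are the real defence.
function referrerAllowed(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host   = parse_url($source, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_HOSTS, true);
}

// True if a value destined for a mail header is free of line breaks and of
// header keywords. CR/LF/NUL is rejected first: without a line break no new
// header can be started, whatever keywords the value contains.
function headerValueIsSafe(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return false;
    }
    // keyword check in the spirit of post #4, case-insensitive
    if (preg_match('/\b(to|cc|bcc|content-type|mime-version):/i', $value) === 1) {
        return false;
    }
    return true;
}

// Validates the submission and sends the mail; returns a message for the user.
function handleContactForm(array $post, array $server): string
{
    if (!referrerAllowed($server)) {
        return 'Form submitted from an unauthorised site.';
    }

    $name  = trim($post['name'] ?? '');
    $email = trim($post['email'] ?? '');
    $body  = trim($post['message'] ?? '');

    // FILTER_VALIDATE_EMAIL accepts only a single well-formed address, which
    // already excludes newlines; headerValueIsSafe() is kept as a second check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || !headerValueIsSafe($email)) {
        return 'Invalid email address.';
    }
    if ($name === '' || !headerValueIsSafe($name)) {
        return 'Invalid name.';
    }
    if ($body === '') {
        return 'Message is empty.';
    }

    // The visitor's address goes in Reply-To only; From stays a fixed local
    // address so the server never sends with a sender chosen by the visitor.
    $headers = "From: webform@example.com\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "X-Mailer: PHP/" . PHP_VERSION;

    $subject = 'Website contact form';   // fixed subject, not user-controlled
    $text    = "Name: $name\nEmail: $email\n\n$body";   // body may contain newlines

    if (!mail(CONTACT_RECIPIENT, $subject, $text, $headers)) {
        return 'Mail could not be sent.';
    }
    return 'Thank you, your message has been sent.';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo htmlspecialchars(handleContactForm($_POST, $_SERVER), ENT_QUOTES, 'UTF-8');
}
```

The message body is deliberately not passed through `headerValueIsSafe()`: line breaks there are harmless because the body is never part of the header block, and rejecting them would break ordinary multi-line messages. Only the values that are concatenated into `$headers` (and the subject, which is fixed here) need the header checks.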
