[syntax="html"]<form action="" method="get">
<input type="text" name="Name" size="24"><input type="text" name="rating" size="24"><input type="submit" name="submitButtonName">
</form>[/syntax]
[syntax="php"]<?php
if (isset($_GET['submitButtonName'])) {
    // Name and rating are untrusted; in this script they only reach the message body.
    $name   = $_GET['Name'];
    $rating = $_GET['rating'];
    $email  = ''; // add your email here
    $body = <<<BODY
Hello,
$name has submitted a rating of $rating at your site
BODY;
    mail($email, 'You Have Mail!', $body);
}
?>[/syntax]
Moderator note: please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
I used the following code on my site and it was hacked by somebody and was sending 1000s of emails.
[syntax="php"]<?php
// Placeholders: in the real form these two values come from user input.
$name  = "firstname";
$email = "user email";
$header  = "From: $name<$email>\n";
$header .= "Reply-To: $email\n";
$header .= "X-Mailer: PHP/" . phpversion() . "\n";
// $REMOTE_ADDR only exists with register_globals on; read it from $_SERVER instead.
$header .= "X-Sender-IP: " . (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown') . "\n";
$msg     = "Message here";
$subject = "Subject Here";
mail('support@host.com', $subject, $msg, $header);[/syntax]
The vulnerability is in any of the user-entered input. Basically anyone can add headers by using \r\n. Each header in an email is separated by \r\n or %0A, so if they enter an email address followed by \r\n they can add more Bcc: and Cc: addresses, and their spam message gets sent piggyback style.
There are a number of ways to protect yourself...
One is to limit the length of the email field to a reasonable length.
More important is an ereg check for a valid email address. [url]http://www.ilovejackdaniels.com/php/email-address-validation/[/url] shows how excellently. His solution is good. Others on Google are out of date as domains evolve, like .eu, .info etc.
And you can do a str_replace to get rid of unwanted nasties like \r\n, bcc:, cc: etc. I also use the code below to clear rude words from messages people enter... It replaces naughty bits with a #.
All input that could end up as part of a mail() call should be filtered.
[syntax="php"]// $email is the address taken from the form.
// Double quotes matter for the line breaks: in single quotes '\n' and '\r' are the
// two-character strings backslash-n and backslash-r, not line breaks, and never match.
$naughtybits = array('\\', '+', ';', "\n", "\r", '%0A', 'Content-Type:', 'MIME-Version:',
    'Content-Transfer-Encoding:', 'bcc:', 'cc:', 'rude words etc');
// str_ireplace so that 'Bcc:' and 'BCC:' are caught as well as 'bcc:'.
$email = str_ireplace($naughtybits, '#', $email);[/syntax]
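Worked example, added here and not taken from any post in this thread: it shows what a CRLF in a user-supplied address does to a header block built by string concatenation, and a hardened version that rejects such input instead of trying to strip it. Function names, the attacker string and the sample addresses are made up for the demonstration; it assumes PHP 7.1 or later for the nullable return types, and uses filter_var() with FILTER_VALIDATE_EMAIL in place of the ereg check mentioned above (ereg was removed in PHP 7). Nothing is actually sent; the header string is returned so it can be inspected.

```php
<?php
// Added example (not from the original posts). Demonstrates e-mail header
// injection through a From: address and a hardened builder that refuses it.
declare(strict_types=1);

/* Vulnerable: user input concatenated straight into the header block. */
function build_headers_vulnerable(string $name, string $email): string
{
    $header  = "From: $name <$email>\r\n";
    $header .= "Reply-To: $email\r\n";
    return $header;
}

/* Hardened: reject (not strip) anything that can end or split a header line,
   then validate the address. Returns null on bad input so the caller can
   refuse the request rather than send something "cleaned". */
function clean_email(string $email): ?string
{
    $email = trim($email);
    // CR, LF and NUL terminate header lines; the URL-encoded forms are refused
    // too in case a caller passes raw query text instead of decoded values.
    if (preg_match('/[\r\n\0]|%0[aAdD]/', $email)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function clean_name(string $name, int $max = 64): ?string
{
    $name = trim($name);
    // Length limit plus the same line-break check; '<' and '>' are refused so the
    // name cannot close the angle-bracket address that follows it.
    if ($name === '' || strlen($name) > $max || preg_match('/[\r\n\0<>]/', $name)) {
        return null;
    }
    return $name;
}

function build_headers_safe(string $name, string $email): ?string
{
    $name  = clean_name($name);
    $email = clean_email($email);
    if ($name === null || $email === null) {
        return null;
    }
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

// Constructed attacker input: a plausible address followed by CRLF, an extra
// Bcc: header, and a blank line that starts a body of the attacker's choosing.
$attacker = "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net\r\n\r\nBuy now!";

echo "--- vulnerable ---\n";
echo build_headers_vulnerable('Alice', $attacker), "\n";
// The printed block now contains a Bcc: line the site never wrote, followed by
// a blank line and "Buy now!", which the MTA treats as the start of the body.

echo "--- hardened ---\n";
var_dump(build_headers_safe('Alice', $attacker));           // NULL: request rejected
var_dump(build_headers_safe('Alice', 'alice@example.com')); // header string: accepted
```

The point of returning null rather than replacing characters with '#' is that a replaced address still gets mailed; a rejected one does not, and the rejection can be logged as a probe.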
[syntax="html"]<form action="mail.php" method="get">
<input type="text" name="Name" size="24"><input type="text" name="rating" size="24"><input type="submit" name="submitButtonName">
</form>[/syntax]
[syntax="php"]<?php
if (isset($_GET['submitButtonName'])) {
    $name   = $_GET['Name'];
    $rating = $_GET['rating'];
    $email  = 'junk4owen@hotmail.com'; // add your email here
    $body = <<<BODY
Hello,
$name has submitted a rating of $rating at your site
BODY;
    mail($email, 'You Have Mail!', $body);
    // Escape before echoing: $body contains raw user input.
    echo "email sent to $email with contents: " . htmlspecialchars($body);
}
?>[/syntax]
As for avoiding injection, we've had a discussion on it: viewtopic.php?t=44097

Roja wrote:
That's why I generally link to the ValidateEmail function.