Contact Form Hacked

iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

EDIT: This is the new file with the below suggestions implemented. The host of the site still believes this is unsafe. Sorry for being a pain, but is there anything else I can do to make it more secure? You don't have to type out the code if you don't want to, just some keywords would be fine so I can look it up.

Also, the process is on a separate page to the form, if that matters (security-wise).

Thanks.


```php
<?php
// Processing page for the contact form (the form itself is on a separate page).
// Initialise every field from the POST data so nothing is used before it is defined.
$name    = isset($_POST["name"])    ? $_POST["name"]    : "";
$email   = isset($_POST["email"])   ? $_POST["email"]   : "";
$phone   = isset($_POST["phone"])   ? $_POST["phone"]   : "";
$fax     = isset($_POST["fax"])     ? $_POST["fax"]     : "";
$message = isset($_POST["message"]) ? $_POST["message"] : "";

// Same address pattern as before, moved from eregi() to preg_match() with the
// /i modifier (eregi() no longer exists in current PHP).
$emailPattern = "/^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i";

$error = "";
if ($name == "") { $error .= "<b>You need to enter your Name so we know who to contact</b><br>"; }
if ($email == "" && $phone == "") { $error .= "<b>You need to enter a contact method so that we can contact you</b><br>"; }
// Only check the address format when one was supplied; phone alone is accepted above.
if ($email != "" && ! preg_match($emailPattern, $email)) { $error .= "Invalid Email Address<br>"; }
// Reject line breaks, quotes, backslashes and angle brackets in every field, since
// these are the characters that let a value break out of a mail header line.
if ( preg_match("/[\r\n\"\\\\<>]/", $name) )    { $error .= "Invalid Characters in Name Field<br>"; }
if ( preg_match("/[\r\n\"\\\\<>]/", $email) )   { $error .= "Invalid Characters in Email Field<br>"; }
if ( preg_match("/[\r\n\"\\\\<>]/", $phone) )   { $error .= "Invalid Characters in Phone Field<br>"; }
if ( preg_match("/[\r\n\"\\\\<>]/", $fax) )     { $error .= "Invalid Characters in Fax Field<br>"; }
if ( preg_match("/[\r\n\"\\\\<>]/", $message) ) { $error .= "Invalid Characters in Message Field<br>"; }

if ($error == "") {
    //send email to IND Lending
    // stripslashes() undoes magic_quotes_gpc escaping on old PHP setups.
    $name    = stripslashes($name);
    $email   = stripslashes($email);
    $phone   = stripslashes($phone);
    $fax     = stripslashes($fax);
    $message = stripslashes($message);

    $mailtoOBone = "scott@indlending.com.au";
    $mailmsg = "--- Below are details submitted via the IND Lending Contact Form ---\n\nName: $name\nEmail Address: $email\nPhone No.: $phone\nFax No.: $fax\n\nEnquiry:\n$message\n\n--- End of Details ---\n";
    if ($email == "") {
        $email = "no-email-given@indlending.com.au";
        $subject = "Contact Form Details - DO NOT REPLY";
    } else {
        $subject = "Contact Form Details";
    }

    $from = "From: \"$name\" <$email>";

    // Sanity-check the hardcoded recipient and only send when it passes
    // (the earlier version appended the error but called mail() regardless).
    if (! preg_match($emailPattern, $mailtoOBone)) {
        $error .= "Contact Form ERROR<br>";
    } else {
        mail($mailtoOBone, $subject, $mailmsg, $from);
    }
}
```
Last edited by iknownothing on Thu Feb 15, 2007 6:57 pm, edited 1 time in total.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

At least perform a rudimentary check on $name and $email, e.g.

```php
if ($email == "" && $phone == "") { $error .= "<b>You need to enter a contact method so that we can contact you.</b><br />"; }
if ( preg_match("/[\r\n\"\\\\<>]/", $name) )  $error .= "<div>invalid character in parameter 'name'</div>\n";
if ( preg_match("/[\r\n\"\\\\<>]/", $email) ) $error .= "<div>invalid character in parameter 'email'</div>\n";

if ($error == "") {
    // ... build the headers and call mail() only here
}
```
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

But how would that send emails to other people? The $mailto variable is the address to be sent to, which is hardcoded in...

Would it help if I changed the $mailto variable name to something a bit harder to guess, i.e. $youllneverguessmymailtovariablename?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Because headers can be injected, which is what volka demonstrated.
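Why renaming $mailto would not help, as an added example that is not code from this thread or from the original site: the injection point is the From: header built from the submitted fields, so the fix is to refuse line breaks in any value that reaches a header and to keep the submitter's address in Reply-To rather than From:. The function names, the example addresses and the PHP 7.1+ typed signatures are assumptions made here.

```php
<?php
// Added illustration, not code from this thread. The original form builds
// "From: \"$name\" <$email>" from user input. mail() separates header lines
// with CRLF, so a CR or LF inside $name or $email ends the From: line and the
// text after it is read as a further header. The hardcoded recipient variable
// is never touched; extra recipients arrive through the injected header, so
// renaming $mailto changes nothing. Fix: refuse header values containing
// CR, LF or NUL, and keep the submitter out of From: (use Reply-To instead).

/** True when $value can sit on a single header line without ending it. */
function isSafeHeaderValue(string $value): bool
{
    return preg_match("/[\r\n\0]/", $value) !== 1;
}

/** True for a syntactically valid address with no header-breaking characters. */
function isSafeEmail(string $email): bool
{
    return isSafeHeaderValue($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Build the additional-headers argument for mail(). $siteFrom is a fixed
 * address owned by the site (assumed placeholder). Returns null, and so
 * nothing is sent, when any submitted value could break out of its line.
 */
function buildContactHeaders(string $name, string $replyTo, string $siteFrom): ?string
{
    if (!isSafeHeaderValue($name) || !isSafeEmail($replyTo) || !isSafeEmail($siteFrom)) {
        return null;
    }
    // Drop quotes and backslashes so the display name cannot end its quoted string.
    $display = str_replace(['"', '\\'], '', $name);
    return "From: \"Contact Form\" <$siteFrom>\r\n"
         . "Reply-To: \"$display\" <$replyTo>";
}

// Constructed sample submissions: a normal one and one carrying a line break.
$normal   = buildContactHeaders("Jane Citizen", "jane@example.com", "noreply@example.com");
$injected = buildContactHeaders("Jane\r\nX-Injected: yes", "jane@example.com", "noreply@example.com");

if ($normal !== null && $injected === null) {
    echo "header check works: the line-break submission was refused\n";
    // In the real form: mail($mailtoOBone, $subject, $mailmsg, $normal);
} else {
    echo "header check broken\n";
}
```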
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You might want to use the RFC compliant email address regex that we've had posted quite often. Search for "validateEmailFormat".
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

Edited first post. Thanks.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

iknownothing wrote: The host of the site still believes this is unsafe.
Rather than taking wild stabs in the dark at what might make it more secure, why not ask the host why they think it's not secure? Then you'll have an actual problem that you can address.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

An issue I see clients usually have with the "security" of their form is spam. Spammers use forms to spam people using others' bandwidth, so firstly you validate headers to stop spammers from using your client's bandwidth to spam others, and validate any text they send to ensure that there is no HTML inserted. This stops spammers from spamming your client's email.

And explain to them what you've prevented. If you sound like you know what you're doing, they assume that you do.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The email regex still is not RFC compliant.
iknownothing
Forum Contributor
Posts: 337
Joined: Sun Dec 17, 2006 11:53 pm
Location: Sunshine Coast, Australia

Post by iknownothing »

feyd wrote: The email regex still is not RFC compliant.
Really, I must have used the wrong one from another topic; I assumed the one down the very bottom of a topic would have been correct.