Contact Form Hacked
Posted: Tue Feb 13, 2007 8:40 pm
EDIT: This is the new file with the below suggestions implemented. The host of the site still believes this is unsafe. Sorry for being a pain, but is there anything else I can do to make it more secure? You don't have to type out the code if you don't want to, just some keywords would be fine so I can look it up.
Also, the process is on a separate page to the form, if that matters (security wise).
Thanks.
Also, the process is on a separate page to the form, if that matters (security wise).
Thanks.
Code: Select all
if ($name == "") { $name = $_POST["name"]; }
if ($email == "") { $email = $_POST["email"]; }
if ($phone == "") { $phone = $_POST["phone"]; }
if ($fax == "") { $fax = $_POST["fax"]; }
if ($message == "") { $message = $_POST["message"]; }
$error = "";
if ($name == "") { $error .= "<b>You need to enter your <B>Name</B> so we know who to contact<BR>"; }
if ($email == "" && $phone == "") { $error .= "<b>You need to enter a contact method so that we can contact you<BR>"; }
if (! eregi("^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) { $error .= "Invalid Email Address<BR>"; }
if ( preg_match("/[\r\n\"\\\\<>]/", $name) ) { $error .= "Invalid Characters in Name Field<BR>";}
if ( preg_match("/[\r\n\"\\\\<>]/", $email) ) { $error .= "Invalid Characters in Email Field<BR>";}
if ( preg_match("/[\r\n\"\\\\<>]/", $phone) ) { $error .= "Invalid Characters in Phone Field<BR>";}
if ( preg_match("/[\r\n\"\\\\<>]/", $fax) ) { $error .= "Invalid Characters in fax Field<BR>";}
if ( preg_match("/[\r\n\"\\\\<>]/", $message) ) { $error .= "Invalid Characters in Message Field<BR>";}
if ($error == "") {
//send email to IND Lending
$name = stripslashes($name);
$email = stripslashes($email);
$phone = stripslashes($phone);
$fax = stripslashes($fax);
$message = stripslashes($message);
$mailtoOBone = "scott@indlending.com.au";
$mailmsg = "--- Below are details submitted via the IND Lending Contact Form ---\n\nName: $name\nEmail Address: $email\nPhone No.: $phone\nFax No.: $fax\n\nEnquiry:\n$message\n\n--- End of Details ---\n";
if ($email == "") {
$email = "no-email-given@indlending.com.au";
$subject = "Contact Form Details - DO NOT REPLY";
} else {
$subject = "Contact Form Details";
}
$from = "From: \"$name\" <$email>";
if (! eregi("^([+_a-z0-9-]+)(\.[+_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $mailtoOBone))
{
$error .= "Contact Form ERROR<BR>";
}
mail($mailtoOBone, $subject, $mailmsg, $from);
}