PHP Email Security

Posted: Sun Feb 19, 2006 8:29 am
by slabadie
feyd | Please use code tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


I recently rec'd a message from my hosting company saying that they disabled one of my client's email accounts because they were getting hammered with incoming SPAM. Also they had to rename the comments.php page because the code had security holes allowing Spam to be sent through the page.  I am new to PHP and am not sure what to do at this point.  It was suggested by them that I use ASPEmail instead.  Any help would be greatly appreciated.  Below is how my page is coded:

Code: Select all

<?php
// Send the visitor back to the form if any field is empty.
if (($_POST['name'] == "") || ($_POST['email'] == "") || ($_POST['comments'] == "")) {
    header("Location: comments.htm");
    exit;
}
// The posted values are copied into the message body exactly as submitted.
$msg = "E-MAIL SENT FROM FDNY COMMENT SECTION\n";
$msg .= "Name:  ".$_POST['name']."\n";
$msg .= "E-Mail:  ".$_POST['email']."\n";
$msg .= "Comments:  ".$_POST['comments']."\n";
$to = "ravenwax@ptd.net";
$subject = "Web Site Feedback";
$mailheaders = "From: Whatever Wesite <http://www.whatever.com>\n";
// The posted email value is placed in a mail header without any filtering.
$mailheaders .= "Reply-To: ".$_POST['email']."\n";
mail ($to, $subject, $msg, $mailheaders);
?>

Code: Select all

<?php 
echo $_POST['name']; 
?>
<p><strong>E-Mail Address:</strong>
<?php 
echo $_POST['email']; 
?>
<p><strong>Comments:</strong><br>
<?php 
echo $_POST['comments']; 
?>

Posted: Sun Feb 19, 2006 9:10 am
by feyd
Without filtering of the posted information, yes you have massive security holes.

A recent topic with the same issues: viewtopic.php?t=44097
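
A filtered version of the handler from the first post, as an added example that is not part of the original thread or either poster's code. It assumes PHP 7.1 or later; the helper names `clean_comment_form()` and `h()`, the length limits and the example.com addresses are hypothetical.

```php
<?php
// Added example, not the poster's code. clean_comment_form(), h(), the length
// limits and the example.com addresses are assumptions. Needs PHP 7.1+.
function clean_comment_form(array $post): ?array
{
    $f = [];
    foreach (['name', 'email', 'comments'] as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value) || trim($value) === '') {
            return null; // missing, empty, or an array instead of a string
        }
        $f[$key] = trim($value);
    }
    // The email value is placed in the Reply-To header, where a CR or LF would
    // start a new header line; reject line breaks in both single-line fields.
    if (preg_match('/[\r\n]/', $f['name'] . $f['email'])) {
        return null;
    }
    // Only one syntactically valid address may reach the header.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (strlen($f['name']) > 100 || strlen($f['comments']) > 5000) {
        return null;
    }
    return $f;
}

function h(string $s): string
{
    // Encode for HTML output so posted markup is displayed as text.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
$form = clean_comment_form($_POST);
if ($form === null) {
    header('Location: comments.htm');
    exit;
}
$msg  = "E-MAIL SENT FROM FDNY COMMENT SECTION\n";
$msg .= "Name:  {$form['name']}\nE-Mail:  {$form['email']}\n";
$msg .= "Comments:  {$form['comments']}\n";
// Recipient and From are fixed placeholders; nothing user-supplied sets them.
$mailheaders  = "From: Web Site Feedback <noreply@example.com>\r\n";
$mailheaders .= "Reply-To: {$form['email']}\r\n";
mail('webmaster@example.com', 'Web Site Feedback', $msg, $mailheaders);
?>
<p><strong>Name:</strong> <?php echo h($form['name']); ?>
<p><strong>E-Mail Address:</strong> <?php echo h($form['email']); ?>
<p><strong>Comments:</strong><br><?php echo nl2br(h($form['comments'])); ?>
```

Rejected submissions are redirected to the form exactly as empty ones are, so the handler never calls `mail()` with a value it has not checked.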