Hello.
I have a contact form that gets sent to a PHP mailing script. I keep getting emails that are obvious hijackings of the script. I do not host the site myself, but rather have a hosting service, Doteasy.com. So not much can be done on the server side. In the email example I included below, there is only one bcc, but in some there are dozens. I was wondering what the best practice is to protect against something like this, and where to find it.
TIA
Mark
Script:
<?php
// Website Contact Form Generator
// http://www.tele-pro.co.uk/scripts/contact_form/
// This script is free to use as long as you
// retain the credit link

// get posted data into local variables
// (array keys quoted: a bare $_POST[EmailFrom] relies on an undefined constant)
$EmailFrom = trim($_POST['EmailFrom']);   // pasted straight into the From: header below
$EmailTo = trim($_POST['EmailTo']);       // the browser, not the script, picks the recipient
$Subject = trim($_POST['Subject']);       // also a mail header
$FirstName = trim($_POST['FirstName']);
$LastName = trim($_POST['LastName']);
$Address01 = trim($_POST['Address01']);
$Address02 = trim($_POST['Address02']);
$City = trim($_POST['City']);
$State = trim($_POST['State']);
$PostCode = trim($_POST['PostCode']);
$Province = trim($_POST['Province']);
$Country = trim($_POST['Country']);
$Tel = trim($_POST['Tel']);
$Email = trim($_POST['Email']);
$Phone = trim($_POST['Phone']);
$Fax = trim($_POST['Fax']);
$PostalMail = trim($_POST['PostalMail']);
$Facsimele = trim($_POST['Facsimele']);
$message = trim($_POST['message']);

// validation: only checks that the fields are non-empty, never what they contain
$validationOK = true;
if ($EmailFrom == "") $validationOK = false;
if ($EmailTo == "") $validationOK = false;
if ($Subject == "") $validationOK = false;
if ($message == "") $validationOK = false;
if ($Email == "" and $Phone == "" and $Fax == "" and $PostalMail == "") $validationOK = false;
if (!$validationOK) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
    exit;
}
if ($Email == "") $Email = "No";
if ($Phone == "") $Phone = "No";
if ($Fax == "") $Fax = "No";
if ($PostalMail == "") $PostalMail = "No";

$EmailToo = "markmiller@mitechsol.com";
$EmailFrom2 = explode("@", $EmailFrom);

// prepare email body text
// ($EmailFrom is copied into the body as well, so whatever was injected into it
// also shows up in the middle of the received message)
$Body = "First Name: $FirstName\n";
$Body .= " Last Name: $LastName\n\n";
$Body .= "Message: \n$message\n\n";
$Body .= "Telephone: $Tel\n";
$Body .= " Fax: $Facsimele\n\n";
$Body .= " Address: $Address01\n";
$Body .= " : $Address02\n";
$Body .= " City: $City\n";
$Body .= " State: $State\n";
$Body .= "Zip/PostCode: $PostCode\n";
$Body .= " Province: $Province\n";
$Body .= " Country: $Country\n";
$Body .= "$EmailFrom\n\n";
$Body .= " Please Contact me by:\n";
$Body .= "Email: Phone: Postal Mail: Fax: \n";
$Body .= " $Email $Phone $PostalMail $Fax";

// Check for HiJackers
// (exact compare on the text after "@": once the field carries extra lines, as in
// the sample below, neither element equals the bare domain and the check is skipped)
if (isset($EmailFrom2[1]) && $EmailFrom2[1] == 'endo-nurses.org') {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=hijacker.php\">";
    exit;
}
if (isset($EmailFrom2[2]) && $EmailFrom2[2] == 'endo-nurses.org') {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=hijacker.php\">";
    exit;
}

// send email
// $EmailFrom goes into the additional-headers argument unfiltered: a CR/LF inside
// it ends the From: line and starts a new header (bcc:, Subject:, ...), which is
// how the extra recipients get in. $EmailTo also lets the sender choose the recipient.
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
// redirect to success page
if ($success) {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=ok.php\">";
    mail($EmailToo, $Subject, $Body, "From: <$EmailFrom>");
} else {
    print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
?>

Email example:
from one of eight clearly defined
1770b1b884ad680c0c729d974ad847a7
.>
First Name: legislation2121@endo-nurses.org
Last Name: legislation2121@endo-nurses.org
Message:
legislation2121@endo-nurses.org
Telephone: legislation2121@endo-nurses.org
Fax: legislation2121@endo-nurses.org
Address: legislation2121@endo-nurses.org
: legislation2121@endo-nurses.org
City: legislation2121@endo-nurses.org
State: legislation2121@endo-nurses.org
Zip/PostCode: legislation2121@endo-nurses.org
Province: legislation2121@endo-nurses.org
Country: legislation2121@endo-nurses.org
salt
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
X-Mailer: Mozilla 4.76 [en]C-CCK-MCD (Win95; U)
Subject: baste the bird without human assistance
bcc: tinayankee@questfindissm.com
from one of eight clearly defined
1770b1b884ad680c0c729d974ad847a7
.
Please Contact me by:
Email: Phone: Postal Mail: Fax:
legislation2121@endo-nurses.org legislation2121@endo-nurses.org legislation2121@endo-nurses.org legislation2121@endo-nurses.org

JayBird | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.
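A hardened version of the handler, as an added example that is neither the original poster's script nor the tele-pro.co.uk generator's code. It keeps the posted field names, hard-codes the recipient instead of trusting $_POST['EmailTo'], and rejects CR/LF in every header-bound field rather than blacklisting one sender domain, so it covers the general header-injection case and not only endo-nurses.org. The two example.com addresses, the function names and the constructed hijack/legit inputs are assumptions made for this example; the hijack input is modelled on the header lines visible in the received message above.

```php
<?php
// Added example (not the original poster's script and not the tele-pro.co.uk
// generator): a contact-form mailer hardened against mail-header injection.
// Field names (EmailFrom, Subject, message) follow the posted script; the two
// addresses marked "placeholder" are assumptions for this example.

const CONTACT_RECIPIENT = 'owner@example.com';        // placeholder: fixed recipient
const CONTACT_ENVELOPE  = 'contact-form@example.com'; // placeholder: our own From:

// A single header value must never contain CR, LF or NUL: that is what lets an
// attacker end the From: line and append headers of their own (bcc:, Subject:).
// $_POST values arrive URL-decoded, so checking the raw bytes is sufficient.
function is_header_safe(string $value): bool
{
    return preg_match('/[\x00\r\n]/', $value) !== 1;
}

// The visitor's address must be one syntactically valid mailbox. Whitespace,
// angle brackets and commas (used to smuggle additional recipients) all fail
// FILTER_VALIDATE_EMAIL, and the length cap keeps the header line sane.
function is_valid_sender(string $addr): bool
{
    return is_header_safe($addr)
        && strlen($addr) <= 254
        && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the mail from the posted form, or return null if any header-bound
// field is unsafe. Returns the pieces instead of calling mail() directly so
// the logic can be exercised without an MTA.
function build_contact_mail(array $post): ?array
{
    $from    = trim($post['EmailFrom'] ?? '');
    $subject = trim($post['Subject'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($from === '' || $subject === '' || $message === '') {
        return null;                            // same empty-field rule as the original
    }
    if (!is_valid_sender($from) || !is_header_safe($subject)) {
        return null;                            // injection attempt or malformed input
    }

    // The recipient is ours, never $_POST['EmailTo']: a browser-supplied
    // recipient makes the form an open relay even without header injection.
    // The visitor goes into Reply-To: so the owner can still answer; From:
    // stays on our own domain, since mail that claims the visitor's domain is
    // liable to fail that domain's SPF/DMARC checks at the receiver.
    $headers = "From: " . CONTACT_ENVELOPE . "\r\n"
             . "Reply-To: " . $from . "\r\n"
             . "X-Mailer: PHP/" . PHP_VERSION;

    // Body lines are not headers, so newlines in the message are harmless here.
    $body = "Sender: " . $from . "\n\n"
          . "Message:\n" . $message . "\n";

    return [
        'to'      => CONTACT_RECIPIENT,
        'subject' => $subject,
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed inputs for a dry run (not real submissions). The first is
// modelled on the hijacked message above: the sender field carries a
// CRLF-separated header block that ends in a bcc: line. The second is an
// ordinary submission.
$hijack = [
    'EmailFrom' => "legislation2121@endo-nurses.org\r\n"
                 . "Subject: baste the bird without human assistance\r\n"
                 . "bcc: tinayankee@questfindissm.com",
    'Subject'   => 'salt',
    'message'   => 'from one of eight clearly defined',
];
$legit = [
    'EmailFrom' => 'visitor@example.org',
    'Subject'   => 'Quote request',
    'message'   => "Hello,\nplease call me back.",
];

if (PHP_SAPI === 'cli') {
    foreach (['hijack' => $hijack, 'legit' => $legit] as $name => $post) {
        $mail = build_contact_mail($post);
        echo $name, ': ', ($mail === null ? 'rejected' : 'accepted'), "\n";
    }
    // In the real handler, an accepted result is sent with:
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```

The remaining body fields (name, address, preferred contact method) can be appended to $body exactly as the original script does; only values that end up on a header line need the is_header_safe check. Even where the PHP build applies its own checks to mail() headers, the explicit check costs nothing, and the hard-coded recipient closes the open-relay problem that no amount of header sanitising addresses.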