PHP Email Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

slabadie
Forum Newbie
Posts: 1
Joined: Sun Feb 19, 2006 8:18 am

PHP Email Security

Post by slabadie »

feyd | Please use [code] and [/code] tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


I recently received a message from my hosting company saying that they disabled one of my client's email accounts because they were getting hammered with incoming SPAM. Also they had to rename the comments.php page because the code had security holes allowing Spam to be sent through the page. I am new to PHP and am not sure what to do at this point. It was suggested by them that I use ASPEmail instead. Any help would be greatly appreciated. Below is how my page is coded:

<?php
// comments.php as posted: the form fields are checked only for being empty.
if (($_POST['name'] == "") || ($_POST['email'] == "") || ($_POST['comments'] == "")) {
		header("Location: comments.htm");
		exit;
}
$msg = "E-MAIL SENT FROM FDNY COMMENT SECTION\n";
$msg .= "Name:  ".$_POST['name']."\n";
$msg .= "E-Mail:  ".$_POST['email']."\n";
$msg .= "Comments:  ".$_POST['comments']."\n";
$to = "ravenwax@ptd.net";
$subject = "Web Site Feedback";
$mailheaders = "From: Whatever Website <http://www.whatever.com>\n";
// Reply-To is built from the raw POST value. A newline inside it ends the header,
// so anything that follows becomes an extra mail header: this is the hole that
// let the page be used to send spam.
$mailheaders .= "Reply-To: ".$_POST['email']."\n";
mail ($to, $subject, $msg, $mailheaders);
?>

<?php
// Confirmation page as posted: the submitted values are echoed back into the HTML
// without escaping, so the same unfiltered input also reaches the browser.
echo $_POST['name'];
?>
<p><strong>E-Mail Address:</strong>
<?php
echo $_POST['email'];
?>
<p><strong>Comments:</strong><br>
<?php
echo $_POST['comments'];
?>

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Without filtering of the posted information, yes, you have massive security holes.

A recent topic with the same issues: viewtopic.php?t=44097
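A filtered version of the same comment handler, added here as an example (it is not code from either poster). It assumes PHP 7 or later, the original form field names, and placeholder addresses for the From and recipient values.

```php
<?php
// Added example, not the original poster's code: the same comment handler with each
// posted value filtered before it reaches a mail header, the message body or the
// confirmation page. Recipient and From addresses are placeholders; the form field
// names match the original.
declare(strict_types=1);

// Header values must be one line: a CR or LF would terminate the header and let the
// submitter append headers of their own, which is how the form was abused for spam.
function cleanLine(string $value, int $maxLength): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value); // any control char -> space
    return mb_substr(trim($value), 0, $maxLength);
}

// The body may contain newlines, but no other control characters.
function cleanBody(string $value, int $maxLength): string
{
    $value = preg_replace('/\r\n?/', "\n", $value);
    $value = preg_replace('/[\x00-\x09\x0B-\x1F\x7F]/', '', $value);
    return mb_substr(trim($value), 0, $maxLength);
}

// The sender address must validate as an e-mail address (which also rules out CR/LF).
function cleanEmail(string $value): ?string
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

$name     = cleanLine((string)($_POST['name'] ?? ''), 100);
$email    = cleanEmail((string)($_POST['email'] ?? ''));
$comments = cleanBody((string)($_POST['comments'] ?? ''), 4000);

if ($name === '' || $email === null || $comments === '') {
    header('Location: comments.htm'); // same redirect as the original on bad input
    exit;
}

$msg  = "E-MAIL SENT FROM COMMENT SECTION\n";
$msg .= "Name:  {$name}\nE-Mail:  {$email}\nComments:  {$comments}\n";

// From is fixed to the site's own address; only the validated Reply-To comes from the form.
$mailheaders  = "From: Website <webmaster@example.com>\r\n";
$mailheaders .= "Reply-To: {$email}\r\n";
mail('recipient@example.com', 'Web Site Feedback', $msg, $mailheaders);

// Echo the submission back only after HTML-escaping it (the original echoed it raw).
echo '<p><strong>Name:</strong> ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p><strong>Comments:</strong><br>' . nl2br(htmlspecialchars($comments, ENT_QUOTES, 'UTF-8')) . '</p>';
```

On PHP 7.2 and later the headers can also be passed to mail() as an array, which makes PHP itself reject values containing newlines.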