This is my sendmail code; how would I change this to prevent bots from injecting into my code?
```php
<?php
$to         = 'email@domain.com';
$subject    = $_POST['subject'];
$message    = $_POST['message'];
$from       = $_POST['from'];
$from_check = $_POST['from_check'];
$full_name  = $_POST['full_name'];
$tel        = $_POST['tel'];

// Raw POST data goes straight into the mail headers (this is where the injection happens)
$headers  = "From: " . $_POST['from'] . "\r\n";
$headers .= "Reply-To: " . $_POST['from'] . "\r\n";

$message  = "\nInformation Request: " . $message;
$message .= "\nName: " . $full_name;
$message .= "\nTel Number: " . $tel;
$message .= "\nEmail address 2 (could be different): " . $from_check;

if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
    echo "<h4>Sorry info here</h4>";
    echo "<h4>Click here to return</h4>";
} elseif ($from_check <> $from) {
    echo "<h4>Info here.</h4>";
    echo "<h4>Click here to return</h4>";
} elseif (mail($to, $subject, $message, $headers)) { // mail() takes the message before the headers
    echo "<h4>$full_name</h4>";
    echo "<h4>Your email has been sent, we will reply as soon as possible.</h4>";
} else {
    echo "<h4>Cannot send email</h4>";
}
?>
```
Thanks Ian
Bots would never see your code. Any entity, whether it is a user on their PC or an automated program, which requests your page will only get the output. When a request is made for the page, the webserver will parse your code then send the result to the requesting entity.
So, in your code above, the bot (or user) would only receive the result of this code:
```php
elseif(mail($to,$subject,$headers,$message)) { echo "<h4>$full_name</h4>"; echo "<h4>Your email has been sent, we will reply as soon as possible.</h4>"; } else { echo "<h4>Cannot send email</h4>";
```
Michael J
The bot the spammer is using is injecting bcc/cc into the code, something to do with a problem with \n & \r, where they exploit the linefeed and carriage returns to add what they want.
I know I need to strip the \n\r but have no idea how to do it and how to test to make sure it's correct.
Ian
I understand now. Just do a simple search/count within the appropriate fields (substr_count) to check if they contain the characters that you want to disallow. If they do contain the disallowed characters have an error message displayed and fail the send mail.
You can test it by hardcoding values for those fields with the disallowed characters. But, instead of actually having it send an email, rewrite the page to display if it caught the disallowed characters or not.
Michael J
Michael
Easier said than done, I'm not that good with php.
I was thinking of adding headers for bcc and cc and then doing something like if bcc or cc is not empty then die and setting both bcc and cc to '' i.e. nothing.
So if these then become more it won't send.
Ian
Hi,
Can you tell me your PHP version? You can find it with phpinfo();
I tried the method in that website but it won't work on my mailer script. The script is simple and very similar to the example on that site.
The best I can do (by using the method) is to crash the script. The mail won't send.
In the website, there is a fix to stop the injection at the bottom, by checking for malicious chars.
I was thinking of something along the lines of this:

```php
$error = 0;
if (substr_count($_POST['from'], "\r") > 0 || substr_count($_POST['from'], "\n") > 0) { $error = 1; }
```

Repeat for the other variables to check. Then add a switch before the last elseif:

```php
elseif ($error) { echo "<h4>Error Text.</h4>"; echo "<h4>Click here to return</h4>"; }
```
Michael J
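A fuller version of that check, as an added example that is not from anyone in this thread: it rejects any field containing a line break (the CR/LF the injected Bcc/Cc headers ride on), anchors the From check so only a single address passes, and runs the hard-coded dry run Michael J described earlier instead of calling mail(). The field names and sample values are assumptions, and it avoids PHP 5 features so it also runs on the 4.4 install mentioned above.

```php
<?php
// Added example (not from this thread). Returns true if $value contains a
// character that could end the current header line and start a new one.
// $_POST is already URL-decoded, so a bot sending %0A or %0D in the request
// arrives here as a literal "\n" or "\r" and is caught by these checks.
function has_header_injection($value)
{
    return substr_count($value, "\r") > 0
        || substr_count($value, "\n") > 0
        || substr_count($value, "\0") > 0;
}

// Strict "exactly one address" check for the From field. Anchored with ^ and
// \z (not $, which in PCRE still matches before a trailing newline), so
// "a@example.com, b@example.com" or anything with extra text is rejected.
function is_single_address($value)
{
    return preg_match('/^[\w.+-]+@[\w-]+(\.[\w-]+)+\z/', $value) === 1;
}

// Check every submitted field; returns a list of error messages.
// An empty list means it is safe to build the headers and call mail().
function check_mail_fields($fields)
{
    $errors = array();
    foreach ($fields as $name => $value) {
        if (has_header_injection($value)) {
            $errors[] = "Field '$name' contains a line break.";
        }
    }
    if (!is_single_address($fields['from'])) {
        $errors[] = "Field 'from' is not a single e-mail address.";
    }
    return $errors;
}

// Dry run with hard-coded (constructed) samples: prints what was caught and
// never sends anything. Swap in $_POST once the checks behave as expected.
$samples = array(
    'clean'     => array('from' => 'ian@example.com', 'full_name' => 'Ian'),
    'injected'  => array('from' => "ian@example.com\r\nBcc: other@example.net", 'full_name' => 'Ian'),
    'two addrs' => array('from' => 'a@example.com, b@example.com', 'full_name' => 'Ian'),
);
foreach ($samples as $label => $fields) {
    $errors = check_mail_fields($fields);
    echo $label, ': ', ($errors ? implode(' ', $errors) : 'OK'), "\n";
}
```

Only the 'clean' sample comes back OK; the other two are refused before any header is built, which is the point at which the original script should stop and show its error page.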
Laler - Using 4.4.0
Michael - Thanks, will give that a try. Do you think it would be good to also add what I suggested, i.e. the checking for bcc and cc?
Ian
hm, the version installed in my hosting company is even lower than that :|
I put interest on this problem as I've been a victim of those spammers before. My account got suspended because my hosting company's datacenter threatened them to stop spam or they'll pull the plug out from their server, while the spam came from my account, from an exploitable script :D (a free CMS). Not to mention my domain name might be blacklisted everywhere.
So in this PHP mail() problem, I then tried copy pasting the code from that page, but still I'm unable to exploit the script. The script won't send the e-mail. Maybe my hosting company put some protection module or maybe there're some php.ini settings to prevent those? I'm not sure.
Anyways, you'd better do Michael J's method or the method in that website. Because if you only put Bcc and Cc then (according to the page) I guess someone will still be able to send the emails to more people by adding more Bcc/Cc.
Sorry,
:::::
I was thinking of adding headers for bcc and cc and then doing something like if bcc or cc is not empty then die and setting both bcc and cc to '' i.e. nothing.
:::::
That might work, but still I think checking for malicious chars (like "\") would be better. Also, an email address containing "bcc" might exist, while no email address will contain "\r" or "%0A".
Btw, I'm still confused/worried: am I vulnerable or not? If someone has an explanation, then please :)
This tells you a bit more.
http://anders.com/cms/75/Crack.Attempt/Spam.Relay
Yes, your host may have disabled something, but I'm not sure you are 100% safe. You could ask your host if they did and then post back, so I could change the same setting in the php.ini.
The %0A: where can I find a site with other character-set codes like this? I need to add more error checking for terms like ; and , in the email fields.
I have managed to cut out most if not all of the characters I want from an entry in the form; the code I used can be seen on the following thread:
http://www.computing.net/programming/wwwboard/forum/13265.html
Regards
Ian
I am having the same problems but I am a complete novice!
Here is my simple script:

```php
<?php
$to = "";      // E-mail address to send mail to.
$subject = ""; // Subject of the e-mail.
$message = ""; // Message shown at other end (the e-mail).
// $name and $email come straight from the form; the script as posted relied on
// them already being set (register_globals), so they are read from $_POST here.
$name  = $_POST['name'];
$email = $_POST['email'];
mail($to, $subject, stripslashes($message), "From: $name <$email>\nX-Mailer: PHP/" . phpversion());
header("location: "); // URL to redirect to after mail has been successfully sent.
?>
```
I get all my forms sent to me filled with an email address in every field and I can receive this sometimes 20 times over and it is driving me bananas!
Your header( "location: " ); just keeps repeating the script - try something like header("location:newpage.php"); to get that working, webgurl.