Post #11 - Mar 31 2006, 12:47 AM
Super Member | Group: Members | Posts: 282 | Joined: 1-September 05 | From: Wanatos | Member No.: 11,382
Yes, Tyssen knows what he speaks about! hehe, so Tyssen, do you have any secure validating script you can share? I have not checked those pages you posted gaea, they are opening as I type... thanks!

Post #12 - Mar 31 2006, 01:44 AM
Group: Members | Posts: 1,161 | Joined: 9-May 05 | From: Brisbane, QLD | Member No.: 6,818

Post #13 - Mar 31 2006, 06:01 AM
Super Member | Group: Members | Posts: 205 | Joined: 14-March 06 | From: Vermont or Boston (USA) | Member No.: 20,077
QUOTE
Couple of problems with your script gaea:
1. It doesn't check the input for email header injection attempts and clean it before processing.
2. If there are errors in the form, it returns the user to an empty form with no error messages to let them know what is wrong.

Both of these are good points (though the script *does* return error messages... so I'm not quite sure where you got that from). Adding the original information back into the form would take about 2 seconds worth of time, and so is definitely worth doing.

As far as header injection attempts... that is also a good point. But where do you stop? There are sssooooo many possible exploits that if you wanted to write a 100% secure script it'd take you a rather long time. What would you say qualifies as "good enough?" Removing any occurrences of "\r" or "\n"? And 0x0D/%0D, and %0A? Or stopping all the MIME vulnerabilities? Or other vulnerabilities that randomly appear on the net? Where do you draw the line?

Also, no offence, but paying money to use a feedback form script seems rather ludicrous to me. Except if you are really desperate and don't know how to write your own code.

---------- EDITED: ----------

Anyway, after a little work I added both of your suggestions to my script. It only protects against the From field being exploited by "\r", "\n", "0x0D/%0D", and "%0A". Which means that it isn't 100% secure... but should stop virtually all attempts to use the form to send email to other people instead of (or as well as) the original hard-coded email address. Which means that your feedback form can't be used by a spammer to send out unsolicited emails. I also had it email the spammer/hijacker's IP address back to you in case you wish to report them.
The new code is something like this: (sendmail.php)

CODE
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>Feedback</title></head><body>
<table bgcolor="#ffffff" cellpadding="28"><tbody><tr><td>
<?php
// Read the posted fields explicitly. The original relied on register_globals,
// which has been off by default since PHP 4.2 and was removed in PHP 5.4.
$visitor     = trim($_POST['visitor']     ?? '');
$visitormail = trim($_POST['visitormail'] ?? '');
$subject     = trim($_POST['subject']     ?? '');
$notes       = $_POST['notes'] ?? '';

// Client details come from the server, not from hidden form fields, which the
// sender can set to anything (the original passed them through the form).
$ip        = $_SERVER['REMOTE_ADDR']     ?? '';
$httpagent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$todayis   = date("l, F j, Y, g:i a");

// Escape anything that is echoed back into the page.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

$passedTests  = true;
$hijacked     = false;
$headingShown = false;

// Header injection check. $visitormail is the only user value that reaches a
// mail header, and a bare CR or LF in it lets the sender append headers such
// as Bcc:. (The original also looked for the literal strings "%0A" and
// "0x0D/%0D"; PHP has already URL-decoded $_POST, so only raw CR/LF matter.)
if (preg_match('/[\r\n]/', $visitormail) === 1) {
    $passedTests = false;
    $hijacked    = true;
    echo "<font color='red'><h2>Email Header Injection Attempt Detected! Your IP Address has been logged, and will be reported shortly.</h2></font><br />";
    $message = "$todayis\nEMAIL HEADER INJECTION ATTEMPT DETECTED from $visitor ($visitormail).\n"
             . "IP Address = $ip\nSubject: $subject\nMessage: $notes\nBrowser Info: $httpagent\n";
    // All user data goes in the body; every header of this report is fixed.
    mail("YOURNAME@YOURWEBSITE.COM", "EMAIL HEADER INJECTION ATTEMPT", $message, "From: YOURNAME@YOURWEBSITE.COM");
}

if ($visitormail !== '' && filter_var($visitormail, FILTER_VALIDATE_EMAIL) === false) {
    // Stricter than the original "contains @ and ." test: exactly one bare address.
    if (!$headingShown) { echo "<h2>The following error(s) were encountered:</h2>"; $headingShown = true; }
    echo "<font color='red'>*Invalid email address. <br /></font>";
    $passedTests = false;
}

if ($visitor === '' || $visitormail === '' || $notes === '') {
    if (!$headingShown) { echo "<h2>The following error(s) were encountered:</h2>"; $headingShown = true; }
    echo "<font color='red'>*Please fill in ALL of the required fields. <br /></font>";
    $passedTests = false;
}

if ($passedTests) {
    $subject2 = "Feedback from YOURWEBSITE.COM";
    $message  = "$todayis\nFrom: $visitor ($visitormail)\nSubject: $subject\nMessage: $notes\n"
              . "Additional Info : IP = $ip\nBrowser Info: $httpagent\n";
    // $visitormail passed the CR/LF test and FILTER_VALIDATE_EMAIL, so it is a
    // single bare address and safe in a header. Receivers that check SPF/DMARC
    // may still reject mail whose From domain is not yours; a fixed From plus
    // "Reply-To: $visitormail" avoids that.
    mail("YOURNAME@YOURWEBSITE.COM", $subject2, $message, "From: $visitormail");
?>
<h2 align="center">Thank you for your feedback!</h2>
<center><br /><table border="0">
<tr><td>Date: </td><td><?php echo h($todayis) ?></td></tr>
<tr><td>Name: </td><td><?php echo h($visitor) ?> ( <?php echo h($visitormail) ?> )</td></tr>
<tr><td>Subject: </td><td><?php echo h($subject) ?></td></tr>
<tr><td>Message: </td><td><?php echo nl2br(h($notes)) ?></td></tr>
</table></center>
<?php } else { ?>
<br /><form method="post" action="sendmail.php">
<center><table border="0"><tbody>
<tr align="left"><td><font color="red">*</font>Name: </td>
<td><input type="text" name="visitor" size="51" value="<?php echo h($visitor) ?>" /></td></tr>
<tr align="left"><td><font color="red">*</font>Email: </td>
<td><input type="text" name="visitormail" size="51" value="<?php echo h($visitormail) ?>" /></td></tr>
<tr align="left"><td>Subject: </td>
<td><input type="text" name="subject" size="51" value="<?php echo h($subject) ?>" /></td></tr>
<tr align="left"><td><font color="red">*</font>Message: </td>
<td><textarea name="notes" rows="7" cols="50"><?php echo h($notes) ?></textarea></td></tr>
<tr align="left"><td></td><td align="center"><input type="submit" value="Send Mail" /></td></tr>
</tbody></table></center>
</form>
<?php } ?>
<p> </p>
</td></tr></tbody></table></body></html>

Once again, don't forget to change YOURNAME@YOURWEBSITE.COM to your actual email address. If you have any other requests/suggestions I'd be happy to attempt to implement them or help you do it yourself.

This post has been edited by gaea: Mar 31 2006, 07:44 AM
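As an added example (not gaea's script and not posted in this thread), the stand-alone PHP below shows what the "From" payload discussed above actually does to a header block built by concatenation, and the two checks that stop it. The sender address `feedback@yourwebsite.example` and the sample payloads are constructed for the demonstration; the function names are not from the original code.

```php
<?php
// Added example, not part of the original sendmail.php. Run from the
// command line:  php header_injection_demo.php

/**
 * How the thread's script builds its headers: the visitor's address is
 * dropped straight into From. Returns the header block mail() would send.
 */
function naiveHeaders(string $visitorMail): string
{
    return "From: $visitorMail\r\n";
}

/**
 * Classify an address that is destined for a mail header.
 *
 * Only raw CR, LF and NUL can break out of a header line. PHP has already
 * URL-decoded $_POST by the time a script sees it, so the literal text "%0A"
 * is just three ordinary characters and does not need its own rule.
 */
function checkAddressForHeader(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return 'line break or NUL in value';
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one bare address: no display
    // name, no whitespace, no second address or header smuggled in.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return 'not a single bare address';
    }
    return 'ok';
}

/**
 * Hardened construction. The visitor never controls From: a fixed site
 * sender is used, and the visitor's address goes into Reply-To only after
 * it passed both checks. Returns null when the value must be rejected.
 */
function safeHeaders(string $visitorMail, string $siteFrom): ?array
{
    if (checkAddressForHeader($visitorMail) !== 'ok') {
        return null;
    }
    return ['From' => $siteFrom, 'Reply-To' => $visitorMail];
}

// Constructed inputs (assumed, for the demonstration). The second is the
// classic attack on a form like the one above; the third shows why matching
// "%0A" in decoded input is pointless: it is caught as a bad address, not as
// a line break. The fourth uses a bare LF, which sendmail also treats as a
// line terminator.
$payloads = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    'visitor@example.com%0ABcc:victim@example.net',
    "visitor@example.com\nSubject: injected",
];

foreach ($payloads as $p) {
    echo "--- input: " . json_encode($p) . "\n";
    echo "naive header block:\n" . naiveHeaders($p);
    echo "check: " . checkAddressForHeader($p) . "\n";
    $safe = safeHeaders($p, 'feedback@yourwebsite.example');
    echo $safe === null ? "rejected\n\n" : "accepted: " . json_encode($safe) . "\n\n";
}
```

The printed "naive header block" for the second payload contains a second header line beginning with `Bcc:`, which is exactly what turns a feedback form into an open relay. The hardened version never needs a blacklist of encodings: it rejects any control character and then insists on a single well-formed address, so the "where do you draw the line" question has a short answer for this field.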