I Got Framed — if you’re using the PHP mail() function, add some security to that thing
I didn’t do it.
Really, I didn’t–I was framed. And you could be too if you’re using the PHP mail() function to handle your contact form without taking any extra security measures.
Last night I found out (the hard way) that my simple contact form was quite an ingenious spam tool. Somebody got on Elliot Swan Designs, opened up my contact form, was able to add in some custom headers, then sent out bulk email–as me. Quite ingenious, and quite annoying.
It was pretty late, so I had to just shut down my contact forms for the night, but when I got up I found a user comment on the documentation for mail() that recommended using something like the following code to protect against mail injections:
if (stripos($_POST['field1'].$_POST['field2'].$_POST['etc'], 'MIME-Version:') !== false) { die('Get out, spammer.'); } // eregi() was removed in PHP 7; stripos() gives the same case-insensitive match
For good measure I added a second line to it:
if (stripos($_POST['field1'].$_POST['field2'].$_POST['etc'], 'Content-Type:') !== false) { die('Get out, spammer.'); } // same check for the second header a spammer needs to inject
Hopefully that’ll keep them spammers outa there.
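As an added example (not Elliot's own form code), here is a contact-form handler that goes one step further than the two keyword checks above. The root of the problem is that a mail header ends at a carriage return or line feed, so any CR/LF inside a value that lands in the headers lets the sender append header lines of their own. The handler below rejects those characters outright in every header-bound field, validates the address, and keeps the keyword checks as a second layer. The field names, the recipient address and the two sample submissions are assumptions constructed for the example; it needs PHP 7.4 or later.

```php
<?php
// Added example, not the original form code. Field names ('name', 'email',
// 'subject', 'message') and the recipient address are assumptions.

// A header line ends at CR or LF. Either byte inside a field that is placed
// into the headers lets the sender add lines of their own (Bcc:, Cc:, a new
// body). The URL-encoded forms are rejected too, in case a later step decodes.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]|%0[aAdD]/', $value) === 1;
}

// Returns a list of problems; an empty array means the submission is safe
// to hand to mail().
function validateContactForm(array $post): array
{
    $errors = [];
    $fields = ['name', 'email', 'subject', 'message'];

    // Only string values are acceptable; PHP turns field[]=... into arrays.
    foreach ($fields as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field is missing";
        }
    }
    if ($errors !== []) {
        return $errors;
    }

    // Header-bound fields must not contain line breaks. The message body is
    // not a header, so it may keep its newlines.
    foreach (['name', 'email', 'subject'] as $field) {
        if (hasHeaderInjection($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }

    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // The keyword checks from the post above, kept as defense in depth.
    $all = implode("\n", array_map(fn($f) => $post[$f], $fields));
    foreach (['MIME-Version:', 'Content-Type:', 'Bcc:', 'Cc:'] as $needle) {
        if (stripos($all, $needle) !== false) {
            $errors[] = "input contains $needle";
        }
    }

    return $errors;
}

// Constructed sample submissions: one honest, one carrying an injected header.
$honest = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'subject' => 'Question',
    'message' => "Hi,\nare you available in May?",
];
$forged = $honest;
$forged['email'] = "jane@example.com\r\nBcc: someone@example.net";

print_r(validateContactForm($honest));
print_r(validateContactForm($forged));

// In the real handler: only an empty error list reaches mail().
$errors = validateContactForm($_POST);
if ($errors === []) {
    $headers = 'From: ' . $_POST['email'] . "\r\nReply-To: " . $_POST['email'];
    mail('you@example.com', $_POST['subject'], $_POST['message'], $headers);
} else {
    // Log the rejection rather than echoing the rejected values back.
    error_log('contact form rejected: ' . implode('; ', $errors));
}
```

Run from the command line, the honest submission produces an empty error list and the forged one is rejected three times over (line break, invalid address, and the Bcc: keyword), which is the point of layering: the CR/LF check alone would already have stopped it, and the keyword check catches a spammer who finds a header the first check does not cover.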
I had the exact same thing happen to me on my portfolio website. It was quite unnerving. I ended up finding out the same solution as you, just haven’t had the time to implement it yet. So for the time being I’ve had to close down my contact form as well.
Yeah, this happened on my portfolio as well, but I fixed the ones on all my sites for good measure.
This morning I also had the surprise of checking my email and finding 13 completely blank emails that were sent through the same contact form. Checked out the headers, and nothing was added.
So I guess checking for blank emails would be a good idea as well…I had never really thought somebody would actually want to submit a blank email.
Thanks for the tips! I’ll check my sites.
Hi Elliot, this post is kind of old but I thought you or someone else reading this might be interested in the following tip. A very easy to use php function to filter POST variables for newlines or carriage returns (which are the problem with email injection) is the function ctype_print(). You can use it like this:
if (!ctype_print($clean['name']) || !ctype_print($clean['email']) )
{
$errors = 'Some of the input contains bad characters';
}
You can use the above to make sure variables that end up in the headers in the mail() function cannot contain any newlines or carriage returns. And therefore a spambot cannot add any bcc, cc etc. Best thing is to use this as a defense in depth measure, besides the validation one already does.
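The ctype_print() suggestion above works because CR and LF are not printable characters, but it rejects more than those two. As an added example (not the commenter's code), the script below runs ctype_print() side by side with a check that refuses only the two characters that can actually end a header line, over a handful of constructed inputs: a plain name, an injected header, an accented name, an empty field and a subject containing a tab.

```php
<?php
// Added example, not the commenter's code. Compares ctype_print() with a check
// that rejects exactly the two characters that terminate a header line.

function headerSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Constructed sample inputs for header-bound fields.
$samples = [
    'plain name'      => 'Jane Doe',
    'injected header' => "Jane Doe\r\nBcc: someone@example.net",
    'accented name'   => 'José Müller',   // UTF-8 bytes above 0x7F
    'empty field'     => '',
    'tab in subject'  => "Quote\trequest",
];

printf("%-16s %-12s %s\n", 'input', 'ctype_print', 'headerSafe');
foreach ($samples as $label => $value) {
    printf("%-16s %-12s %s\n", $label,
        ctype_print($value) ? 'true' : 'false',
        headerSafe($value) ? 'true' : 'false');
}
```

Both checks refuse the injected header, which is what matters. ctype_print() also refuses the accented name (it only accepts printable ASCII, 0x20 to 0x7E), the empty string (it is documented to return false for that) and the tab, so a form that relies on it alone will turn away some honest senders; headerSafe() lets those through and leaves the "is it empty" question to a separate check, which the blank-email reports above suggest is worth having anyway.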
That’s a pretty sweet trick…thanks for sharing.
Hi Elliot
thanks for putting this on your page. I’m a bit new with php but I have put a php email-form on
my website for security and not a basic form. But now I’m learning that it was not so simple.
I did not receive spam but maybe the hosting company did! But now I see that there is a lot more possible with php. I’m learning!
I’ve found some security code on chr webM about this but I don’t know yet how to put it in my e-mail form
so maybe you can help me with this?
fordcredit.com
Thank you man, because a lot of us, including me, are using the mail() function as it is without adding any security check, and it might be misused, as mine was unsecured on my web site IEmailer.com. I’m offering a contact form and a tell-a-friend form, so I will add this security check today and re-upload the secured files again, and it all goes to you. So THANK YOU.
Wow, this is a really critical issue… Thank you for sharing. I’m just glad I haven’t applied the contact form code on my website, as I’m trying to become an SEO Expert, so I should take care about those issues!!!
Thanks again, it’s really helpful information you’ve got in here.
Hello, first of all I would like to thank you for posting this
And I really think it’s an important issue, but for many reasons I’m not familiar with PHP scripting.. but I have already used and applied a PHP contact form on my Interior Design Company Website.. so I’m just wondering how to add this check to my contact form code? I could email you a copy of the current code?
I’m using the normal PHP mail() function you mentioned above, but I just don’t get it straight how to add the check thing! And I totally understand if you might ignore this message.
Any help from your side would be really most appreciated, Thank you in advance.