  1. #1
    New to the CF scene

    SMTP Injections in php email form

    Hello,

    I currently have an HTML web form that submits data to a PHP form for my website's online contact form. My sending details sit in the PHP file which e-mails me the form details. My problem is that someone is spamming me continuously, and I am told it is through SMTP injections.

    I have spent all week researching this and experimenting, and I am still getting the e-mails. Supposedly, to stop the injections you need to add \r\n or \r\n\r\n in sections of the PHP file. I have very limited knowledge of PHP, so I am somewhat guessing as to where the \r\n should be going. Would someone mind taking a look at my code and letting me know if I have missed placing it somewhere?

    Any help would be much appreciated as all the spam mails I am getting are driving me crazy.

    PHP Code:
    <?php

    /* $sendto is the email where form results are sent to */
    $sendto = "admin@website.com.au";

    /* $ccto is the email where form results can be carbon copied to */
    $ccto = "";

    /*
             O P T I O N A L   V A R I A B L E S
    */

    $setokurls = "1";

    $okurls = "http://www.website.com.au/contact.htm";

    /*
            N O   N E E D   T O   E D I T   A N Y   V A R I A B L E S   B E L O W
    */

    $footer = "<br><br><br><br><br><center><font face=\"Arial\"><a href=\"http://www.noviceform.com/\" target=\"_blank\"><font color=\"#ff0000\">Form processing script provided by Novice Form</font></a> </center></font>";

    $backbutton = "<br><br><b>Hit your browsers back button and resubmit the form.</b>";


    /* check to see if posted */
    if ($HTTP_GET_VARS || ! $HTTP_POST_VARS || $_GET || ! $_POST) {
        include("qwserror.php");
        no_pst();
    } else {

        /* IF OLDER VERSION OF PHP CONVERT TO NEWER VARIABLES */
        if (! $_POST) {
            $_POST = $HTTP_POST_VARS;
        }
        if (! $_SERVER) {
            $_SERVER = $HTTP_SERVER_VARS;
        }

        $year  = date("Y");
        $month = date("m");
        $day   = date("d");
        $hour  = date("h");
        $min   = date("i");
        $tod   = date("a");

        $ip = $_SERVER["REMOTE_ADDR"];

        $SEND_prnt  = "The form below was submited by " . $_POST["email"] . " from Ip address: $ip on $month/$day/$year at $hour:$min $tod \r\n";
        $SEND_prnt .= "-------------------------------------------------------------------------\r\n";

        /* CHECK TO SEE IF $_POST["required"] IS SET */
        $isreqe    = "0";
        $REQ_error = "";
        if ($_POST["required"]) {
            $post_required = $_POST["required"];
            $required      = explode(",", $post_required);
            $reqnum        = count($required);

            for ($req = 0; $req < $reqnum; $req++) {
                $REQ_name  = $required[$req];
                $REQ_value = $_POST[$REQ_name];

                if ($REQ_name == "email") {
                    /* only checks the address shape; a value can still pass this and
                       contain text that ends up in the mail headers below */
                    $goodem = preg_match("/^[^@ ]+@[^@ ]+\.[^@ \.]+$/", $_POST["email"]);
                    if (! $goodem) {
                        include("qwserror.php");
                        msng_email();
                    } /* end ! $goodem */
                } elseif (! $_POST[$REQ_name]) {
                    $isreqe     = "1";
                    $REQ_error .= "<li> $REQ_name ";
                } /* end ! req val */
            } /* end REQ for loop */

            /* IF THERE ARE ANY REQUIRED FIELDS NOT FILLED IN */
            if ($isreqe == "1") {
                include("qwserror.php");
                msng_required();
            }
            /* END IF THERE ARE ANY REQUIRED FIELDS NOT FILLED IN */
        }
        /* END CHECK TO SEE IF $_POST["required"] IS SET */

        /* GET POSTED VARIABLES */
        foreach ($_POST as $NVPOST_name => $NVPOST_value) {

            /* GET LEADS EMAIL */
            $email_lower = strtolower($NVPOST_name);
            if ($email_lower == "email") {
                /* the visitor-supplied address, used verbatim in the From header below */
                $SEND_email = "$NVPOST_value \r\n";
            }
            /* END GET LEADS EMAIL */

            if (! $_POST["sort"]) {
                /* CHECK TO SEE IF CONFIG FIELD */
                if ($NVPOST_name == "subject" || $NVPOST_name == "sort" || $NVPOST_name == "required" || $NVPOST_name == "success_page") {
                } else {
                    $SEND_prnt .= "$NVPOST_name: $NVPOST_value \r\n";
                }
            } /* end ! sort */
        } /* end foreach */
        /* END GET POSTED VARIABLES */

        if ($_POST["sort"]) {
            /* SORT VARIABLES */
            $sortvars = explode(",", $_POST["sort"]);
            $sortnum  = count($sortvars);

            for ($num = 0; $num < $sortnum; $num++) {
                $SEND_prnt .= "$sortvars[$num]: " . $_POST[$sortvars[$num]] . " \r\n";
            }
        }
        /* END SORT VARIABLES */

        /* send mail */
        if (! $ccto) {
            $header = "From: $SEND_email\r\n\r\nReply-to: $SEND_email\r\n\r\n";
        } else {
            $header = "From: $SEND_email\r\n\r\nReply-to: $SEND_email\r\nCc: $ccto\r\n\r\n";
        }

        mail($sendto, $_POST["subject"], $SEND_prnt, $header);
        /* END sendmail */

        /* CHECK TO SEE IF FORM SPECIFYS A SUCCESS PAGE */
        if (! $_POST["success_page"]) {
            include("qwserror.php");
            default_success();
        } else {
            $successpage = $_POST["success_page"];
            header("Location: $successpage");  /* redirect */
            exit;
        }
    }
    /* END IF POSTED */

    ?>
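    As an added example for this thread (not the poster's script and not Novice Form code), here is a hardened version of the send step. It assumes the same form field names and an assumed fixed sender address (webform@website.com.au) on the site's own domain; the visitor's address is validated and only ever placed in Reply-To, and any value bound for a header is rejected if it contains a CR or LF, which is the character pair an injected Bcc: line depends on.

```php
<?php
/* Added hardened example, not the poster's script and not Novice Form code.
   Assumes the same field names (email, subject, sort, required, success_page)
   and an assumed fixed sender address on the site's own domain. */

$sendto = "admin@website.com.au";      /* fixed recipient, never taken from the form */
$ccto   = "";

/* A single CR or LF inside a header value is what lets a spammer append
   Bcc: (or any other) header lines, so reject it outright. */
function has_header_injection($value) {
    return preg_match('/[\r\n]/', (string) $value) === 1;
}

/* Strict address check: rejects spaces, angle brackets and line breaks. */
function clean_email($value) {
    $value = trim((string) $value);
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

$visitor = clean_email($_POST["email"] ?? "");
$subject = (string) ($_POST["subject"] ?? "Website contact form");

if ($visitor === null || has_header_injection($subject)) {
    http_response_code(400);
    exit("Invalid form submission.");
}

/* Body text cannot add headers, so it only needs to be readable. */
$body = "Form submitted by $visitor from " . $_SERVER["REMOTE_ADDR"] . "\r\n";
foreach ($_POST as $name => $value) {
    if (is_array($value) || in_array($name, ["subject", "sort", "required", "success_page"], true)) {
        continue;   /* config fields are not user content */
    }
    $body .= $name . ": " . str_replace(["\r", "\n"], " ", $value) . "\r\n";
}

/* From: is a fixed address on our own domain; the visitor's address only
   appears in Reply-To: after validation.  Headers are separated by exactly
   one \r\n; a blank line (\r\n\r\n) ends the header block, which is why the
   doubled \r\n in the original pushes Reply-to into the message body. */
$headers  = "From: webform@website.com.au\r\n";
$headers .= "Reply-To: $visitor\r\n";
if ($ccto !== "") {
    $headers .= "Cc: $ccto\r\n";
}

mail($sendto, $subject, $body, $headers);
```

    The sorting and success-page handling from the original script can be kept unchanged around this; the point is that nothing from $_POST reaches a header line without passing one of the two checks.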

  • #2
    Good start. Now finish the job.

  • #3

    Thanks

    Thanks mcdougals4all, I have posted a question on that thread.

