I use the script below on most of my sites, and it's recently started being abused by people or bots that are sending emails to random people and it looks like it's from my site, which is good in one way, I'm getting a few hits from it, although it won't be long before I get hacked or people make complaints. Does anyone know of any other script I can use?

```php
<?php
/*
CHFEEDBACK.PHP Feedback Form PHP Script Ver 2.01.
$Id: phpscript.txt 1.1 2003/04/17 11:53:45 chris Exp $
*/

// ------------- CONFIGURABLE SECTION ------------------------
$mailto      = 'EMAILADDRESS here';
$subject     = "Contact Form";
$formurl     = "contact.php";
$errorurl    = "index.php";
$thankyouurl = "thankyou.php";
// -------------------- END OF CONFIGURABLE SECTION ---------------

// Raw, unvalidated form input
$name     = $_POST['name'];
$email    = $_POST['email'];
$comments = $_POST['comments'];
$http_referrer = getenv("HTTP_REFERER");

// No email field at all: send the visitor back to the form
if (!isset($_POST['email'])) {
    header("Location: $formurl");
    exit;
}
// Any field empty: send the visitor to the error page
if (empty($name) || empty($email) || empty($comments)) {
    header("Location: $errorurl");
    exit;
}

$messageproper = "This message was sent from:\n"
    . "$http_referrer\n"
    . "------------------------- COMMENTS -------------------------\n\n"
    . $comments
    . "\n\n------------------------------------------------------------\n";

// $name and $email go straight into the mail headers without any check
mail($mailto, $subject, $messageproper,
    "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.01");

header("Location: $thankyouurl");
exit;
?>
```
It is possible that someone is adding a Cc or Bcc line to the submitted email address. Your script does not verify that the person is submitting a valid email address and that only one email address is being submitted. You could add this simple check after retrieving the email address:

```php
$email = $_POST['email'];
// eregi() was removed in PHP 7; preg_match() with the i modifier is the equivalent.
// The D modifier makes $ match only at the very end of the string, as eregi's $ did.
if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/iD', $email)) {
    $email = "";   // an empty $email trips the empty() check and redirects to $errorurl
}
```

This would trigger your error page. Header injection is also possible in the body of the message. But, only if there is NO CR/LF between the header and the body of the email message. I doubt this is happening here.

EDIT -- Also . . . You can limit problems with injection into the body of the text by using PHP's htmlentities() function as follows:

```php
$comments = htmlentities($_POST['comments']);
```

You should also look at the $errorurl which is called when there is a problem and make sure that any user input carried over from the email form is made safe and htmlentities() used to convert all user input to inactive text. Remember, if the script is being hacked, limits on character entry in the email section and even on page verification are useless. They are submitting it back with all the variable info filled in and perhaps trying to set other globals for good measure.
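A hardened version of the same mail() call, added here as an example and not part of either post above: it assumes the form field names from the script (name, email, comments) and uses a placeholder sender address that you would replace with one on your own domain.

```php
<?php
// Added example: validate the contact form fields so no user input can
// start a new mail header. Field names (name, email, comments) are those
// of the script above; the From address is an assumed placeholder.
// True if the value cannot break out of a single header line.
function is_single_header_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}
// Returns a list of errors; an empty list means the submission is safe to send.
function validate_contact(array $post): array
{
    $errors   = [];
    $name     = trim($post['name'] ?? '');
    $email    = trim($post['email'] ?? '');
    $comments = trim($post['comments'] ?? '');

    if ($name === '' || $email === '' || $comments === '') {
        $errors[] = 'all fields are required';
    }
    if (!is_single_header_line($name)) {
        $errors[] = 'name contains a line break';
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one address with no CR/LF,
    // so a second address or an extra header line in this field fails here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a single valid address';
    }
    return $errors;
}
// Send only after validation; the visitor's address is used in Reply-To only,
// and From is a fixed address on our own domain (placeholder, adjust it).
function send_contact(array $post, string $mailto): bool
{
    if (validate_contact($post) !== []) {
        return false;
    }
    $name    = str_replace('"', '', trim($post['name']));
    $headers = "From: contact-form@example.invalid\r\n"
             . "Reply-To: \"$name\" <" . trim($post['email']) . ">\r\n";
    $body    = "Comments:\n\n" . trim($post['comments']) . "\n";
    return mail($mailto, 'Contact Form', $body, $headers);
}
// Constructed inputs: the second one carries a line break plus a second address.
$ok  = ['name' => 'Ann', 'email' => 'ann@example.org', 'comments' => 'Hello'];
$bad = ['name' => 'Ann', 'email' => "ann@example.org\nsecond@example.org", 'comments' => 'Hello'];
var_dump(validate_contact($ok));
var_dump(validate_contact($bad));
```

Because the visitor's address never reaches the From header and both fields are checked for line breaks, a submission that tries to smuggle in extra header lines is rejected before mail() is called.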
Thanks for the help. I'm coming up with a new design for the site, so for the time being I'll take down the contact page, but I'll implement the new code soon.