Posted by Neil McDermott on 09/08/05 18:08
Thanks guys.
I do have javascript validation on the form but it only checks that the
email is whatever@something.com. I also have it on the phone field to make
sure it is a number. How then has someone sent an email address in the phone
field?
Also re
You can do something fairly simple to make sure the form is submitted
from the site where it resides:
if (!strstr($_SERVER['HTTP_REFERER'], 'mysite.co.uk')) {
exit ("Invalid referrer");
}
Where does this go in the script?
--
Regards,
Neil McDermott
01604 622345
07841 865970
http://www.easiserv.com
"Tyrone Slothrop" <ts@paranoids.com> wrote in message
news:58g0i19p027doe2lmttjpde1o88g7e12o3@4ax.com...
> On Thu, 8 Sep 2005 13:11:11 +0000 (UTC), "Neil McDermott"
> <neil.mcdermott@easiserv.com> wrote:
>
>>Hello,
>>
>>I hope someone can help.
>>
>>I use a php form to process contact forms on my web sites. Recently I have
>>been receiving lots of strange data coming through the contact forms like
>>this :
>>
>>NB. mysite = the actual site that the contact form is on.
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>From: qsukgmtfqg@mysiteco.uk add to address book
>>Return-Path: mysite.co.uk@hosts.co.uk add to blacklist add to whitelist
>>Delivery-Date: Thursday, September 8, 2005 2:57 AM
>>To: mark@mysite.co.uk
>>Subject: Information request
>>
>>show headers | download source | printable view | back to folder | next
>>message Spam score: 0
>>
>>
>>Name : qsukgmtfqg@mysite.co.uk
>>
>>
>>
>>Phone : qsukgmtfqg@mysiteco.uk
>>
>>
>>
>>Email : qsukgmtfqg@mysiteco.uk
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>It spoofs the address of the site that the contact form is on. This has
>>happened across every site that the form is on so I am guessing there is a
>>vulnerability in the script below. Can anyone help please?
>>
>>
>>php Contact script used >>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>
>><?
>>$name=$_POST['name'];
>>$phone=$_POST['phone'];
>>$email=$_POST['email'];
>>$query=$_POST['query'];
>>$to="enquiries@mysite.co.uk";
>>$from="$email";
>>$message="Customer Name : $name\n\n
>>Phone : $phone\n\n
>>Email Address : $email\n\n
>>Query : $query\n";
>>if (mail($to, "Customer Information", "$message\n", "From: $from"))
>>{$URL="http://www.mysite..co.uk/thankyou.php";header ("Location: $URL");
>>} else {
>>echo "There was a problem sending the mail. Please check that you filled
>>in
>>the form correctly.";
>>}
>>?>
>>
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>Any help would be greatly appreciated. I am no php expert, I simply
>>adjusted a form I found on a php tutorial site.
>>
>>Thank you in advance,
>>
>>Neil
>
> You can do something fairly simple to make sure the form is submitted
> from the site where it resides:
> if (!strstr($_SERVER['HTTP_REFERER'], 'mysite.co.uk')) {
> exit ("Invalid referrer");
> }
>
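The quoted script copies the posted email field straight into the From: header and trusts the browser-side JavaScript checks, which anyone posting to the script directly simply bypasses; the referrer check, if used, belongs at the top of the script before mail() is called, but the Referer header is optional and easily forged, so server-side validation is the real control. A hardened version of the same handler, as an added example that is not the original poster's code (field names and the enquiries@mysite.co.uk address are taken from the thread; the contact-form@ sender address is assumed):

```php
<?php
// Hardened contact handler (added example, not the original poster's script).
// Every field is validated on the server; the JavaScript checks in the page
// are a convenience for users, not a security boundary.

function clean_field($value, int $max): ?string {
    // Extra mail headers ride on CR/LF, so refuse any control character in
    // a value that could reach a header, and insist on a string of sane length.
    if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    $value = trim($value);
    return (strlen($value) >= 1 && strlen($value) <= $max) ? $value : null;
}

function valid_email(?string $email): bool {
    return $email !== null && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function valid_phone(?string $phone): bool {
    // Digits and spaces with an optional leading +, e.g. the numbers in the signature above.
    return $phone !== null && preg_match('/^\+?[0-9 ]{6,20}$/', $phone) === 1;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

$name  = clean_field($_POST['name']  ?? '', 100);
$phone = clean_field($_POST['phone'] ?? '', 20);
$email = clean_field($_POST['email'] ?? '', 254);
$query = is_string($_POST['query'] ?? null) ? $_POST['query'] : ''; // body only, never a header

if ($name === null || !valid_email($email) || !valid_phone($phone) || trim($query) === '') {
    http_response_code(400);
    exit('Please check that you filled in the form correctly.');
}

$to = 'enquiries@mysite.co.uk';
// From: is always our own (assumed) address; the visitor's address goes in
// Reply-To and the body, so the mail is never "from" whatever was typed.
$headers = "From: contact-form@mysite.co.uk\r\nReply-To: $email";
$message = "Customer Name : $name\n\nPhone : $phone\n\nEmail Address : $email\n\n"
         . "Query : " . substr($query, 0, 4000) . "\n";

if (mail($to, 'Customer Information', $message, $headers)) {
    header('Location: http://www.mysite.co.uk/thankyou.php');
    exit;
}
echo 'There was a problem sending the mail.';
```

Rejected submissions get a 400 rather than a mail, so a flood of junk like the one quoted above shows up in the web server log instead of the inbox.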