You are here: Re: Hacked By Spammer « All PHP « IT news, forums, messages
Re: Hacked By Spammer

Posted by J.O. Aho on 01/10/06 11:42

Dan wrote:
>
> I had a php script running under Apache web server on a Debian Linux
> box. The script used a form to send me email using the 'mail'
> routine. Somehow a spammer managed to hijack the script to send spam.
>
> My first question I have, is how did he do it? I've included the
> script below.
> <?php
> }
> else // Second entry to this script, send email based on what was
> in the form.
> {
> $fromText = $_REQUEST['fromText'];
> $msgText = $_REQUEST['msgText'];
> mail( "some address@some domain.com", "Message",
> $msgText, "From: $fromText <$fromText>\n" );
> ?>

The problem is the $fromText, as the spammer can add Cc: and Bcc: to it and
get your script to send the spam to other people than you wanted it to be sent to.

http://www.php.net/manual/en/function.mail.php


> My second question is, how do I set up an -unhackable form and how do
> I test that it's safe? I don't want to have the email address on the
> web page.

You could remove the Cc: and Bcc:, here is a small example how you could do it

$fromText=ereg_replace("Bcc:","",$fromText);

An eregi_replace may be a better function to use.

http://www.php.net/manual/en/function.ereg-replace.php
http://www.php.net/manual/en/function.eregi-replace.php


//Aho

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация