Php Security

liunx

Guest
Hello

Just a quick question. I was reading the latest email from TCH about the spam abuse through PHP email scripts. I did have a PHP script on my account and I am unsure if it was safe.

The script was accessed through a Flash movie and was just up there for testing purposes. The script I used is as follows:

<?php

$to = '[email protected]';
$subject = 'Feedback from Flash site';

// Body of the message, built from the posted form fields
$message = 'From: '.$_POST['from']."\n\n";
$message .= 'Email: '.$_POST['email']."\n\n";
$message .= 'Address: '.$_POST['snail']."\n\n";
$message .= 'Phone: '.$_POST['phone']."\n\n";
$message .= 'Comments: '.$_POST['comments'];

// Extra mail headers; the Reply-To value comes straight from the form
$additionalHeaders = "From: Flash feedback<[email protected]>\n";
$additionalHeaders .= "Reply-To: {$_POST['email']}";

$OK = mail($to, $subject, $message, $additionalHeaders);

if ($OK) {
    echo 'sent=OK';
}
else {
    echo 'sent=failed&reason='. urlencode('There seems to be a problem with the server. Please try later.');
}
?>

As I said previously, the POST arrays are sent via a Flash movie. Is this script left open to abuse if left on my account? (I've taken it down just in case.)

If so,
SORRY

Any help would be fantastic.
Thanks
Daz :)
Looking at your script I would say that it is NOT safe from header injection.

Even though you have Flash posting the data, anyone that finds your script could pass data to it without using your Flash form.

You can read up on Email Injection: http://securephp.damonkohler.com/index.php/Email_Injection
Right, if I amended the script as follows:

// Reject a CR or LF in the user-supplied value before it is placed in a header
$replyTo = $_POST['email'];
if (preg_match("/[\r\n]/", $replyTo)) {
    die("Why ?? :(");
}
$additionalHeaders = "From: Flash feedback<[email protected]>\n";
$additionalHeaders .= "Reply-To: $replyTo";

and then saved it within the private folder of my hosting space, would that resolve the problem? (I'm just learning PHP, as you may have guessed, ha.)

Thank you,
Darren
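A hardened version of the feedback handler discussed in the two posts above, added here as an example; it is not code from this thread. The addresses are placeholders, and the names `has_header_newline`, `safe_reply_to` and `send_feedback` are chosen for this example. It keeps the fixed From header, validates the Reply-To value before it can reach a header, and shows a constructed input with an injected CRLF being refused.

```php
<?php
// Added example, not from the thread: the feedback handler rebuilt so that
// user input can never reach a mail header unchecked. Addresses are placeholders.

// True if $value contains a CR or LF, the characters that let a caller start
// an extra header line of their own.
function has_header_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Return a Reply-To value safe to place in a header, or null to refuse.
// A single syntactically valid address is accepted; anything else is rejected.
function safe_reply_to(string $raw): ?string
{
    $addr = trim($raw);
    if ($addr === '' || has_header_newline($addr)) {
        return null;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}

function send_feedback(array $post): bool
{
    $to      = 'feedback@example.com'; // placeholder recipient
    $subject = 'Feedback from Flash site';

    // Newlines in the body are harmless; only headers need protecting.
    $message  = 'From: '     . ($post['from']     ?? '') . "\n\n";
    $message .= 'Email: '    . ($post['email']    ?? '') . "\n\n";
    $message .= 'Address: '  . ($post['snail']    ?? '') . "\n\n";
    $message .= 'Phone: '    . ($post['phone']    ?? '') . "\n\n";
    $message .= 'Comments: ' . ($post['comments'] ?? '');

    // The From header is fixed; the Reply-To is validated before use.
    $replyTo = safe_reply_to($post['email'] ?? '');
    if ($replyTo === null) {
        return false; // refuse to send rather than mail a tampered header
    }
    $headers  = "From: Flash feedback <noreply@example.com>\r\n"; // placeholder
    $headers .= "Reply-To: $replyTo\r\n";

    return mail($to, $subject, $message, $headers);
}

// Constructed input carrying an injected CRLF, next to a clean address.
$tampered = "user@example.com\r\nX-Injected: yes";
var_dump(safe_reply_to($tampered));
var_dump(safe_reply_to('user@example.com'));
```

Because the handler refuses to send when validation fails, a tampered request produces no mail at all rather than a mail with attacker-controlled headers.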