04-03-2006, 06:45 AM
WebProWorld New Member
Join Date: Aug 2003
Posts: 6
Php form gets submitted with invalid email-id
Hello,
I have a php form on http://www.wideinfotech.com/onlinecall.php3
Whenever someone fills up the form I get a mail with the fields that have been filled.
I started getting mails with junk characters like
onthefield@wideinfotech.com - filled up in all the fields. Then I kept a javascript code which doesn't allow the form to be submitted if there is 'wideinfotech.com' in the string, still I used to receive the mails with 'sometext@wideinfotech.com' filled up in all the fields. Right now I have disabled the form because of the same.
Kindly guide as to how can I control this.
regds
Ani

04-04-2006, 02:36 AM
WebProWorld Pro
Join Date: May 2004
Location: Austin, TX
Posts: 199
A really simple solution could be
in the very top of onlinecall.php3 add..
<?php if (stristr($_POST['email'] ?? '', "wideinfotech")) die(); // stop before any mail is sent ?>

04-07-2006, 05:00 PM
WebProWorld Veteran
Join Date: Jul 2003
Location: Colorado
Posts: 381
It sounds like a bot filling out the form. Do some validation on the data and you can kill all that is coming in like that.

04-07-2006, 07:24 PM
WebProWorld Member
Join Date: Jan 2005
Posts: 78
You should forget about JavaScript validation for this and do your validation in PHP instead. Whoever is submitting your form is submitting it via another script that bypasses your JavaScript validation. Usually, a simple referrer check is all you need to kill these bogus messages and you should be using a referrer check on any scripts on your server that are capable of sending mail. This will ensure that the form can only be submitted from your domain. You could do like I do and set a session variable with the current page info the first time you load the page and then do a check for that info when the form is submitted. If the page hasn't been loaded prior to the form being submitted, this info will not be available to your script and it will die. To do this you could put the following at the top of your script:
Code:
session_start();
$allowed_referrers = array();
$allowed_referrers[] = $_SERVER['PHP_SELF'];
Then wherever you call the mail() function, put this before the function call...
Code:
// the session value only exists once this page has been loaded normally
if (!isset($_SESSION['referrer']) || !in_array($_SESSION['referrer'], $allowed_referrers)) {
    die("You have attempted to submit a message from somewhere outside our domain. Please don't do that.");
}
And at the bottom of your script, put this code:
Code:
$_SESSION['referrer'] = $_SERVER['PHP_SELF'];
So that the last thing that will happen when the page is loaded is the session will save the name of your current script. It will then be available for your referrer check on the next page load.
I use an array to hold the referrer info so that I can set up multiple valid referrers by adding other pages to the array. If you don't like that you can always just store the value as a simple string and then use the regular string comparison operators and/or functions.
Also, this method is not TOTALLY foolproof, since session ids can be easily viewed by your user and then resubmitted with an automated request, which would circumvent this protection, but it might slow them down a bit. I'm not positive the code I posted is totally correct, but it should be pretty close to what you need. If not, a quick search for "php email referrer check" will pull up many other posts on the subject.
04-07-2006, 07:53 PM
WebProWorld Member
Join Date: Dec 2003
Location: US
Posts: 35
Here's an error loop to prevent it:
Code:
<?php
$error = '';
// get all the email form data (assumes POST fields named message, subject and address)
$message = $_POST['message'] ?? '';
$subject = $_POST['subject'] ?? '';
$address = $_POST['address'] ?? '';
$ems = '';
// stop email server hacks
$ems .= $message;
$ems .= $subject;
$ems .= $address;
if ( stristr( $ems, 'content-type:' ) || stristr( $ems, 'multipart/mixed' ) || stristr( $ems, 'boundary="' ) || stristr( $ems, 'cc:' ) || stristr( $ems, 'multi-part message in mime format' ) || stristr( $ems, 'to:' ) || preg_match( "/%[a-f0-9]/i", $ems ) || stristr( $ems, '0x' ))
// the last two are in case they try using hex or other non standard characters
{
$error .= "<p>
Don't bother</p>";
}
if ( $error )
{
echo $error;
}
else
{
// ...... finish email sending
}
?>
__________________
Champagne to real friends and real pain to sham friends.
04-07-2006, 08:02 PM
WebProWorld 1,000+ Club
Join Date: Oct 2003
Location: Encinitas, CA
Posts: 1,908
Other things to keep in mind include naming the script file something that doesn't identify it as a mail script. For example, sendmail.php is a dead giveaway.
The script itself should strip tags and bar line feeds. What is probably happening to your site is it is being hijacked to launch spam. Typically, they use your domain name as the "from" address. So, yes, you want the script to die, if that is entered anywhere.
Besides annoying you, you don't want your site flagged as a source of spam.
__________________
DrTandem's San Diego Web Page Design, drtandem.com
04-08-2006, 05:09 AM
WebProWorld Veteran
Join Date: Sep 2005
Location: Kerala, India
Posts: 397
Firstly validate the form using PHP only. JavaScript is useless. Add this code for all the fields:
$name = $_POST['name'];
$email = $_POST['email'];
and
if (!isset($_POST['email'])) {
header( "Location: http://www.wideinfotech.com/onlinecall.php3" );
exit; // header() alone does not stop the script, so end it here
}
to make sure your script was called from your feedback form. If not the script redirects the visitor back to your feedback form.
For the Email field this code would also prove useful to prevent multiple mails.
if (preg_match("/\n/", $_POST['email'])) { // a line break in the address would let extra mail headers in
return; }
I am no expert in PHP and would be grateful if anyone can pick out any mistakes.
langard's additional code suggestion is very good except that it would not work if the form has the provision for attachments.
04-10-2006, 04:51 AM
WebProWorld Pro
Join Date: Feb 2004
Posts: 104
Spammers are probing your PHP code
DrTandem1 said: "What is probably happening to your site is it is being hijacked to launch spam. Typically, they use your domain name as the 'from' address. So, yes, you want the script to die, if that is entered anywhere."
I believe that is what is happening. We have seen this in attacks on perl scripts where a hacker was able to launch a series of commands into one of the fields on a web form that happened to be part of the email header (either a subject field or email field). The problem with the script was the client thought the on-page javascript would do all the field validation but as other posters have stated that can be easily circumvented by a hacker. The key is to make sure the PHP or Perl script has a maximum character limit set for each field in your form.
For example the text field where a user enters their email address on your form should have some reasonable maximum limit of characters, say for example 40 characters. And make sure this limit is checked by the PHP script. An on-page javascript or HTML maxlength value will not stop a hacker.
Also make sure there are validations in the script to do referrer checks and to check for meta characters.
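As an added example (not code from this thread or from the site in question), in the spirit of langard's error loop, Sands's newline check and the length limits above: a server-side handler that rejects mail-header injection before mail() is ever called. It assumes form fields named name, email, subject and message, and uses placeholder values for the site's own domain and the recipient address.

```php
<?php
// Added example, not code from this thread; field names, $site_domain and $recipient are assumptions.
function header_field(string $value, int $max_len): ?string
{
    // A value that lands in a mail header must be one line: a raw or URL-encoded CR/LF
    // lets the submitter append Cc:/Bcc:/Content-Type: headers of their own.
    $value = trim($value);
    if ($value === '' || strlen($value) > $max_len) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value) || preg_match('/%0[ad]/i', $value)) {
        return null;
    }
    return $value;
}

function sender_email(string $value, string $site_domain): ?string
{
    $value = header_field($value, 40);   // the 40-character cap suggested above
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // The bot in the thread fills every field with something@<site's own domain>; a real visitor never does.
    $domain = substr($value, strrpos($value, '@') + 1);
    return strcasecmp($domain, $site_domain) === 0 ? null : $value;
}

function body_text(string $value, int $max_len): ?string
{
    // The body may contain line breaks, but normalise them, drop markup and cap the size.
    $value = strip_tags(str_replace(["\r\n", "\r"], "\n", $value));
    return strlen($value) <= $max_len ? $value : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    die('The form must be submitted with POST.');
}
$site_domain = 'example.com';        // placeholder: the site's own domain
$recipient   = 'forms@example.com';  // placeholder: where the mail is delivered
$name    = header_field($_POST['name'] ?? '', 60);
$email   = sender_email($_POST['email'] ?? '', $site_domain);
$subject = header_field($_POST['subject'] ?? '', 80);
$message = body_text($_POST['message'] ?? '', 4000);
if ($name === null || $email === null || $subject === null || $message === null) {
    die('Sorry, could not send email. Please check the fields and try again.');
}
// From: is always the site's own address; the visitor's address only ever goes in Reply-To.
$headers = "From: $recipient\r\nReply-To: $email\r\nContent-Type: text/plain; charset=UTF-8";
mail($recipient, $subject, "From: $name <$email>\n\n$message", $headers);
```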
04-10-2006, 04:56 AM
WebProWorld Pro
Join Date: Feb 2004
Posts: 104
Re: Spammers are probing your PHP code
One other thing. Don't get confident that just because you have a referrer check in place that you are safe.
Good hackers can easily fake referrers. I have never quite figured out how they do it sometimes but I have seen it in many a server log.
The character limit does severely limit what they can do and if you properly parse the data you can prevent them from trying to run non-intended PHP code.
04-11-2006, 04:29 AM
WebProWorld Member
Join Date: Dec 2003
Location: US
Posts: 35
Don't depend upon referrers at all. The PHP manual warns not to in the $_SERVER['HTTP_REFERER'] section, also. Referrers are sometimes provided, sometimes not, by the servers routing the HTTP requests. Most corporate servers, for instance, are behind firewalls and won't give you a referrer.
Better ways to check. For instance, we disallow entire countries by IP address block for some of our sites.

04-17-2006, 02:16 AM
WebProWorld New Member
Join Date: Aug 2003
Posts: 6
Tried with POST variables
Hello,
Thanks a lot all of you guys for your replies.
I tried out following _
if($_SERVER['REQUEST_METHOD']=="POST") // $REQUEST_METHOD on its own only works with register_globals
{
$name = $_POST['name'];
$email = $_POST['email'];
if(!isset($name))
{
die ("Sorry could not send email, Please try after some time.");
}
}
But even after that I am still getting the spam mails.
Hence I have now again disabled the form.
Kindly advise what else I can do.
regds
Anita
04-17-2006, 09:38 PM
WebProWorld Veteran
Join Date: Sep 2005
Location: Kerala, India
Posts: 397
Re: Tried with POST variables
Quote:
Originally Posted by Ani
Hello,
Thanks a lot all of you guys for your replies.
I tried out following _
if(!isset($name))
{
die ("Sorry could not send email, Please try after some time.");
}
But even after that I am still getting the spam mails.
It should be:
if (!isset($_POST['email'])) { die ("Sorry could not send email, Please try after some time."); }
And also try limiting the characters allowed in the E-mail field using PHP as suggested by nelsonez.
This is the code:
if (strlen($email) > 40) { die ("Sorry could not send email, Please try after some time."); }
Try it and see! All the best, cheerio!
05-04-2006, 09:49 AM
WebProWorld Pro
Join Date: Jul 2003
Location: UK
Posts: 214
Hi Sands,
Thanks for advice to check this thread, but I still haven't much of an idea on how to proceed. I use formmail.cgi (I think!) - would I be able to use that code in the formmail file?
Thanks in advance,
Darren.
05-04-2006, 10:41 AM
WebProWorld Veteran
Join Date: Sep 2005
Location: Kerala, India
Posts: 397
Quote:
Originally Posted by darren13
Thanks for advice to check this thread, but I still haven't much of an idea on how to proceed. I use formmail.cgi (I think!) - would I be able to use that code in the formmail file?
Hello Darren,
Sorry, I have no idea about CGI. Anyway none of the above measures are foolproof. There is a link that might prove useful for those using PHP.
http://www.alt-php-faq.org/local/115/
05-09-2006, 10:45 AM
WebProWorld Pro
Join Date: Jul 2003
Location: UK
Posts: 214
Okay,
Well thanks for trying anyway Sands, appreciated,
Darren.