php spammers



andyryan
June 11th, 2007, 08:53 AM
I posted this a while ago but got no replies... :*(
Anyway, I thought I'd give it another go.

I am running a contact form in my Flash website that uses a PHP file to send an email to me containing certain variables. Since I put this online, I have received a lot of spam mail to this address. I have been told that my code is vulnerable to attack from spammers by PHP injection? I'm not very clever and don't really know how to safeguard against this. I have looked at a few articles about this but I am a young, naive newbie and don't really understand them. Could anyone help me secure my PHP code? It is fairly simple, as below:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>untitled</title>
</head>

<body>
<?php
// Every field is taken from the request as posted, and $email goes straight into the Reply-To header.
$name = $_POST["name"];
$email = $_POST["email"];
$number = $_POST["number"];
$message = $_POST["message"];
$to = "myemail@somewhere.com";
$subject = "website enquiry";
$msg = "$name has contacted you regarding your website. Their contact details are below:\n
email address- $email contact phone number- $number\n\n";
$msg .= "Message from $name:\n$message\n\n";
mail($to, $subject, $msg, "From: apryan website\nReply-To:$email\n");
?>

</body>
</html>

Charleh
June 11th, 2007, 09:08 AM
Code injection is basically when someone uses variables in your code to 'inject' their own code into your web application. Your POST vars, for example, are easily exploitable: anyone can browse to your page and send any POST variables they want to it.

Headers are sent in an HTTP page request, and the 'POST' headers (basically like a query string, but not usually visible to the client in a browser) can be changed to whatever you want.

You basically need to ensure that it definitely is your Flash website that's calling the code on that page. For an initial level of safety you could simply hard-code a password into the PHP page, which is sent from the Flash application and checked against the password in the script, to make sure it is your application that's making a mail-send request.

It also depends on whether you have made the PHP file visible to a browser of your site. If you put it in a protected directory that only your Flash app has access to, that should help. I'm not sure if spam bots work on Flash sites (I don't think they do), but this is also a possibility: that a spam bot is using your actual site to fill in the blanks and send emails...
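
To make the point above concrete, here is an added example (not code from the thread) that builds the mail headers exactly the way the posted script does and prints what they turn into when a bot puts a line break in the "email" field. Nothing is sent; the function and sample names are invented for the demonstration, and it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread: it shows what the posted
// script's header string looks like when a spam bot fills in the "email"
// field. Nothing is sent; the headers are only built and printed.
// Assumes PHP 7+ (scalar type hints).

// Build the 4th argument of mail() exactly as the thread's script does.
function build_headers(string $email): string
{
    return "From: apryan website\nReply-To:$email\n";
}

// A header-injection payload cannot work without a line break, so this is
// the one check that matters for any value that ends up in a mail header.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Split the header block into the individual "Name: value" lines a mail
// transport would see, so the injected lines stand out.
function header_lines(string $headers): array
{
    $lines = preg_split('/\r\n|\r|\n/', $headers);
    return array_values(array_filter($lines, function ($l) { return $l !== ''; }));
}

// Constructed inputs: a real visitor, then a bot. The bot does not need the
// Flash movie at all; this is enough from any machine (hostname made up):
//   curl --data-urlencode $'email=x@example.com\nBcc: v1@example.net' \
//        --data 'name=a&number=1&message=hi' http://www.example.com/contact.php
$visitor = 'alice@example.com';
$bot     = "alice@example.com\nBcc: victim1@example.net, victim2@example.net\nSubject: cheap pills";

foreach (['visitor' => $visitor, 'bot' => $bot] as $who => $email) {
    echo "== $who ==\n";
    echo 'line break in field: ' . (has_line_break($email) ? 'yes (reject)' : 'no') . "\n";
    foreach (header_lines(build_headers($email)) as $line) {
        echo "  $line\n";
    }
}
```

Run it from the command line with php and compare the two blocks: the visitor produces a From and a Reply-To line, the bot produces those plus a Bcc line with its own recipients, which the mail server will honour because it cannot tell the injected lines from the ones the script wrote. That is why the email field, and any other field that is placed in a header, has to be checked for \r and \n before it goes anywhere near mail().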

andyryan
June 11th, 2007, 11:44 AM
Thanks for the reply, Charleh. I appreciate it. That makes a bit more sense to me. How do I go about setting up a password in a PHP file? And how would the Flash movie send the password to the PHP file?

And when you talk about setting up secure directories on the server... how would I do this?

Charleh
June 11th, 2007, 11:48 AM
Well, I've looked at your code for a bit and I can't really see anything that would be glaringly obviously exploitable. I'd assume that the code is OK; it's just the access to your script which is letting you down. But I'm no expert on web servers and permissions.

I'm not 100% on how to set it up, but I'd assume you'd just want to turn off directory browsing and put the PHP script in a different folder from your web root, then make this folder only accessible from an authenticated user account. You are probably best off waiting for a more web-savvy person to help. Out of curiosity, what web server are you using? Apache? IIS?

andyryan
June 11th, 2007, 12:16 PM
Will I be laughed out of kirupa if I say I have no idea what server it is?! It is through a company called dataflame and I just had a look at my details... is there such a thing as
Microsoft Windows Server 2003? If that isn't what you mean then I apologise. :whistle:

Charleh
June 11th, 2007, 01:24 PM
Heh, well, I'd get on Wikipedia and look up some terms :)

A server is basically a machine which sits on a network (or the web) which... for want of a better word... serves...

It sends content and data out to clients (clients being other computers on the network which are not the server, i.e. your machine), usually as a response to client requests. So for instance the website that you are currently browsing must be hosted (kept on a server) somewhere, so that when you send a request to view a page it sends you back the right one. (It's a lot more complex than this; trust me, there's loads of stuff that nameservers have to do to turn your www.kirupa.com into an address to find a PC on the network, and then the kirupa server has to do a lot of processing on its end to send you the dynamic content that comprises a 'forum'!)

Anyway, Windows Server 2003 is good enough; that means you are most likely running IIS (Internet Information Services). All you need to do now is figure out how to do what I said in IIS :)

I've got it on my machine and at some point I'll try and figure it out for you... in the meanwhile, anyone else know off the top of their heads?

andyryan
June 12th, 2007, 05:52 AM
Cheers, I appreciate the effort. And thanks for the lowdown on servers!! I'll remember that.

rvturnage
June 12th, 2007, 02:33 PM
I'm no expert, but here's something I found on another forum (a site for a book I purchased on PHP: PHP & MySQL for Dynamic Websites by Larry Ullman) that will help make sure your form isn't being used to send spam.


<?php
function clear_user_input($value) {

    // Check for bad values:
    if (stristr($value, 'content-type')) return '';
    if (stristr($value, 'bcc:')) return '';
    if (stristr($value, 'to:')) return '';
    if (stristr($value, 'cc:')) return '';
    if (stristr($value, 'href')) return '';

    // Strip quotes, if Magic Quotes are on (the function no longer exists in
    // PHP 8, so guard the call):
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);

    // Replace any newline characters with spaces:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);

    // Return the value:
    return trim($value);

}
// Clean every posted field once, then read from $_SAFE_POST instead of $_POST:
$_SAFE_POST = array_map('clear_user_input', $_POST);

$name = $_SAFE_POST["name"];
$email = $_SAFE_POST["email"];
$number = $_SAFE_POST["number"];
$message = $_SAFE_POST["message"];
$to = "myemail@somewhere.com";
$subject = "website enquiry";
$msg = "$name has contacted you regarding your website. Their contact details are below:\n
email address- $email contact phone number- $number\n\n";
$msg .= "Message from $name:\n$message\n\n";
mail($to, $subject, $msg, "From: apryan website\nReply-To:$email\n");
?>
This should protect against potentially malicious PHP code hijacking your form and using it to send spam to unknown numbers of users. If any code for altering the header information (and therefore who the form is sent to) is entered into your form fields, then that information is deleted. Otherwise, a spammer could potentially overwrite your "to" or BCC settings as well as any other variables they saw fit to.

This won't prevent you specifically from getting spam via the form itself, since your email is hard-coded into it. You can slow that down by requiring a few fields and even creating a CAPTCHA (http://en.wikipedia.org/wiki/Captcha) image code that must be entered into a form field in order for the form to work.

andyryan
June 13th, 2007, 07:17 AM
thanks for that.^

Would that be something that I could copy and paste into my code, or does it need editing... as quite frankly I have no idea what any of it means.

BetaWar
June 13th, 2007, 10:08 AM
It looks like you could copy/paste it; it uses all the same variable names, just checks them first.

I would backup your previous code though, just in case.

I would also add in:


// Strips all HTML tags from a value, so run every variable through it
// (assign the result back; strip_tags() does not change its argument in place):
$value = strip_tags($value);

// And this, which converts to HTML-safe characters just in case; with this all < turn into &lt; and so on:
$value = htmlspecialchars($value, ENT_QUOTES);


So your new code would look like:

<?php
function clear_user_input($value) {

    // Check for bad values:
    if (stristr($value, 'content-type')) return '';
    if (stristr($value, 'bcc:')) return '';
    if (stristr($value, 'to:')) return '';
    if (stristr($value, 'cc:')) return '';
    if (stristr($value, 'href')) return '';

    // Strip quotes, if Magic Quotes are on (the function no longer exists in
    // PHP 8, so guard the call):
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $value = stripslashes($value);

    // Replace any newline characters with spaces:
    $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);

    // Strip all HTML tags from the value (the result has to be assigned back):
    $value = strip_tags($value);

    // Convert to HTML-safe characters just in case; with this all < turn into &lt; and so on:
    $value = htmlspecialchars($value, ENT_QUOTES);

    // Return the value:
    return trim($value);

}
// Clean every posted field once, then read from $_SAFE_POST instead of $_POST:
$_SAFE_POST = array_map('clear_user_input', $_POST);

$name = $_SAFE_POST["name"];
$email = $_SAFE_POST["email"];
$number = $_SAFE_POST["number"];
$message = $_SAFE_POST["message"];
$to = "myemail@somewhere.com";
$subject = "website enquiry";
$msg = "$name has contacted you regarding your website. Their contact details are below:\n
email address- $email contact phone number- $number\n\n";
$msg .= "Message from $name:\n$message\n\n";
mail($to, $subject, $msg, "From: apryan website\nReply-To:$email\n");
?>
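
The two posts above clean the fields by looking for keywords and replacing newlines. The following is an added example, not code from the thread or from either poster, of the alternative a security engineer would usually reach for: validate each field against what it should look like, reject the whole request when anything is off instead of silently blanking a field, and check the shared password Charleh suggested. The field name "token", the secret, the From address and the sample inputs are all invented here; it assumes PHP 7.1 or later (hash_equals, the ?? operator and short list syntax).

```php
<?php
// Added example, not code from the thread: a stricter replacement for the
// keyword-blocklist sanitizer posted above. It validates each field against
// what it should look like, rejects the request outright instead of silently
// blanking fields, and checks a shared secret sent by the Flash movie.
// Assumptions: PHP 7.1+, the secret is stored outside the web root, and the
// SWF posts it in a field named "token" (the names are made up here).

const TOKEN_FIELD = 'token';

// Returns [true, []] when every field is acceptable, otherwise
// [false, ['field' => 'reason', ...]]. Nothing is rewritten: a field with a
// line break is an attack, not something to clean up.
function validate_contact(array $post, string $expected_token): array
{
    $errors = [];

    // 1. Shared secret from the SWF. hash_equals() compares in constant
    //    time, which a plain == does not.
    if (!isset($post[TOKEN_FIELD]) || !hash_equals($expected_token, (string)$post[TOKEN_FIELD])) {
        $errors[TOKEN_FIELD] = 'missing or wrong token';
    }

    // 2. Every field that ends up in a header must be a single line.
    foreach (['name', 'email', 'number'] as $f) {
        if (isset($post[$f]) && preg_match('/[\r\n]/', $post[$f])) {
            $errors[$f] = 'line break not allowed';
        }
    }

    // 3. Allowlist the shape of each value rather than blocklisting words.
    $email = $post['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    $name = trim($post['name'] ?? '');
    if ($name === '' || strlen($name) > 80) {
        $errors['name'] = 'required, at most 80 bytes';
    }
    $number = trim($post['number'] ?? '');
    if ($number !== '' && !preg_match('/^\+?[0-9 ()-]{6,20}$/', $number)) {
        $errors['number'] = 'digits, spaces, +, () and - only';
    }
    $message = $post['message'] ?? '';
    if (trim($message) === '' || strlen($message) > 4000) {
        $errors['message'] = 'required, at most 4000 bytes';
    }

    return [empty($errors), $errors];
}

// Build the mail the way the thread's script does, but only from values that
// passed validate_contact(). Reply-To is the only user-controlled header and
// is now guaranteed to be a single, well-formed address. The From address is
// an assumption; use one your mail server accepts.
function build_mail(array $post, string $to): array
{
    $body  = "{$post['name']} has contacted you regarding your website. Their contact details are below:\n";
    $body .= "email address- {$post['email']} contact phone number- {$post['number']}\n\n";
    $body .= "Message from {$post['name']}:\n{$post['message']}\n\n";
    $headers = "From: apryan website <noreply@example.com>\r\nReply-To: {$post['email']}\r\n";
    return [$to, 'website enquiry', $body, $headers];
}

// --- Demonstration with constructed input (no mail is sent) ---
$secret = 'change-me-and-keep-out-of-the-web-root';

$good = ['token' => $secret, 'name' => 'Alice', 'email' => 'alice@example.com',
         'number' => '+44 20 7946 0000', 'message' => 'Please reply to: my work address.'];
$bad  = ['token' => $secret, 'name' => 'Bot', 'email' => "bot@example.com\nBcc: victim@example.net",
         'number' => '', 'message' => 'buy now'];

foreach (['good' => $good, 'bad' => $bad] as $label => $post) {
    [$ok, $errors] = validate_contact($post, $secret);
    echo "$label: " . ($ok ? 'accepted' : 'rejected ' . json_encode($errors)) . "\n";
    if ($ok) {
        [$to, $subject, $body, $headers] = build_mail($post, 'myemail@somewhere.com');
        // mail($to, $subject, $body, $headers);   // enable on the live server
        echo "headers would be:\n$headers";
    }
}
```

Two things worth noticing when you run it. The "good" message contains the text "reply to:", which the stristr($value, 'to:') check in the posted sanitizer would silently turn into an empty message while still sending the mail; validating the shape of the address instead of hunting for words avoids that. And the "%0a"/"%0d" replacements in the posted code never see anything, because PHP has already URL-decoded the request into $_POST, so a bot sends a real newline, which is what the preg_match above rejects. Bear in mind that a password compiled into a SWF can be read by anyone who downloads and decompiles the movie, so the token keeps out casual bots rather than a determined spammer; the CAPTCHA rvturnage mentions, or simple rate limiting per address, is the complement to it.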

andyryan
June 13th, 2007, 11:07 AM
Thanks for that, BetaWar. I will try it out.

rvturnage
June 13th, 2007, 04:36 PM
Thanks for that.^

Would that be something that I could copy and paste into my code, or does it need editing... as quite frankly I have no idea what any of it means.

Like BetaWar said, it can be used as is (or with his additions). I just added the "cleaning code" to the top of what you had posted and then changed $_POST in your original code to $_SAFE_POST so that it would pick up the cleaned values from the form.

Even if you need to add any fields to your form, there is no need to change anything in the top part of the code. It simply goes through and checks all values posted from your form (contained in the $_POST superglobal variable), cleans them if necessary, and then saves them into the $_SAFE_POST array. Just make sure you use $_SAFE_POST instead of $_POST if you add any new form fields and variables, so that it pulls the cleaned-up data from the $_SAFE_POST array.

Hope that makes sense...

rt

PS thanks for the addition BetaWar...I knew I was forgetting something! Off to add that to my site now. :)