I recently wrote some very simple code for a prank site and It's been having problems.
The user goes to this site, enters a bunch of info about a friend, and it emails them a link to a fake news story... nothing new. Anyways, Someone's been abusing it, and I need help on how to secure it.
the site is newspaper.freakycowbot.com and I'd love if someone could tell me what to do.
here's some snippets of code from the site to help a little
This is the form where the user input their friends info:
<FORM action="fake.php" method="GET">
<b>Victim's E-mail:</b><br>
<INPUT type="text" style="border-width: 1; border: solid #000000 1px; font-size: 9pt; font-family: verdana;" name="email" size="30" value="Bob@aol.com" maxlength="50">
<br><br>
<b>Victim's First Name:</b><br>
<INPUT type="text" style="border-width: 1; border: solid #000000 1px; font-size: 9pt; font-family: verdana;" name="fn" size="25" value="Joe" maxlength="30">
<br><br>
<b>Victim's Last Name:</b><br>
<INPUT type="text" style="border-width: 1; border: solid #000000 1px; font-size: 9pt; font-family: verdana;" name="ln" size="25" value="Blo" maxlength="30">
<br><br>
<b>Victim's City:</b><br>
<INPUT type="text" style="border-width: 1; border: solid #000000 1px; font-size: 9pt; font-family: verdana;" name="ci" size="25" value="Anaheim" maxlength="40">
<br><br>
<b>Victim's State/Country:</b><br>
<INPUT type="text" style="border-width: 1; border: solid #000000 1px; font-size: 9pt; font-family: verdana;" name="st" size="25" value="California" maxlength="30">
<br><br>
<b>Fake Quote From Victim:</b><br>
<INPUT type="text" style="border-width: 1; border: solid #000000 1px; font-size: 9pt; font-family: verdana;" name="qu" size="55" value="I ate my underpants!" maxlength="50">
<br><br>
<INPUT type="submit" value="Next Step" name="news1"><br>
Here's how it emails it:
<?
$find = array ("/ /");
$replace = array ("+");
$link = 'http://newspaper.freakycowbot.com/news.php?fn='.ucwords($GET["fn"]).'&ln='.ucwords($GET["ln"]).'&ci='.ucwords($GET["ci"]).'&st='.ucwords($GET["st"]).'&qu='.ucfirst($GET["qu"]).'&article='.$GET["article"].'&sex='.$GET["sex"];
$link = preg_replace($find,$replace,$link);
$article = $GET["article"];
$email = strip_tags(trim($GET["email"]));
$subject = 'FCB News - Friend referral';
$body = '<h3><u>FCB News</u></h3>'."<br>".'Our top news story may be of interest to you '.strip_tags(trim($GET["fn"]))."<br>".' A friend of yours found it and thought you might be interested in it.'."<br><br>".'The article is <a href='.$link.'><b>'.$article.'</b></a>';
$body2 = 'FCB News '."\n".' Our top news story may of interset to you '.strip_tags(trim($_GET["fn"]))."\n".' A friend of yours found it and thought you might be interrested in it.'."\n\n".'The article is entitled '.$article.' and can be found at'."\n".' '.$link;
$from = "From: news@freakycowbot.com\nX-Mailer: Tell a Friend Script\n";
?>
<?php
//add From: header
$headers = "From: news@freakycowbot.com\r\n";
//specify MIME version 1.0
$headers .= "MIME-Version: 1.0\r\n";
//unique boundary
$boundary = uniqid("fcbnews");
//tell e-mail client this e-mail contains//alternate versions
$headers .= "Content-Type: multipart/alternative" .
"; boundary = $boundary\r\n\r\n";
//message to people with clients who don't
//understand MIME
$headers .= "This is a MIME encoded message.\r\n\r\n";
//plain text version of message
$headers .= "--$boundary\r\n" .
"Content-Type: text/plain; charset=ISO-8859-1\r\n" .
"Content-Transfer-Encoding: base64\r\n\r\n";
$headers .= chunk_split(base64_encode($body2));
//HTML version of message
$headers .= "--$boundary\r\n" .
"Content-Type: text/html; charset=ISO-8859-1\r\n" .
"Content-Transfer-Encoding: base64\r\n\r\n";
$headers .= chunk_split(base64_encode($body));
//send message
mail($email, $subject, "", $headers);
?>
Anyone know how I can secure this?
