Hi,

just wondering if I can get some help, I have recently set up a PHP site... since doing so the site has been "hacked" twice and my friend who I did the site for has received 10 thousand junk emails a day!.... until the site has been taken off by Pipex...

The second time i was told it is a problem with "formmail.cgi" script which was a free script that the hosting company gave as a free code download.....

has anybody else heard of this? And what is the best solution?

attached is the simple form that has caused the problems! and the script....

thanks for any help in advance!

thanks
Jp

    The problem with old formmail scripts was that in the HTML, you could specify who the recipient was supposed to be. So the owner of the web site would include a line in their HTML that said something like:
    <input type=hidden name=recipient value="me@mydomain.com">

    Then the hacker (spammer, actually) would post to the formmail script BUT they would include their own preferred value for the recipient. So they could use your formmail script to send mail to people. And if you were a spammer and wanted to send out 500 million pieces of mail, wouldn't it be nice to make it look like they came from mrsail's web site? Let them take the blame? And then when they sent out 500 million emails, some of those addresses would be shut off... so the mail would bounce back... to the owner of the site... your friend.

    So here's the solution: Erase formmail.cgi. Write your own in PHP instead (avoid the mistake made in the old formmail script). You already have the <form> written so you're half way there. You just need the second page. It's about 5 minutes work.

      thanks for your help on this, can you recommend a simple PHP form to use? I have looked into this and there are so many I gave up!... the form is very simple, all I want is for it to email the details for each box filled in or ticked?..

      Thanks
      John

        Write your own. It'll only take a few lines of code.

        As etully said, you already have the HTML form. Set the action attribute of the <form> tag to post back to the same page. Then, at the top of that page, add some PHP code that checks to see whether the page was loaded as the result of a form post. If so, it will retrieve the data that was entered into the form, and send it to whomever you like, using the mail() function.

        This method is immune to the attack that's bitten you in the past, because the recipient's email address is stored in the PHP code on the server, rather than being provided by the client.

        Your code might look something like this:

        <?php
        
        // isset() avoids an "undefined index" notice when the page is
        // loaded normally (no form post)
        if ( isset( $_POST["submit"] ) ) {
        
        // we got here as the result of a form submission,
        // so we'll process the form
        
        // you might want to add some validation code here, to
        // make sure the contents of the form are acceptable -
        // or, use client-side Javascript to validate
        
        // retrieve the form data
        $name = $_POST["name"];
        $color = $_POST["color"];
        $fruit = $_POST["fruit"];
        $animal = $_POST["animal"];
        
        // build the email body
        $email_body = "$name's favorite color is $color, his/her favorite fruit is $fruit, and his/her favorite animal is $animal!";
        
        // send the email - the recipient is fixed here on the server,
        // never taken from the form
        mail( "recipient@somewhere.com", "My Favorite Things", $email_body );
        
        // redirect to the confirmation page and stop, so nothing
        // below the redirect is executed
        header( "Location: confirmation_page.html" );
        exit;
        
        }
        
        ?>
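As an added example (not code posted in this thread, and not the hosting company's formmail), here is a self-posting PHP handler that builds on the two answers above: the recipient is a constant on the server, only the four field names from the example form are read, and user-supplied values are stripped of CR/LF before they go anywhere near a mail header, since a line break in a field is the other way a form mailer gets turned into an open relay. The recipient and sender addresses, the `email` reply-to field, and the `confirmation_page.html` target are placeholders.

```php
<?php
// Added example, not from the thread. Self-posting contact form handler.
// The formmail mistake was, in effect:  mail($_POST['recipient'], ...)
// so anyone could pick the destination. Here the destination is fixed
// on the server and nothing sent by the client can change it.

const RECIPIENT = 'owner@example.com';   // placeholder, lives only on the server
const SENDER    = 'webform@example.com'; // placeholder envelope/From address
const SUBJECT   = 'My Favorite Things';
const MAX_LEN   = 200;

// Only these fields are read. An extra "recipient" or "bcc" field a spammer
// adds to the post is simply ignored.
const FIELDS = ['name', 'color', 'fruit', 'animal'];

/**
 * Trim, length-limit, and remove CR/LF/NUL from one form value so it can
 * never be used to inject additional mail headers or recipients.
 */
function clean_field(string $value): string
{
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    return mb_substr(trim($value), 0, MAX_LEN);
}

/**
 * Validate the posted data. Fills $data with cleaned values and returns a
 * list of error messages (empty when the submission is acceptable).
 */
function validate_form(array $post, array &$data): array
{
    $errors = [];
    $data   = [];
    foreach (FIELDS as $field) {
        $value = clean_field((string) ($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "Missing field: $field";
        }
        $data[$field] = $value;
    }
    // Optional reply address (hypothetical "email" field): accepted only if it
    // is one syntactically valid address, and used in Reply-To, never in To.
    $reply = clean_field((string) ($post['email'] ?? ''));
    if ($reply !== '' && filter_var($reply, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid reply address';
    }
    $data['email'] = $reply;
    return $errors;
}

function build_body(array $data): string
{
    return sprintf(
        "%s's favorite color is %s, favorite fruit is %s, and favorite animal is %s.\n",
        $data['name'], $data['color'], $data['fruit'], $data['animal']
    );
}

// Check the request method rather than a "submit" field, so the handler does
// not depend on which button name the browser happens to send.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data   = [];
    $errors = validate_form($_POST, $data);
    if ($errors === []) {
        $headers = "From: " . SENDER . "\r\n";
        if ($data['email'] !== '') {
            $headers .= "Reply-To: {$data['email']}\r\n";
        }
        mail(RECIPIENT, SUBJECT, build_body($data), $headers);
        header('Location: confirmation_page.html');
        exit;   // nothing after a redirect should run
    }
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
}
?>
<form method="post" action="">
  Name:   <input name="name"><br>
  Color:  <input name="color"><br>
  Fruit:  <input name="fruit"><br>
  Animal: <input name="animal"><br>
  Email (optional): <input name="email"><br>
  <input type="submit" value="Send">
</form>
```

Two things to check on a real deployment: that the script only ever calls `mail()` with the constant recipient (grep the file for `mail(`), and that no field value reaches a header without passing through `clean_field()`, since the `Reply-To` line is the one place user input is placed in a header at all.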