simenss, posted 6 February 2007

Lately I have had a couple of cases where someone uses the contact form on my website to send out spam. I have taken some measures, but to no avail. The script I use is a "ready-made script" that automatically sends every field I add to the HTML form. The original code is below.

```php
<?
// DynaForm v1.4 - Created by the Webligo Group
// http://www.webligo.com
//
// License summary from the original header: "GPL freeware license", no resale
// or commercial use without permission from the Webligo Group, free
// redistribution allowed, no liability accepted, no support without a
// commercial license (http://webligo.com/products_dynaform.php).
// See readme.txt for installation help.

// #### CONFIGURE FROM: ADDRESS (optional)
// If you would like to specify the From: address of emails sent by DynaForm,
// enter it between the double quotes below. If you leave this blank, the
// server will assign the default email address.
$from_address = "";

// #### ACTIVATE REQUIRED FIELDS? (optional)
// Change "no" to "yes" to make fields whose name begins with "r_" required,
// e.g. <input type='text' name='r_Name'>. If a required field is empty the
// user is redirected to $required_errorpage.
$required_on = "no";
$required_errorpage = "error.html";

// #### OVERRIDE REQUIRED VARIABLES? (optional)
// Set to "yes" to hide the recipient address, subject and thank-you page URL
// from the HTML form. The hidden fields rec_mailto, rec_subject and
// rec_thanks are then ignored and the three values below are used instead.
$override = "no";
$incoming_mailto  = "[email protected]";   // email address(es) to send to
$incoming_subject = "You have a new message from your DynaForm.";
$incoming_thanks  = "thanks.html";

// #### BAN IP ADDRESSES? (optional)
$ban_ip_on = "no";
$ban_ip_list = "111.222.33.55,11.33.777.99";   // comma-separated, example values

// #### ACTIVATE DOMAIN SECURITY? (optional, default "yes")
// Checks that the form was submitted from this server's own domain, i.e. the
// host in the referring URL must equal this server's host name. If you get
// "INVALID DOMAIN" errors for no reason, change "yes" to "no".
$secure_domain_on = "yes";

// #### ACTIVATE AUTO-RESPONSE? (optional)
// When "yes", DynaForm replies to the submitter with the message below.
$autorespond_on = "no";
$autorespond_subject  = "Your Form Submission";
$autorespond_from     = "[email protected]";
$autorespond_contents = "Your submission from our website has been received. Thank you!";
// Name of the form field that holds the user's email address,
// e.g. "Email" for <input type='text' name='Email'>
$autorespond_mailto_field = "Email";

// MAKE SURE DYNAFORM IS NOT BEING LOADED FROM THE URL
if($_SERVER['REQUEST_METHOD'] == "GET") {
    echo "<html><head><title>Webligo PHP DynaForm is installed correctly.</title></head><body>
          <font style='font-family: verdana, arial; font-size: 9pt;'><b>DynaForm is installed correctly.</b></font><br>
          <font style='font-family: verdana, arial; font-size: 8pt;'>DynaForm Easy PHP Form Mailer was created by
          <a href='http://www.webligo.com'>Webligo Developments</a>.</font>
          </body></html>";
    exit();
}

// SET VARIABLES
$incoming_fields = array_keys($_POST);
$incoming_values = array_values($_POST);
if($override == "no") {
    // Recipient, subject and redirect target are read straight from hidden form fields
    $incoming_mailto  = $_POST['rec_mailto'];
    $incoming_subject = $_POST['rec_subject'];
    $incoming_thanks  = $_POST['rec_thanks'];
}
// Optional Cc/Bcc recipients, also read from form fields
$incoming_mailto_cc  = $_POST['opt_mailto_cc'];
$incoming_mailto_bcc = $_POST['opt_mailto_bcc'];
$form_url = $_POST[HTTP_REFERER];   // sic: reads a POST field named HTTP_REFERER, not the Referer header

// MAKE SURE DYNAFORM IS BEING RUN FROM THE RIGHT DOMAIN
if($secure_domain_on == "yes") {
    $form_url_array = parse_url($form_url);
    $form_domain = $form_url_array[host];
    if($form_domain != $_SERVER[HTTP_HOST]) {
        echo "<h2>DynaForm Error - Invalid Domain</h2>
              You have accessed DynaForm from an external domain - this is not allowed.<br>
              You may only submit forms to a DynaForm file that exists on the same domain name.<br>
              If you believe to be receiving this message in error, please refer to your readme.txt file.<br><br>";
        $error = "yes";
    }
}

// CHECK IF MAILTO IS SET
if($incoming_mailto == "") {
    echo "<h2>DynaForm Error - Missing Field</h2>
          Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
          the required \"<b>rec_mailto</b>\" field within the form. This field specifies who the email will be sent to.<br><br>
          This should look like:<br>
          <input type=\"hidden\" name=\"rec_mailto\" value=\"[email protected]\"><br><br>
          If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>";
    $error = "yes";
}

// CHECK IF SUBJECT IS SET
if($incoming_subject == "") {
    echo "<h2>DynaForm Error - Missing Field</h2>
          Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
          the required \"<b>rec_subject</b>\" field within the form. This field specifies the subject of the email that will be sent.<br><br>
          This should look like:<br>
          <input type=\"hidden\" name=\"rec_subject\" value=\"New DynaForm Email\"><br><br>
          If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>";
    $error = "yes";
}

// CHECK IF THANKS IS SET
if($incoming_thanks == "") {
    echo "<h2>DynaForm Error - Missing Field</h2>
          Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
          the required \"<b>rec_thanks</b>\" field within the form. This field specifies what page the user will be taken to after they submit the form.<br><br>
          This should look like:<br>
          <input type=\"hidden\" name=\"rec_thanks\" value=\"thanks.html\"><br><br>
          If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>";
    $error = "yes";
}

// CHECK IF IP ADDRESS IS BANNED
if($ban_ip_on == "yes") {
    // strstr() is a substring match, not an exact match against the list
    if(strstr($ban_ip_list, $_SERVER[REMOTE_ADDR])) {
        echo "<h2>DynaForm Error - Banned IP</h2>
              You cannot use this form because your IP address has been banned by the administrator.<br>";
        $error = "yes";
    }
}

if($error == "yes") {
    exit();
}

// SET EMAIL INTRODUCTION
$message = "This email was received from your DynaForm located at $form_url \n\n";

// LOAD EMAIL CONTENTS: every POST field except the control fields goes into the body
for ($i = 0; $i < count($incoming_fields); $i++) {
    if($incoming_fields[$i] != "rec_mailto" && $incoming_fields[$i] != "rec_subject"
       && $incoming_fields[$i] != "rec_thanks" && $incoming_fields[$i] != "opt_mailto_cc"
       && $incoming_fields[$i] != "opt_mailto_bcc") {
        // CHECK FOR REQUIRED FIELDS IF ACTIVATED
        if($required_on == "yes") {
            $sub = substr($incoming_fields[$i], 0, 2);
            if($sub == "r_") {
                if($incoming_values[$i] == "" OR !isset($incoming_values[$i]) OR $incoming_values[$i] == " ") {
                    header("Location: $required_errorpage");
                    exit();
                }
            }
        }
        // ADD FIELD TO OUTGOING MESSAGE
        $message .= "$incoming_fields[$i]:\n$incoming_values[$i]\n\n";
    }
}

// SET EMAIL FOOTER
$message .= "\n\nThank you for using our Webligo DynaForm script.\nWe ask that you please link back to our site if you have not already.\nYour use of DynaForm is subject to the license agreement outlined in dynaform.php.\nVisit us at: http://www.webligo.com";

// CLEAR HEADERS
$headers = "";

// ADD FROM ADDRESS
if($from_address != "") {
    $headers .= "From: $from_address\r\n";
}

// CHECK FOR CC OR BCC (both values come from the form fields above)
if($incoming_mailto_cc != "") {
    $headers .= "Cc: $incoming_mailto_cc\r\n";
}
if($incoming_mailto_bcc != "") {
    $headers .= "Bcc: $incoming_mailto_bcc\r\n";
}

// SEND EMAIL
mail($incoming_mailto, $incoming_subject, $message, $headers);

// SEND AUTO-RESPONSE IF ACTIVATED
if($autorespond_on == "yes") {
    $autorespond_mailto = $_POST[$autorespond_mailto_field];
    $autorespond_headers = "From: $autorespond_from";
    mail($autorespond_mailto, $autorespond_subject, $autorespond_contents, $autorespond_headers);
}

// FORWARD TO THANK YOU PAGE
header("Location: $incoming_thanks");
?>
```

In addition I have a function that ensures the script only sends an e-mail if the data comes from my own server. I have the code below at the top of the script:

```php
// Imports every GET/POST parameter as a local PHP variable of the same name
if(!empty($_GET)) { extract($_GET); } else if(!empty($HTTP_GET_VARS)) { extract($HTTP_GET_VARS); }
if(!empty($_POST)) { extract($_POST); } else if(!empty($HTTP_POST_VARS)) { extract($HTTP_POST_VARS); }
```

Are there any special or basic measures I can take to secure the script against spam?
xqus, posted 6 February 2007

As far as I can see, the address the mail is sent to is passed as POST data. In other words, anyone can send mail to whoever they want. Things like that get exploited.
simenss, posted 7 February 2007

> As far as I can see, the address the mail is sent to is passed as POST data. In other words, anyone can send mail to whoever they want. Things like that get exploited.

I posted the wrong script. I posted the original script, in which I had not made any changes. Here is the script I have modified, and there you can see that I don't give the user any way to change the recipient:

```php
<?
session_start();

// Imports every GET/POST parameter as a local PHP variable of the same name
if(!empty($_GET)) { extract($_GET); } else if(!empty($HTTP_GET_VARS)) { extract($HTTP_GET_VARS); }
if(!empty($_POST)) { extract($_POST); } else if(!empty($HTTP_POST_VARS)) { extract($HTTP_POST_VARS); }

// Form token check: the random number stored in the session must match the
// form_id field. There is no exit() after header(), so execution continues
// either way; and because != is a loose comparison, a missing session value
// (null) compared with an empty form_id ("") counts as equal.
if($_SESSION['secure_mail']!=$_POST['form_id']) {
    header("Location: http://www.example.com/index.php?side=mailform-error");
}

require('mysqlconnect.php');

// DynaForm v1.3 - Created by the Webligo Group
// http://www.webligo.com
// (Same license, liability and support text as in the v1.4 header above.)

// #### ACTIVATE REQUIRED FIELDS? (optional)
// "yes" makes fields whose name begins with "r_" required,
// e.g. <input type='text' name='r_Name'>; empty ones redirect to $required_errorpage.
$required_on = "no";
$required_errorpage = "../index.php?side=mailform-error&sted=Kontakt";

// #### OVERRIDE REQUIRED VARIABLES? (optional)
// "yes": rec_mailto, rec_subject and rec_thanks are not read from the form;
// the values below are used instead.
$override = "yes";

// Recipient: the form sends the chosen person's id in the "til" field and the
// address is looked up in the database. The id is concatenated into the SQL
// string without escaping. "oogi" is a special case with a fixed address.
if($_POST['til']!='oogi') {
    $persons_sql = mysql_query("SELECT * FROM personer WHERE id='".$_POST['til']."'");
    $persons_array = mysql_fetch_array($persons_sql);
    $incoming_mailto = $persons_array['mail'];
} else {
    $incoming_mailto = '[email protected]';
}
// Fallback if the lookup did not yield something that looks like an address
if(!eregi('@', $incoming_mailto)) {
    $incoming_mailto = '[email protected]';
}
$incoming_subject = "Example";
// Thank-you page URL, built from the "text" and "header" POST fields
$incoming_thanks = '../index.php?id=message&text='.$_POST['text'].'&header='.$_POST['header'];

// #### BAN IP ADDRESSES? (optional)
$ban_ip_on = "no";
$ban_ip_list = "111.222.33.55,11.33.777.99";   // comma-separated, example values

// #### ACTIVATE DOMAIN SECURITY? (turned off here)
$secure_domain_on = "no";

// #### ACTIVATE AUTO-RESPONSE? (optional)
$autorespond_on = "no";
$autorespond_subject  = "Bekreftelse";   // "Confirmation"
$autorespond_from     = $mailto;         // $mailto only exists if extract() above created it from a request parameter
$autorespond_contents = "Din mail er sendt inn! Vi vil behandle den så fort som mulig.\n\nHilsen Example\nwww.example.com";
// ("Your mail has been submitted! We will handle it as soon as possible. Regards, Example")
$autorespond_mailto_field = $Email;      // likewise: $Email comes from extract(), not a literal field name

// MAKE SURE DYNAFORM IS NOT BEING LOADED FROM THE URL
if($HTTP_SERVER_VARS['REQUEST_METHOD'] == "GET") {
    echo "<html><head><title>DynaForm is installed correctly.</title></head><body>
          <font style='font-family: verdana, arial; font-size: 9pt;'><b>DynaForm is installed correctly.</b></font>
          </body></html>";
    exit();
}

// SET VARIABLES
$incoming_fields = array_keys($HTTP_POST_VARS);
$incoming_values = array_values($HTTP_POST_VARS);
if($override == "no") {
    $incoming_mailto  = @$HTTP_POST_VARS['rec_mailto'];
    $incoming_subject = @$HTTP_POST_VARS['rec_subject'];
    $incoming_thanks  = @$HTTP_POST_VARS['rec_thanks'];
}
// Optional Cc/Bcc recipients, read from form fields
$incoming_mailto_cc  = @$HTTP_POST_VARS['opt_mailto_cc'];
$incoming_mailto_bcc = @$HTTP_POST_VARS['opt_mailto_bcc'];
$form_url = @$HTTP_REFERER;

// MAKE SURE DYNAFORM IS BEING RUN FROM THE RIGHT DOMAIN
if($secure_domain_on == "yes") {
    $form_url_array = parse_url($form_url);
    $form_domain = $form_url_array[host];
    if($form_domain != $HTTP_SERVER_VARS[HTTP_HOST]) {
        echo "<h2>DynaForm Error - Invalid Domain</h2>
              You have accessed DynaForm from an external domain - this is not allowed.<br>
              You may only submit forms to a DynaForm file that exists on the same domain name.<br>
              If you believe to be receiving this message in error, please refer to your readme.txt file.<br><br>";
        $error = "yes";
    }
}

// CHECK IF MAILTO IS SET
if($incoming_mailto == "") {
    echo "<h2>DynaForm Error - Missing Field</h2>
          Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
          the required \"<b>rec_mailto</b>\" field within the form. This field specifies who the email will be sent to.<br><br>
          This should look like:<br>
          <input type=\"hidden\" name=\"rec_mailto\" value=\"[email protected]\"><br><br>
          If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>";
    $error = "yes";
}

// CHECK IF SUBJECT IS SET
if($incoming_subject == "") {
    echo "<h2>DynaForm Error - Missing Field</h2>
          Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
          the required \"<b>rec_subject</b>\" field within the form. This field specifies the subject of the email that will be sent.<br><br>
          This should look like:<br>
          <input type=\"hidden\" name=\"rec_subject\" value=\"New DynaForm Email\"><br><br>
          If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>";
    $error = "yes";
}

// CHECK IF THANKS IS SET
if($incoming_thanks == "") {
    echo "<h2>DynaForm Error - Missing Field</h2>
          Your form located at <a href='$form_url'>$form_url</a> does not work because you forgot to include
          the required \"<b>rec_thanks</b>\" field within the form. This field specifies what page the user will be taken to after they submit the form.<br><br>
          This should look like:<br>
          <input type=\"hidden\" name=\"rec_thanks\" value=\"thanks.html\"><br><br>
          If you are still confused, please refer to the readme.txt for more information and examples.<br><br><br><br>";
    $error = "yes";
}

// CHECK IF IP ADDRESS IS BANNED
if($ban_ip_on == "yes") {
    if(strstr($ban_ip_list, $HTTP_SERVER_VARS[REMOTE_ADDR])) {
        echo "<h2>DynaForm Error - Banned IP</h2>
              You cannot use this form because your IP address has been banned by the administrator.<br>";
        $error = "yes";
    }
}

if($error == "yes") {
    exit();
}

// SET EMAIL INTRODUCTION (empty in this version)
$message = "";

// LOAD EMAIL CONTENTS: every POST field except the control fields goes into the body
for ($i = 0; $i < count($incoming_fields); $i++) {
    if($incoming_fields[$i] != "rec_mailto" && $incoming_fields[$i] != "rec_subject"
       && $incoming_fields[$i] != "rec_thanks" && $incoming_fields[$i] != "opt_mailto_cc"
       && $incoming_fields[$i] != "opt_mailto_bcc") {
        // CHECK FOR REQUIRED FIELDS IF ACTIVATED
        if($required_on == "yes") {
            $sub = substr($incoming_fields[$i], 0, 2);
            if($sub == "r_") {
                if($incoming_values[$i] == "" OR !isset($incoming_values[$i]) OR $incoming_values[$i] == " ") {
                    header("Location: $required_errorpage");
                    exit();
                }
            }
        }
        // ADD FIELD TO OUTGOING MESSAGE
        $message .= "$incoming_fields[$i]:\n$incoming_values[$i]\n\n";
    }
}

// SET EMAIL FOOTER (empty in this version)
$message .= "";

// CHECK FOR CC OR BCC (from the form fields opt_mailto_cc / opt_mailto_bcc)
$headers = "";
if($incoming_mailto_cc != "") {
    $headers .= "Cc: $incoming_mailto_cc\r\n";
}
if($incoming_mailto_bcc != "") {
    $headers .= "Bcc: $incoming_mailto_bcc\r\n";
}
// From: is built directly from the Navn and e-mail form fields. Note the
// plain assignment (= rather than .=), which also discards the Cc/Bcc
// headers assembled just above.
$headers = "From: ".$_POST['Navn']." <".$_POST['e-mail'].">\r\n";

// SEND EMAIL
mail($incoming_mailto, $incoming_subject, $message, $headers);

// SEND AUTO-RESPONSE IF ACTIVATED
if($autorespond_on == "yes") {
    $autorespond_mailto = @$HTTP_POST_VARS[$autorespond_mailto_field];
    $autorespond_headers = "From: $autorespond_from";
    mail($autorespond_mailto, $autorespond_subject, $autorespond_contents, $autorespond_headers);
}

// FORWARD TO THANK YOU PAGE
header("Location: $incoming_thanks");
?>
```

To secure the script I have put the addresses that can be contacted into a database. The user chooses who he/she wants to contact, e.g. "Simen", and the form fetches the address with the name "Simen" from the database. Still, someone manages to change the recipient.
ilpostino, posted 7 February 2007

I haven't looked at the code that closely, but you're using a drop-down box, right?

simenss, posted 8 February 2007

> I haven't looked at the code that closely, but you're using a drop-down box, right?

Yes, it's a list of the people who can be contacted.

ZoRaC, posted 8 February 2007

That's exactly the problem, because there is nothing stopping someone from saving the file on their own PC and changing it into an input box... You should have the recipients as IDs and a table with the addresses.
simenss, posted 8 February 2007

> That's exactly the problem, because there is nothing stopping someone from saving the file on their own PC and changing it into an input box... You should have the recipients as IDs and a table with the addresses.

Look at the excerpt below:

```php
// Enter the email address(es) to send the email to.
// "til" holds the chosen person's id; it is placed unescaped in the SQL string.
if($_POST['til']!='oogi') {
    $persons_sql = mysql_query("SELECT * FROM personer WHERE id='".$_POST['til']."'");
    $persons_array = mysql_fetch_array($persons_sql);
    $incoming_mailto = $persons_array['mail'];
} else {
    $incoming_mailto = '[email protected]';
}
// Fallback if the result does not contain an "@"
if(!eregi('@', $incoming_mailto)) {
    $incoming_mailto = '[email protected]';
}
```

The user picks the person he/she wants to contact in the form, but it is the person's ID that gets sent ($_POST['til']). $_POST['til'] is checked against a database. The e-mail address of the person linked to this ID is fetched and placed in the variable $incoming_mailto. That should be secure, then?
The_Lozer, posted 9 February 2007

Set a cookie or something that limits it to sending one mail per day or so?

Runar0, posted 9 February 2007

> Set a cookie or something that limits it to sending one mail per day or so?

It is no problem for a spam bot or the like to simply not send the cookies to the server when it submits the e-mail.

The_Lozer, posted 9 February 2007

> It is no problem for a spam bot or the like to simply not send the cookies to the server when it submits the e-mail.

Use a session, then..

Runar0, posted 9 February 2007

> Use a session, then..

A session uses a cookie to identify the user, doesn't it; if the cookie is blocked, the phpsessionid is appended to the links, which the bot can in turn strip off. But we're getting a bit off topic here.

trrunde, posted 9 February 2007

Store it in a database with IP and date, then run a query that checks whether one day has passed.

The_Lozer, posted 10 February 2007

> A session uses a cookie to identify the user, doesn't it; if the cookie is blocked, the phpsessionid is appended to the links, which the bot can in turn strip off. But we're getting a bit off topic here.

A session is stored on the server.

xqus, posted 10 February 2007

> A session is stored on the server.

Very off-topic. But even though the session is stored on the server, a cookie is used to tell the server which session you belong to. A spam bot like this hardly supports cookies, and if it does, they are disabled. So the server doesn't know which session the next request belongs to, and the bot gets a new session.. which it also drops.
simenss, posted 10 February 2007

I use sessions.

skjema.php: Here a random number is put in a session. This number is also sent from the form as "visible data".

epost.php: Here a function checks whether the number from the form matches the given session.

Still, someone manages to exploit the script.

Runar0, posted 10 February 2007

Wild guess: what happens if someone doesn't send the session cookie and sets the code in the form to ""? Will session == form data then, or do you check that the session is set?

simenss, posted 12 February 2007

> Wild guess: what happens if someone doesn't send the session cookie and sets the code in the form to ""? Will session == form data then, or do you check that the session is set?

That's true.

olemedkrutt, posted 12 February 2007

I haven't looked at the code, but I'd guess the problem is that you don't filter the From field; if you don't, people can insert new headers:

From: [email protected]
Cc: [email protected]
simenss, posted 12 February 2007

> I haven't looked at the code, but I'd guess the problem is that you don't filter the From field; if you don't, people can insert new headers:
>
> From: [email protected]
> Cc: [email protected]

I have now added the following code:

```php
// Whole-string match: with eregi() (POSIX ERE) the $ anchor only matches at the
// very end, so a CR/LF anywhere in the value fails the check. eregi() was
// removed in PHP 7; the preg_match() equivalent needs the D modifier, since
// in PCRE a bare $ also matches before a trailing newline.
if(!eregi("^[+_\.\'0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,4}$", $_POST['e-mail'])) {
    header("Location: http://www.example.com/error.php");
    exit;
}
$headers = "From: ".$_POST['e-mail']."\r\n";
```

Will this prevent abuse?
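Pulling together the three things picked apart in this thread (ZoRaC's point about looking recipients up by id, Runar0's wild guess about an empty form_id sent without a session cookie, and olemedkrutt's header-injection explanation), here is an added example of how those spots of the handler can be written so they are not abusable. This is not DynaForm's code nor simenss's: the field names form_id, secure_mail, til, Navn and e-mail are the ones in the posted script, while the PDO connection, the fixed From: address kontakt@example.com and the sample input are assumptions made up for this illustration. Note that the eregi() check in the post above only covers the e-mail field, whereas the earlier version of the script also put the Navn field into the From: header.

```php
<?php
// Added example (not DynaForm or simenss's script). Field names follow the
// posted script; PDO handle, site address and sample input are assumed.

// 1. Form token. The posted check uses != with no exit(), so a client that
//    sends no session cookie and an empty form_id passes (null == "" in PHP)
//    and the script carries on regardless. Require both values, compare them
//    in constant time, and let the caller redirect and exit on failure.
function form_token_is_valid(array $session, array $post): bool
{
    if (!isset($session['secure_mail'], $post['form_id'])) {
        return false;
    }
    $expected = (string) $session['secure_mail'];
    $given    = $post['form_id'];
    if (!is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// 2. Recipient. The visitor only supplies an id; the address comes from the
//    database via a prepared statement instead of string concatenation.
function lookup_recipient(PDO $db, string $id): ?string
{
    if (!ctype_digit($id)) {
        return null;                       // ids are integers; anything else is tampering
    }
    $stmt = $db->prepare('SELECT mail FROM personer WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $mail = $stmt->fetchColumn();
    if ($mail === false || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $mail;
}

// 3. Headers. Nothing the visitor typed goes into From:; the validated
//    visitor address goes into Reply-To:, a CR or LF in any header value is
//    rejected outright rather than filtered, and Cc/Bcc are never read from
//    the form at all.
function build_headers(array $post, string $site_from): ?string
{
    $name  = isset($post['Navn'])   && is_string($post['Navn'])   ? $post['Navn']   : '';
    $email = isset($post['e-mail']) && is_string($post['e-mail']) ? $post['e-mail'] : '';

    if (preg_match('/[\r\n]/', $name . $email) === 1) {
        return null;                       // header injection attempt
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Display name: keep letters, digits, space and a few punctuation marks only
    $name = substr(preg_replace('/[^\p{L}\p{N} .\'-]/u', '', $name), 0, 60);

    return "From: $site_from\r\n"
         . "Reply-To: " . ($name !== '' ? "$name <$email>" : $email) . "\r\n";
}

// Constructed sample input: what a spam bot posts to the original script.
// Concatenated into "From: Navn <e-mail>" as the posted code does, these
// values would add Bcc: and Cc: lines and turn the form into a relay.
$bot = [
    'form_id' => '',
    'til'     => "1' OR '1'='1",
    'Navn'    => "Bob\r\nBcc: victim1@example.org, victim2@example.org",
    'e-mail'  => "bob@example.net\r\nCc: victim3@example.org",
];
$visitor = [
    'form_id' => 'a1b2c3',
    'til'     => '3',
    'Navn'    => 'Kari Nordmann',
    'e-mail'  => 'kari@example.net',
];

var_dump(form_token_is_valid([], $bot));                               // no session, empty token
var_dump(form_token_is_valid(['secure_mail' => 'a1b2c3'], $visitor));  // matching token
var_dump(build_headers($bot, 'kontakt@example.com'));                  // CR/LF in Navn and e-mail
echo build_headers($visitor, 'kontakt@example.com');

// Wiring in the handler (assumed surrounding code, $db is a PDO connection):
// if (!form_token_is_valid($_SESSION, $_POST)) { header('Location: /index.php?side=mailform-error'); exit; }
// $to = lookup_recipient($db, (string) ($_POST['til'] ?? ''));      if ($to === null)      { exit; }
// $headers = build_headers($_POST, 'kontakt@example.com');          if ($headers === null) { exit; }
// mail($to, 'Example', $message, $headers);
```

The design choice worth noting is that the visitor's input never becomes a header on its own: From: is a constant on the site's domain (which also keeps SPF and DMARC happy), and the only user-controlled header, Reply-To:, is accepted as a single validated address or dropped. Rejecting rather than stripping CR/LF means an injection attempt fails loudly and can be logged, and making the token check return false when either side is missing closes the empty-token case regardless of whether the bot sends a cookie.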
simenss, posted 12 February 2007 (edited 12 February 2007 by simenss)

Double post...