I am not too familiar with the way people hack into websites but am looking for some insite into the topic.
I put the following code on a friends site and he claims that his site was hacked due to this code. Can anyone tell me why?
What can I do to make my site safe?Code:<?php
function clean($data) {
$data = trim(stripslashes(strip_tags($data)));
return $data;
}
$exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload)/i";
foreach ($_POST as $key => $val) {
$c[$key] = clean($val);
if (preg_match($exploits, $val)) {
exit("<p>No exploits, please!</p>");
}
}
$show_form = true;
$error_msg = NULL;
if (isset($c['submit'])) {
if (empty($c['ChosDest']) || empty($c['firstname']) || empty($c['lastname']) || empty($c['email'])) {
$error_msg .= "Program Type, First Name, Last Name, and E-mail are required fields. \n";
} elseif (strlen($c['firstname']) > 25) {
$error_msg .= "The first name field is limited at 25 characters. \n";
} elseif (strlen($c['lastname']) > 40) {
$error_msg .= "The last name field is limited at 40 characters. \n";
} elseif (!ereg("^[A-Za-z' -]", $c['firstname'])) {
$error_msg .= "The first name field must not contain special characters. \n";
} elseif (!ereg("^[A-Za-z' -]", $c['lastname'])) {
$error_msg .= "The last name field must not contain special characters. \n";
} elseif ((strlen($c['location']) > 0) && !ereg("^[A-Za-z' -]", $c['location'])) {
$error_msg .= "The location field must not contain special characters. \n";
} elseif ((strlen($c['phone']) > 0) && !ereg("^[0-9 -]", $c['phone'])) {
$error_msg .= "The phone field can only contain numbers. \n";
} elseif (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$",strtolower($c['email']))) {
$error_msg .= "That is not a valid E-mail address. \n";
}
if ($error_msg == NULL) {
$show_form = false;
if (!empty($c['url']) && !ereg("^(http|https)", $c['url'])) {
$c['url'] = "http://" . $c['url'];
}
$subject = "Contact Us";
$message = "You received this e-mail message through the Contact Us feature on your website: \n\n";
foreach ($c as $key => $val) {
}
$message .= "Program Type: {$c['ChosDest']}\n" ;
$message .= "Name: {$c['firstname']} {$c['lastname']}\n" ;
$message .= "Location: {$c['location']}\n" ;
$message .= "Phone: {$c['phone']} \n" ;
$message .= "Email: {$c['email']}\n" ;
$message .= "Comments: {$c['comments']}\n\n\n" ;
$message .= "Sumbitted from IP: {$_SERVER['REMOTE_ADDR']} \n";
//$message .= "Browser: {$_SERVER['HTTP_USER_AGENT']}";
if (strstr($_SERVER['SERVER_SOFTWARE'], "Win")) {
$headers = "From: Website <[email protected]> \n";
$headers .= "Reply-To: {$c['email']}";
} else {
$headers = "From: Website <[email protected]> \n";
$headers .= "Reply-To: {$c['email']}";
}
$recipient = "[email protected]";
if (mail($recipient,$subject,$message,$headers)) {
echo "<p>Your information was successfully sent. <br><br> <font size=+1 color=#ac2b31>Thank You for Contacting Us!</font> <br><br>Someone will be responding to your inquiry shortly</p>";
} else {
echo "<p>Your information could not be sent this time. Please try again!</p>";
}
}
}
if (!isset($c['submit']) || $show_form == true) {
function get_data($var) {
global $c;
if (isset($c[$var])) {
echo $c[$var];
}
}
if ($error_msg != NULL) {
echo "<p><strong style='color: red;'>ERROR:</strong><br />";
echo nl2br($error_msg) . "</p>";
}
?>
Any help is greatly appreciated.
