Thread: Contact Us Page Hacked

  1. #1

    Thread Starter

    Contact Us Page Hacked

    I am not too familiar with the way people hack into websites but am looking for some insight into the topic.

    I put the following code on a friend's site and he claims that his site was hacked due to this code. Can anyone tell me why?
    Code:
    <?php
    // Strip HTML tags, slashes and surrounding whitespace from a submitted value.
    function clean($data) {
        $data = trim(stripslashes(strip_tags($data)));
        return $data;
    }

    // Abort on input containing strings commonly seen in mail-header or script injection.
    $exploits = "/(content-type|bcc:|cc:|document.cookie|onclick|onload)/i";
    foreach ($_POST as $key => $val) {
        $c[$key] = clean($val);
        if (preg_match($exploits, $val)) {
            exit("<p>No exploits, please!</p>");
        }
    }

    $show_form = true;
    $error_msg = NULL;

    if (isset($c['submit'])) {
        // Field validation: required fields, length limits, allowed characters.
        if (empty($c['ChosDest']) || empty($c['firstname']) || empty($c['lastname']) || empty($c['email'])) {
            $error_msg .= "Program Type, First Name, Last Name, and E-mail are required fields. \n";
        } elseif (strlen($c['firstname']) > 25) {
            $error_msg .= "The first name field is limited at 25 characters. \n";
        } elseif (strlen($c['lastname']) > 40) {
            $error_msg .= "The last name field is limited at 40 characters. \n";
        } elseif (!ereg("^[A-Za-z' -]", $c['firstname'])) {
            $error_msg .= "The first name field must not contain special characters. \n";
        } elseif (!ereg("^[A-Za-z' -]", $c['lastname'])) {
            $error_msg .= "The last name field must not contain special characters. \n";
        } elseif ((strlen($c['location']) > 0) && !ereg("^[A-Za-z' -]", $c['location'])) {
            $error_msg .= "The location field must not contain special characters. \n";
        } elseif ((strlen($c['phone']) > 0) && !ereg("^[0-9 -]", $c['phone'])) {
            $error_msg .= "The phone field can only contain numbers. \n";
        } elseif (!ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($c['email']))) {
            $error_msg .= "That is not a valid E-mail address. \n";
        }

        if ($error_msg == NULL) {
            $show_form = false;

            // Prefix a scheme when the URL field lacks one.
            if (!empty($c['url']) && !ereg("^(http|https)", $c['url'])) {
                $c['url'] = "http://" . $c['url'];
            }

            $subject = "Contact Us";

            // Build the message body from the cleaned fields.
            $message  = "You received this e-mail message through the Contact Us feature on your website: \n\n";
            $message .= "Program Type: {$c['ChosDest']}\n";
            $message .= "Name: {$c['firstname']} {$c['lastname']}\n";
            $message .= "Location: {$c['location']}\n";
            $message .= "Phone: {$c['phone']} \n";
            $message .= "Email: {$c['email']}\n";
            $message .= "Comments: {$c['comments']}\n\n\n";
            $message .= "Submitted from IP: {$_SERVER['REMOTE_ADDR']} \n";
            //$message .= "Browser: {$_SERVER['HTTP_USER_AGENT']}";

            // Mail headers; the submitter's address becomes the Reply-To.
            if (strstr($_SERVER['SERVER_SOFTWARE'], "Win")) {
                $headers  = "From: Website <[email protected]> \n";
                $headers .= "Reply-To: {$c['email']}";
            } else {
                $headers  = "From: Website <[email protected]> \n";
                $headers .= "Reply-To: {$c['email']}";
            }

            $recipient = "[email protected]";

            if (mail($recipient, $subject, $message, $headers)) {
                echo "<p>Your information was successfully sent. <br><br> <font size=+1 color=#ac2b31>Thank You for Contacting Us!</font> <br><br>Someone will be responding to your inquiry shortly</p>";
            } else {
                echo "<p>Your information could not be sent this time. Please try again!</p>";
            }
        }
    }

    if (!isset($c['submit']) || $show_form == true) {
        // Echo a previously submitted value back into its form field.
        function get_data($var) {
            global $c;
            if (isset($c[$var])) {
                echo $c[$var];
            }
        }

        if ($error_msg != NULL) {
            echo "<p><strong style='color: red;'>ERROR:</strong><br />";
            echo nl2br($error_msg) . "</p>";
        }
    ?>
    What can I do to make my site safe?


    Any help is greatly appreciated.
    Last edited by mrstuff68; May 9th, 2007 at 07:50 PM.
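Added here as an example, not the poster's code: a hardened rewrite of the validation and mail-header construction for the same form (field names reused from the post; all addresses are placeholders). It anchors each pattern over the whole field, validates the address with filter_var() and rejects line breaks in it, and terminates headers with CRLF.

```php
<?php
// Added example, not the poster's code: hardened validation and header
// construction for the posted contact form. Addresses are placeholders.

function clean(string $data): string {
    return trim(strip_tags($data));
}

// A CR or LF inside a value placed in a mail header ends that header line,
// so such values are rejected outright rather than "cleaned".
function has_header_break(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 1;
}

// The posted patterns ("^[A-Za-z' -]") anchor only at the start and pass on
// the first character alone; the "+$" below checks the whole field.
function valid_name(string $value, int $max): bool {
    return strlen($value) <= $max && preg_match("/^[A-Za-z' -]+$/", $value) === 1;
}

// filter_var() rejects malformed addresses; the explicit CR/LF check is belt and braces.
function valid_email(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false && !has_header_break($value);
}

// Returns a list of error messages; an empty list means the submission is acceptable.
function validate(array $c): array {
    $errors = [];
    foreach (['ChosDest', 'firstname', 'lastname', 'email'] as $f) {
        if (($c[$f] ?? '') === '') { $errors[] = "$f is required."; }
    }
    if (!valid_name($c['firstname'] ?? '', 25)) { $errors[] = 'Invalid first name.'; }
    if (!valid_name($c['lastname'] ?? '', 40))  { $errors[] = 'Invalid last name.'; }
    if (!valid_email($c['email'] ?? ''))        { $errors[] = 'Invalid e-mail address.'; }
    return $errors;
}

// Headers end with CRLF and only ever carry an address that passed valid_email().
function build_headers(string $replyTo): string {
    return "From: Website <webmaster@example.com>\r\nReply-To: $replyTo\r\n";
}

// Constructed submission: an e-mail value that smuggles an extra header line.
$c = array_map('clean', [
    'ChosDest' => 'Info', 'firstname' => 'Ann', 'lastname' => 'Lee',
    'email'    => "ann@example.com\nBcc: someone@example.net",
]);
$errors = validate($c);   // non-empty: the address fails, so mail() is never reached
if (!$errors) { mail('owner@example.com', 'Contact Us', 'body', build_headers($c['email'])); }
```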
