PHP

[Romy Li]

I was maintaining a webiste that has a page using PHP form email (a simple Comment form). A couple of weeks ago it was abused and the site was being used to send out spam emails. The ISP was blacklisted and therefore the page was renamed to stop the abuse. The ISP sent us this link to show us how the hacker could have done to the codes. http://securephp.damonkohler.com/index.php/Email_InjectionI know next to nothing about PHP. Would anybody help me by suggesting any simple fixes can be put in the simple codes of the 'Comment page' we have in our site please.I have not received any reply, maybe I should also list the codes that has been abused in here so that if you can see the problem of the code, I would appreciate it.------------------------------------------------------------------------------------------<?php$to = "Webmaster <XX.co.uk>";$email = $_POST['email'];$message = $_POST['message'];if (!isset($_POST['email'])) {?><body id="www-XX" onload="document.getElementById('email').focus()"><div id="container"><h1>Comment on the site</h1><p>Please use this form to comment / provide feedback on the website <strong><em>only</em></strong>. For any and all correspondence concerning the charity please use the email link provided at the bottom of every page of the site (including this <a href="#footer">one</a>).</p><form action="send_mail.php" method="post"><table summary=""> <tr> <td><p><label for="email">Your email address:</label></p></td> <td><input type="text" id="email" name="email" size="50" /></td> </tr> <tr> <td><p><label for="subject">Subject:</label></p></td> <td><input type="text" id="subject" name="subject" size="50" /></td> </tr></table><p><label for="message">Comments:</label><br /><textarea cols="54" rows="10" id="message" name="message"></textarea></p><p><input type="submit" value="Send" /></p></form></div> <!-- end of container div --></body></html><?php}elseif (empty($email) || empty($message)) { header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" ); header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" ); header( "Cache-Control: no-cache, must-revalidate" ); header( "Pragma: no-cache" ); ?><html><head><title>Error</title></head><body><h1>Error</h1><p>You've forgotten to enter either youremail address or your message. Please press the BACKbutton in your browser and try again. Thanks.</p></body></html> <?php}else { mail($to, "[HaH] " . $_POST["subject"], $message, "From: " . $email); echo "<html><head></head><body>Mail sent!<br />Click <a href=\"feedback.html\">here</a> to return.</body></html>";}?>