我有一个邮件脚本,不断用于攻击我的网站并上传攻击者用来传播更多代码的代码。以下是该脚本的一个版本。我究竟做错了什么?请帮帮我。每个邮件脚本,甚至是我为插件编写的邮件脚本都将使用此代码。感谢。
<?php
$sendto = "email@email.com";
$subject = "Message from My Website";
$SpamReplaceText = "*"; //this is what will be used to replace unallowed characters in a message
$fullname = filter_var($_POST['fullname'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$telephone = filter_var($_POST['telephone'], FILTER_SANITIZE_NUMBER_INT);
$eventdate = filter_var($_POST['eventdate'], FILTER_SANITIZE_STRING);
$message = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
$headers = "From: \"$fullname\" <$email>\n";
$headers .= "MIME-Version: 1.0\n"
. "Content-Transfer-Encoding: 7bit\n"
. "Content-type: text/html; charset = \"iso-8859-1\";\n\n";
$URL = "index.php?place=contact";
$URLQuery = "n=".urlencode(stripslashes($fullname))."&e=".urlencode(stripslashes($email))."&m=".urlencode(stripslashes($message))."&evt=".urlencode($eventdate)."&t=".urlencode($telephone);
if (empty($fullname) || empty($email) || empty($telephone) || empty($message)) {
header("location: $URL&err=4&".$URLQuery);
exit;
}
// Check the email address enmtered matches the standard email address format
if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$", $email)) {
header("location: $URL&err=1&".$URLQuery);
exit;
}
// Check for Website URL's in the form input boxes as if we block website URLs from the form,
// then this will stop the spammers wastignt ime sending emails
if (preg_match("/http/i", "$fullname")) {header("location: $URL&err=3&".$URLQuery); exit;}
if (preg_match("/http/i", "$email")) {header("location: $URL&err=3&".$URLQuery); exit;}
if (preg_match("/http/i", "$message")) {header("location: $URL&err=3&".$URLQuery); exit;}
if (preg_match("/http/i", "$telephone")) {header("location: $URL&err=3&".$URLQuery); exit;}
if (preg_match("/http/i", "$eventdate")) {header("location: $URL&err=3&".$URLQuery); exit;}
// Patterm match search to strip out the invalid charcaters, this prevents the mail injection spammer
$pattern = '/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i'; // build the pattern match string
$fullname = preg_replace($pattern, "", $fullname);
$email = preg_replace($pattern, "", $email);
$message = preg_replace($pattern, "", $message);
$telephone = preg_replace($pattern, "", $telephone);
$eventdate = preg_replace($pattern, "", $eventdate);
// Check for the injected headers from the spammer attempt
// This will replace the injection attempt text with the string you have set in the above config section
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$email = preg_replace($find, "$SpamReplaceText", $email);
$fullname = preg_replace($find, "$SpamReplaceText", $fullname);
$message = preg_replace($find, "$SpamReplaceText", $message);
$telephone = preg_replace($find, "$SpamReplaceText", $telephone);
$eventdate = preg_replace($find, "$SpamReplaceText", $eventdate);
// Build the email body text
$emailcontent = "
----------------------------------------------------------------------------- <br>
<b>MESSAGE FROM My Website</b><br>
----------------------------------------------------------------------------- <br>
<b>Name:</b> $fullname <br><br>
<b>Email:</b> $email <br><br>
<b>Telephone:</b> $telephone <br><br>
<b>Event Date:</b> $eventdate <br><br>
<b>Message:</b> $message
<br><br>
_______________________________________ <br>
End of Email";
// Sends out the email or will output the error message
if (mail($sendto, $subject, $emailcontent, $headers)) {
header("location: $URL&confirm=1");
exit;
}
else {
header("location: $URL&err=2&".$URLQuery);
exit;
}
&GT;