Prevent someone using myphpfile.php from another server

  • basketmen
  • Student
  • Student
  • Joined: Mar 21, 2007
  • Posts: 66
  • Status: Offline

Post July 13th, 2011, 4:51 pm

Hi guys,

A few days ago my host said that one of my websites was sending a large amount of mail, coming from a Senegal IP.

Here is what my host says:

Quote:
There were another 16 mails in the queue this morning going to a very large number of recipients.

X-PHP-Script: domaindotcom/myphpfile.php for 111.222.333.444

That seems to be the source IP, they more than likely injecting headers into the mail() being used in PHP, there are a few regexes and methods on the Internet if you google on how to prevent it.



myphpfile.php is the file for sending a private message (the member gets an email notification too for each private message) to another member on my site; you must be logged in to use that page.



Is there a way to prevent myphpfile.php from being accessed from another server, so that only real users can access the page? Maybe something like preventing image hotlinking?





Please share your knowledge, guys.

  • Don2007
  • Web Master
  • Web Master
  • Joined: Nov 21, 2006
  • Posts: 4924
  • Loc: NY
  • Status: Offline

Post July 13th, 2011, 7:09 pm

http://objectmix.com/php/432605-re-%5Bp ... urity.html

Does that answer your question?
How do you know when a politician is lying? His mouth is moving.
  • Bogey
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA
  • Status: Offline

Post July 14th, 2011, 9:18 am

In what way does your system check if the user is logged in? Does it actually check the log-in status in the myphpfile.php or in the file that is only using that file?
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • this213
  • Guru
  • Guru
  • Joined: Mar 01, 2004
  • Posts: 1242
  • Loc: ./
  • Status: Offline

Post July 15th, 2011, 4:03 am

Be sure you're sanitizing user input so you're getting what you expect to get. In this case, perhaps that means validating that a supplied email address is just 1 email address. Maybe something like this:
PHP Code:
if( preg_match("/\@.*\@/",$email) ){
   // too many @ symbols
}


Be sure you're defining your headers right before you send your email, as such:
PHP Code:
$headers = 'From: noreply'."\r\n"
.'X-Mailer: Mysite.com Web Portal';

mail($email,$subject,$message,$headers);
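The following is an added example, not code from this thread or from any poster. It pulls together the two points raised above: Bogey's question of whether myphpfile.php itself checks the login status, and this213's advice to validate that a recipient is exactly one address and to fix the headers server-side before calling mail(). It also addresses the original question of "use from another server" with a session-bound token rather than a Referer check. The session keys `user_id` and `csrf_token`, the sender `noreply@example.com`, and the sample request data are all assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): a hardened "send private message
// notification" handler. Assumes the login state lives in $_SESSION['user_id']
// and a per-session CSRF token in $_SESSION['csrf_token'], echoed into the
// PM form as a hidden field. The recipient address is looked up from the
// member database, never taken from the request.
declare(strict_types=1);

// True only for exactly one syntactically valid address with no line breaks
// and no second '@' (the condition this213's regex looks for).
function isSingleEmailAddress(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return false;                       // CR/LF = header injection attempt
    }
    if (substr_count($value, '@') !== 1) {
        return false;                       // "a@x.com,b@y.com" or "a@@x"
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// mail() splits headers on CRLF, so any header-bound field (Subject included)
// that contains a line break could smuggle in extra recipients. Returns the
// trimmed value, or null if it contains a line break.
function headerSafe(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) ? null : trim($value);
}

// The request must come from a logged-in session AND carry the token issued
// to that session. A Referer check alone is weak: browsers and proxies may
// strip it, and a script calling the page directly can set it to anything.
function requestIsAuthorized(array $session, array $post): bool
{
    if (empty($session['user_id'])) {
        return false;
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals((string)$session['csrf_token'], (string)$post['csrf_token']);
}

// Builds the mail() arguments, or returns null when authorization or
// validation fails so the caller can log and refuse instead of sending.
function buildNotification(array $session, array $post, string $recipient): ?array
{
    if (!requestIsAuthorized($session, $post) || !isSingleEmailAddress($recipient)) {
        return null;
    }
    $subject = headerSafe((string)($post['subject'] ?? ''));
    if ($subject === null || $subject === '') {
        return null;
    }
    // Headers are fixed server-side; nothing user-supplied goes into them.
    $headers = "From: noreply@example.com\r\n"      // placeholder sender
             . "X-Mailer: Mysite.com Web Portal";
    return [
        'to'      => $recipient,
        'subject' => $subject,
        'body'    => (string)($post['message'] ?? ''),
        'headers' => $headers,
    ];
}

// Constructed sample request, as it would arrive from the PM form.
$session = ['user_id' => 42, 'csrf_token' => bin2hex(random_bytes(16))];
$post    = ['csrf_token' => $session['csrf_token'],
            'subject'    => 'New private message',
            'message'    => 'You have a new message.'];
$recipientFromDb = 'member@example.org';          // constructed, from the member table

$mail = buildNotification($session, $post, $recipientFromDb);
if ($mail === null) {
    error_log('PM notification refused: failed authorization or validation');
} else {
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo "would send to {$mail['to']}\n";
}

// A subject carrying a smuggled Bcc line is refused before mail() is reached.
$bad = $post;
$bad['subject'] = "Hi\r\nBcc: a@example.net, b@example.net";
var_dump(buildNotification($session, $bad, $recipientFromDb));

// A request with no session (a direct call from another server) is refused too.
var_dump(buildNotification([], $post, $recipientFromDb));
```

The design choice worth noting is that the check runs inside the file that sends the mail, not only in the page that links to it: a request that arrives without a valid session and token gets no mail() call at all, regardless of which host it came from. Logging the refusals also gives you something to correlate against the X-PHP-Script lines your host quoted.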

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.