Hi Ive got a contact form called contact.php and a mailer.php which handles the script to process the info. This then redirects the user to a thankyou.php thanking them for their enquiry. It's all very simple and basic and works!
When I look at my server logs it seems that contact.php is getting requested by people viewing the site, followed, as you would expect by mailer.php. But that's where it ends - the thankyou.php is not getting called and I'm not receiving an email from mailer.php. This is increasingly happening - average about once or twice a day and when I look up the IP addresses - they originate from Vietnam and India etc. I'm UK based and I cant imagine anyone in India or Vietnam wanting to discuss my services so it's a bit disconcerting. I've tested all scripts myself and they all work perfectly ok, so my question is:
Is my script getting hijacked or something or what?
It maybe something quite simple, but if anyone has had any experience of it I would be very interested to hear your thoughts. I've included the scripts below:
<p><strong id="inner_main_form">Please use the form below to contact us.</strong></p><form action="mailer.php" method="post" name="contact_form"><p><label for="name" id="namelabel">Name: </label><input name="name" id="name" type="text"/></p><p><label for="details" id="detailslabel">Please let us know how to contact you </label><textarea name="details" id="details" type="text"></textarea></p><p><label for="company" id="companylabel">Company Name:</label><input name="company" id="company" type="text"/></p><p><label for="enquiry" id="enquirylabel">Enquiry / comments: </label><textarea name="enquiry" id="enquiry" type="text"></textarea></p><input type="submit" name="submit" value="Submit" id="submitter"/><input type="reset" name="reset" value="Reset" id="resetter"/></form>
Nogdog is right about the script being not a lot of interest from the point of view of header injection, but, the script is pretty crap. There is no validation routine and you're not even bothering to test to see whether variables even exist.
They may be able to use $msgBody to alter the headers. An e-mail is just a string of characters and $msgBody could be injected with headers....
Except that the "end of headers" marker will have already been encountered by the time the text in the message body is encountered, so text from that point forward should not matter with regards to header injection.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation