
Thread: stop people trying to hack my form
      
   

  1. #1
    Join Date
    Feb 2006
    Posts
    75

    stop people trying to hack my form

    Hi guys,
    People are always trying to hack my form; they upload files like xxxx.php.jpeg etc.

    Reading old posts by navaldesign, he said:

    You need to use code like

    // $file_key is the name of the file input being checked and $prefix the random
    // prefix added to stored filenames; both come from the surrounding processor code.
    $upload_Name1 = $_FILES[$file_key]['name'];
    $upload_Name = $prefix.str_replace(" ", "_", $upload_Name1);
    $upload_Size = ($_FILES[$file_key]['size']);
    $upload_Temp = ($_FILES[$file_key]['tmp_name']);
    // 'type' is the MIME type the browser reported for the file, not something PHP
    // derived from the file's contents.
    $upload_Type = ($_FILES[$file_key]['type']);
    if($upload_Type != "image/gif" AND $upload_Type != "image/pjpeg" AND $upload_Type != "image/jpeg" AND $upload_Type != "image/png" AND $upload_Type != "image/tiff" AND $upload_Type != "image/bmp"){
    $error1 = "$file_key file type is '$upload_Type' which is not allowed! \n";
    // Add here an "include" command to include an error page
    }

    My question is: where and how do I insert this code in the BV form processor,
    and will this still work if the uploaded file is named xxxxxx.php.jpeg?

    If there is a newer way to avoid these files, please enlighten me, as these posts were from 2005.

    thanks
    johnny

  2. #2
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    12,080

    Re: stop people trying to hack my form

    Unfortunately, you can't insert code in the standard BV built-in form processor.

    You can uncheck "Use built in form processor" in the form properties and insert the code (the same as the one the processor would add), adding your own custom code.

    If you wish, post the code you now have from your built-in form processor, and I will modify it for you.
    Navaldesign
    Logger Lite: Low Cost, Customizable, multifeatured Login script
    Instant Download Cart: a Powerful, Customized, in-site, DB-driven, e-products Cart
    DBTechnosystems.com Forms, Databases, Shopping Carts, Instant Download Carts, Login Systems and more....
    Advanced BlueVoda Form Processor : No coding form processor! Just install and use! Now with built in CAPTCHA!


  3. #3
    Join Date
    Feb 2006
    Posts
    75

    Re: stop people trying to hack my form

    Thanks for the help. I thought I had used BV, but I think I used WYSIWYG. Here is the code from one of my forms; I have three forms. Is it possible for you to highlight the changes in red so I can alter my other forms?

    <?php
    session_start();
    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
    if (isset($_POST['captcha_code'],$_SESSION['random_txt']) && md5($_POST['captcha_code']) == $_SESSION['random_txt'])
    {
    unset($_POST['captcha_code'],$_SESSION['random_txt']);
    }
    else
    {
    $errorcode = file_get_contents('./error.html');
    $replace = "##error##";
    $errorcode = str_replace($replace, 'The entered code was wrong.', $errorcode);
    echo $errorcode;
    exit;
    }
    }
    ?>
    <?php
    function ValidateEmail($email)
    {
    $pattern = '/^([0-9a-z]([-.\w]*[0-9a-z])*@(([0-9a-z])+([-\w]*[0-9a-z])*\.)+[a-z]{2,6})$/i';
    return preg_match($pattern, $email);
    }
    function RecursiveMkdir($path)
    {
    if (!file_exists($path))
    {
    RecursiveMkdir(dirname($path));
    mkdir($path, 0777);
    }
    }
    if($_SERVER['REQUEST_METHOD'] == 'POST')
    {
    $mailto = 'info@sameasiteverwas.co.uk';
    $mailfrom = isset($_POST['email']) ? $_POST['email'] : $mailto;
    $subject = 'Contact Information';
    $message = 'Values submitted from web site form:';
    $success_url = './success.html';
    $error_url = './error.html';
    $error = '';
    $eol = "\n";
    $max_filesize = isset($_POST['filesize']) ? $_POST['filesize'] * 1024 : 1024000;
    $upload_folder = "upload";
    $upload_folder = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME'])."/".$upload_folder;
    $boundary = md5(uniqid(time()));
    $header = 'From: '.$mailfrom.$eol;
    $header .= 'Reply-To: '.$mailfrom.$eol;
    $header .= 'MIME-Version: 1.0'.$eol;
    $header .= 'Content-Type: multipart/mixed; boundary="'.$boundary.'"'.$eol;
    $header .= 'X-Mailer: PHP v'.phpversion().$eol;
    if (!ValidateEmail($mailfrom))
    {
    $error .= "The specified email address is invalid!\n<br>";
    }
    $prefix = rand(111111, 999999);
    $i = 0;
    // initialise the per-file arrays so count() below is safe when no file was sent
    $upload_DstName = $upload_SrcName = $upload_Size = $upload_Temp = $upload_Type = $uploadlink = array();
    foreach ($_FILES as $key => $val) // each() is deprecated; foreach does the same job
    {
    if ($_FILES[$key]['name'] != "" and file_exists($_FILES[$key]['tmp_name']) and $_FILES[$key]['size'] > 0)
    {
    $upload_DstName[$i] = $prefix . "_" . str_replace(" ", "_", $_FILES[$key]['name']);
    $upload_SrcName[$i] = $_FILES[$key]['name'];
    $upload_Size[$i] = ($_FILES[$key]['size']);
    $upload_Temp[$i] = ($_FILES[$key]['tmp_name']);
    $upload_Type[$i] = ($_FILES[$key]['type']); // MIME type as reported by the browser
    $uploadlink[$i] = "$upload_folder/$upload_DstName[$i]";
    $upload_fieldname[$i] = $key;
    $upload_fieldname_final[$i] = ucwords(str_replace("_", " ", $key));
    $fieldvalue[$i] = $uploadlink[$i];
    // the size check has to run before $i++, otherwise it reads the next, still unset, index
    if ($upload_Size[$i] >= $max_filesize)
    {
    $error .= "The size of $key (file: $upload_SrcName[$i]) is bigger than the allowed " . $max_filesize/1024 . " Kbytes!\n";
    }
    $i++;
    }
    }
    if (!empty($error))
    {
    $errorcode = file_get_contents($error_url);
    $replace = "##error##";
    $errorcode = str_replace($replace, $error, $errorcode);
    echo $errorcode;
    exit;
    }
    $uploadfolder = basename($upload_folder);
    for ($i = 0; $i < count($upload_DstName); $i++)
    {
    $uploadFile = $uploadfolder . "/" . $upload_DstName[$i];
    if (!is_dir(dirname($uploadFile)))
    {
    RecursiveMkdir(dirname($uploadFile));
    }
    else
    {
    chmod(dirname($uploadFile), 0777);
    }
    move_uploaded_file($upload_Temp[$i] , $uploadFile);
    chmod($uploadFile, 0644);
    }
    $internalfields = array ("submit", "reset", "send", "captcha_code");
    $message .= $eol;
    $message .= "IP Address : ";
    $message .= $_SERVER['REMOTE_ADDR'];
    $message .= $eol;
    foreach ($_POST as $key => $value)
    {
    if (!in_array(strtolower($key), $internalfields))
    {
    if (!is_array($value))
    {
    $message .= ucwords(str_replace("_", " ", $key)) . " : " . $value . $eol;
    }
    else
    {
    $message .= ucwords(str_replace("_", " ", $key)) . " : " . implode(",", $value) . $eol;
    }
    }
    }
    if (count($upload_SrcName) > 0)
    {
    $message .= "\nThe following files have been uploaded:\n";
    for ($i = 0; $i < count($upload_SrcName); $i++)
    {
    $message .= $upload_SrcName[$i] . " Link: " . $uploadlink[$i] . "\n";
    }
    }
    $body = 'This is a multi-part message in MIME format.'.$eol.$eol;
    $body .= '--'.$boundary.$eol;
    $body .= 'Content-Type: text/plain; charset=ISO-8859-1'.$eol;
    $body .= 'Content-Transfer-Encoding: 8bit'.$eol;
    $body .= $eol.stripslashes($message).$eol;
    $body .= '--'.$boundary.'--'.$eol;
    mail($mailto, $subject, $body, $header);
    header('Location: '.$success_url);
    exit;
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Upload form.</title>
    <meta name="description" content="We often receive photographs in poor condition; we use the latest software and repair techniques to provide the best possible service. We offer photo restoration, colourisation and photo printing.">
    <meta name="keywords" content="restoration, colourisation, manipulation, missing corners, speckles, tears, rips, discolouration, water damage, creases, cracks, mould, fading">
    <meta name="author" content="jmbwebdesign">
    <meta name="categories" content="photo restoration">
    <meta name="generator" content="JMB Webdesign.co.uk">
    <style type="text/css">
    div#container
    {
    width: 800px;
    position: relative;
    margin-top: 0px;
    margin-left: auto;
    margin-right: auto;
    text-align: left;
    }
    </style>
    <style type="text/css">
    body
    {
    text-align: center;
    margin: 0;
    background-color: #FFFFFF;
    color: #000000;
    }
    </style>
    <style type="text/css">
    h2
    {
    font-family: Arial;
    font-size: 27px;
    font-weight: bold;
    font-style: normal;
    text-decoration: none;
    color: #000000;
    margin: 0 0 0 0;
    padding: 0 0 0 0;
    display: inline;
    }
    a
    {
    color: #000000;
    }
    a:hover
    {
    color: #0000FF;
    }
    </style>
    <script type="text/javascript">
    <!--
    function Validateupload_form(theForm)
    {
    var strFilter = /^[A-Za-z \t\r\n\f]*$/;
    var chkVal = theForm.Editbox1.value;
    if (!strFilter.test(chkVal))
    {
    alert("Please enter your name");
    theForm.Editbox1.focus();
    return false;
    }
    if (theForm.Editbox1.value == "")
    {
    alert("Please enter your name");
    theForm.Editbox1.focus();
    return false;
    }
    if (theForm.Editbox1.value.length < 1)
    {
    alert("Please enter your name");
    theForm.Editbox1.focus();
    return false;
    }
    if (theForm.Editbox1.value.length > 20)
    {
    alert("Please enter your name");
    theForm.Editbox1.focus();
    return false;
    }
    var strFilter = /^[A-Za-z \t\r\n\f0-9-]*$/;
    var chkVal = theForm.Editbox2.value;
    if (!strFilter.test(chkVal))
    {
    alert("Please enter you address");
    theForm.Editbox2.focus();
    return false;
    }
    if (theForm.Editbox2.value == "")
    {
    alert("Please enter you address");
    theForm.Editbox2.focus();
    return false;
    }
    if (theForm.Editbox2.value.length < 1)
    {
    alert("Please enter you address");
    theForm.Editbox2.focus();
    return false;
    }
    if (theForm.Editbox2.value.length > 30)
    {
    alert("Please enter you address");
    theForm.Editbox2.focus();
    return false;
    }
    var strFilter = /^[A-Za-z \t\r\n\f0-9-]*$/;
    var chkVal = theForm.Editbox5.value;
    if (!strFilter.test(chkVal))
    {
    alert("Please enter only letter, digit and whitespace characters in the \"address2\" field.");
    theForm.Editbox5.focus();
    return false;
    }
    var strFilter = /^[A-Za-z \t\r\n\f0-9-]*$/;
    var chkVal = theForm.Editbox11.value;
    if (!strFilter.test(chkVal))
    {
    alert("Please enter only letter, digit and whitespace characters in the \"address3\" field.");
    theForm.Editbox11.focus();
    return false;
    }
    var strFilter = /^[A-Za-z \t\r\n\f]*$/;
    var chkVal = theForm.Editbox3.value;
    if (!strFilter.test(chkVal))
    {
    alert("Please enter your city");
    theForm.Editbox3.focus();
    return false;
    }
    if (theForm.Editbox3.value == "")
    {
    alert("Please enter your city");
    theForm.Editbox3.focus();
    return false;
    }
    if (theForm.Editbox3.value.length < 1)
    {
    alert("Please enter your city");
    theForm.Editbox3.focus();
    return false;
    }
    if (theForm.Editbox3.value.length > 20)
    {
    alert("Please enter your city");
    theForm.Editbox3.focus();
    return false;
    }
    var strFilter = /^[A-Za-z \t\r\n\f0-9-]*$/;
    var chkVal = theForm.Editbox4.value;
    if (!strFilter.test(chkVal))
    {
    alert("Please enter your postcode");
    theForm.Editbox4.focus();
    return false;
    }
    if (theForm.Editbox4.value == "")
    {
    alert("Please enter your postcode");
    theForm.Editbox4.focus();
    return false;
    }
    if (theForm.Editbox4.value.length < 1)
    {
    alert("Please enter your postcode");
    theForm.Editbox4.focus();
    return false;
    }
    if (theForm.Editbox4.value.length > 20)
    {
    alert("Please enter your postcode");
    theForm.Editbox4.focus();
    return false;
    }
    if (theForm.Editbox12.value == "")
    {
    alert("Please enter your phone");
    theForm.Editbox12.focus();
    return false;
    }
    if (theForm.Editbox12.value.length < 5)
    {
    alert("Please enter your phone");
    theForm.Editbox12.focus();
    return false;
    }
    if (theForm.Editbox12.value.length > 15)
    {
    alert("Please enter your phone");
    theForm.Editbox12.focus();
    return false;
    }
    var strValue = theForm.Editbox9.value;
    var strFilter = /^([0-9a-z]([-.\w]*[0-9a-z])*@(([0-9a-z])+([-\w]*[0-9a-z])*\.)+[a-z]{2,6})$/i;
    if (!strFilter.test(strValue))
    {
    alert("Please enter your email");
    theForm.Editbox9.focus();
    return false;
    }
    if (theForm.Editbox9.value == "")
    {
    alert("Please enter your email");
    theForm.Editbox9.focus();
    return false;
    }
    if (theForm.Editbox9.value.length < 6)
    {
    alert("Please enter your email");
    theForm.Editbox9.focus();
    return false;
    }
    if (theForm.Editbox9.value.length > 120)
    {
    alert("Please enter your email");
    theForm.Editbox9.focus();
    return false;
    }
    return true;
    }
    //-->
    </script>
    </head>
    <body>
    <div id="container">
    <div id="wb_ImageMap1" style="margin:0;padding:0;position:absolute;left:0px;top:0px;width:800px;height:150px;text-align:left;z-index:29;">
    <img src="images/header_03.jpg" id="ImageMap1" alt="same as it ever was" usemap="#ImageMapImageMap0" border="0" title="Menu" style="width:800px;height:150px;">
    <map name="ImageMapImageMap0">
    <area shape="rect" coords="4,119,112,141" href="./index.html" target="" alt="home" title="home">
    <area shape="rect" coords="116,113,226,146" href="./restoration.html" target="" alt="restoration" title="restoration">
    <area shape="rect" coords="229,119,340,144" href="./colourisation.html" target="" alt="colourisation" title="colourisation">
    <area shape="rect" coords="344,114,451,147" href="./manipulation.html" target="" alt="manipulation" title="manipulation">
    <area shape="rect" coords="457,111,567,147" href="" target="" alt="upload photos" title="upload photos">
    <area shape="rect" coords="572,113,682,147" href="./faq_s.html" target="" alt="faqs and prices" title="faqs and prices">
    <area shape="rect" coords="685,113,798,148" href="./contact_us.html" target="" alt="contact_us" title="contact_us">
    </map>
    </div>
    <div id="wb_Text1" style="margin:0;padding:0;position:absolute;left:115px;top:167px;width:683px;height:47px;text-align:center;z-index:30;">
    <h2>Upload form.<br>
    </h2></div>
    <div id="wb_ImageMap2" style="margin:0;padding:0;position:absolute;left:0px;top:147px;width:115px;height:659px;text-align:left;z-index:31;">
    <img src="images/left-menu.jpg" id="ImageMap2" alt="left menu" usemap="#ImageMapImageMap1" border="0" title="left_menu" style="width:115px;height:659px;">
    <map name="ImageMapImageMap1">
    <area shape="rect" coords="3,3,112,163" href="./large_prints.html" target="" alt="large prints" title="large prints">
    <area shape="rect" coords="2,171,112,329" href="./slides.html" target="" alt="slides and negatives" title="slides and negatives">
    <area shape="rect" coords="6,334,113,491" href="./canvas_prints.html" target="" alt="canvas prints" title="canvas prints">
    <area shape="rect" coords="4,497,109,654" href="./memory_cards.html" target="" alt="data recovery" title="data recovery">
    </map>
    </div>
    <div id="wb_Text3" style="margin:0;padding:0;position:absolute;left:95px;top:1059px;width:682px;height:19px;text-align:center;z-index:32;">
    <font style="font-size:16px" color="#000000" face="Times New Roman"><a href="http://www.jmbwebdesign.co.uk">Copyright by JMBWEBDESIGN</a></font></div>
    <div id="wb_Form2" style="position:absolute;left:191px;top:210px;width:525px;height:806px;z-index:33">
    <form name="upload_form" method="post" action="<?php echo basename(__FILE__); ?>" enctype="multipart/form-data" id="Form2" onsubmit="return Validateupload_form(this)">
    <div id="wb_Captcha1" style="margin:0;padding:0;position:absolute;left:141px;top:697px;width:257px;height:41px;text-align:left;z-index:0;">
    <img src="captcha1.php" alt="Click for new image" title="Click for new image" style="cursor:pointer;width:115px;height:38px;" onclick="this.src='captcha1.php?'+Math.random()">
    <input type="text" id="Captcha1Edit" style="position:absolute;left:120px;top:18px;width:142px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;" name="captcha_code" value=""></div>
    <input type="text" id="Editbox1" style="position:absolute;left:141px;top:42px;width:255px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:1" name="name" value="">
    <input type="text" id="Editbox2" style="position:absolute;left:141px;top:67px;width:255px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:2" name="address1" value="">
    <input type="text" id="Editbox5" style="position:absolute;left:141px;top:91px;width:256px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:3" name="address2" value="">
    <input type="text" id="Editbox11" style="position:absolute;left:141px;top:115px;width:256px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:4" name="address3" value="">
    <input type="text" id="Editbox3" style="position:absolute;left:141px;top:140px;width:256px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:5" name="city" value="">
    <input type="text" id="Editbox4" style="position:absolute;left:141px;top:165px;width:256px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:6" name="postcode" value="">
    <input type="text" id="Editbox12" style="position:absolute;left:142px;top:190px;width:256px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:7" name="phone" value="">
    <input type="text" id="Editbox9" style="position:absolute;left:141px;top:215px;width:256px;height:18px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:8" name="email" value="">
    <div style="position:absolute;left:141px;top:261px;width:256px;height:20px;border:1px #C0C0C0 solid;z-index:9">
    <select name="required service" size="1" id="Combobox1" style="position:absolute;left:0px;top:0px;width:100%;height:100%;border-width:0px;font-family:Arial;font-size:13px;">
    <option></option>
    <option value="restoration">restoration</option>
    <option value="colourisation">colourisation</option>
    <option value="manipulation">manipulation</option>
    <option value="quote">quote</option>
    <option value="not sure">not sure</option>
    </select>
    </div>
    <div style="position:absolute;left:141px;top:287px;width:256px;height:20px;border:1px #C0C0C0 solid;z-index:10">
    <select name="return format" size="1" id="Combobox2" style="position:absolute; left:0px;top:0px;width:100%;height:100%;border-width:0px;font-family:Arial;font-size:13px;">
    <option value="Email + free P&P">Email + free P&P</option>
    <option value="CD + 2.99 Includes P&P (UK)">CD + 2.99 Includes P&P (UK)</option>
    <option value="Photograph 6x4 inches + 4.99 Includes P&P (UK)">Photograph 6x4 inches + 4.99 Includes P&P (UK)</option>
    <option value="Photograph 8x5 inches + 6.99 Includes P&P (UK)">Photograph 8x5 inches + 6.99 Includes P&P (UK)</option>
    </select>
    </div>
    <textarea name="Comments or Suggestions" id="TextArea1" style="position:absolute;left:141px;top:527px;width:256px;height:98px;border:1px #C0C0C0 solid;font-family:Courier New;font-size:13px;z-index:11" rows="5" cols="27"></textarea>
    <div id="wb_Text5" style="margin:0;padding:0;position:absolute;left:10px;top:216px;width:130px;height:18px;text-align:left;z-index:12;">
    <font style="font-size:16px" color="#000000" face="Arial">Email</font><font style="font-size:11px" color="#000000" face="Arial">: </font><font style="font-size:11px" color="#FF0000" face="Arial">*</font></div>
    <div id="wb_Text4" style="margin:0;padding:0;position:absolute;left:11px;top:42px;width:68px;height:18px;text-align:left;z-index:13;">
    <font style="font-size:16px" color="#000000" face="Arial">Name</font><font style="font-size:11px" color="#000000" face="Arial">:</font><font style="font-size:11px" color="#FF0000" face="Arial">*</font></div>
    <div id="wb_Text6" style="margin:0;padding:0;position:absolute;left:12px;top:68px;width:130px;height:18px;text-align:left;z-index:14;">
    <font style="font-size:16px" color="#000000" face="Arial">Address:</font><font style="font-size:16px" color="#FF0000" face="Arial">*</font></div>
    <div id="wb_Text7" style="margin:0;padding:0;position:absolute;left:10px;top:141px;width:128px;height:18px;text-align:left;z-index:15;">
    <font style="font-size:16px" color="#000000" face="Arial">City:</font><font style="font-size:16px" color="#FF0000" face="Arial">*</font></div>
    <div id="wb_Text2" style="margin:0;padding:0;position:absolute;left:9px;top:192px;width:130px;height:18px;text-align:left;z-index:16;">
    <font style="font-size:16px" color="#000000" face="Arial">Phone</font><font style="font-size:11px" color="#000000" face="Arial">:</font><font style="font-size:11px" color="#FF0000" face="Arial">*</font></div>
    <div id="wb_Text8" style="margin:0;padding:0;position:absolute;left:10px;top:262px;width:128px;height:18px;text-align:left;z-index:17;">
    <font style="font-size:16px" color="#000000" face="Arial">Required service</font></div>
    <div id="wb_Text10" style="margin:0;padding:0;position:absolute;left:10px;top:289px;width:128px;height:18px;text-align:left;z-index:18;">
    <font style="font-size:16px" color="#000000" face="Arial">Return format</font></div>
    <div id="wb_Text11" style="margin:0;padding:0;position:absolute;left:115px;top:337px;width:294px;height:38px;text-align:center;z-index:19;">
    <font style="font-size:16px" color="#808080" face="Arial"><i>File Upload 300dpi (up to 4Mb each file).</i></font><font style="font-size:16px" color="#000000" face="Times New Roman"><br>
    </font><font style="font-size:16px" color="#808080" face="Arial"><i>This may take some time.</i></font></div>
    <input type="file" id="FileUpload1" style="position:absolute;left:141px;top:383px;width:256px;height:21px;font-family:Courier New;font-size:13px;z-index:20" name="FileUpload1">
    <input type="file" id="FileUpload2" style="position:absolute;left:141px;top:410px;width:256px;height:21px;font-family:Courier New;font-size:13px;z-index:21" name="FileUpload2">
    <input type="file" id="FileUpload3" style="position:absolute;left:141px;top:437px;width:256px;height:21px;font-family:Courier New;font-size:13px;z-index:22" name="FileUpload3">
    <div id="wb_Text12" style="margin:0;padding:0;position:absolute;left:141px;top:495px;width:258px;height:19px;text-align:center;z-index:23;">
    <font style="font-size:16px" color="#666666" face="Arial"><i>Comments / Questions / Enquiries</i></font></div>
    <div id="wb_Text13" style="margin:0;padding:0;position:absolute;left:141px;top:654px;width:258px;height:38px;text-align:center;z-index:24;">
    <font style="font-size:16px" color="#666666" face="Arial"><i>Please input the verification code as seen in the image.</i></font></div>
    <input type="submit" id="Button1" name="upload" value="Upload" style="position:absolute;left:140px;top:760px;width:96px;height:25px;font-family:Arial;font-size:13px;z-index:25">
    <input type="reset" id="Button2" name="reset" value="Reset" style="position:absolute;left:300px;top:760px;width:96px;height:25px;font-family:Arial;font-size:13px;z-index:26">
    <div id="wb_Text9" style="margin:0;padding:0;position:absolute;left:10px;top:167px;width:130px;height:18px;text-align:left;z-index:27;">
    <font style="font-size:16px" color="#000000" face="Arial">Postcode </font><font style="font-size:16px" color="#FF0000" face="Arial">*</font></div>
    <div id="wb_Text14" style="margin:0;padding:0;position:absolute;left:141px;top:316px;width:260px;height:16px;text-align:center;z-index:28;">
    <font style="font-size:13px" color="#FF0000" face="Arial">* Mandatory fields</font></div>
    </form>
    </div>
    </div>
    </body>
    </html>


    Hope I've copied it right.

    thanks

    johnny

  4. #4
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    12,080

    Re: stop people trying to hack my form

    <?php
    function ValidateEmail($email)
    {
    $pattern = '/^([0-9a-z]([-.\w]*[0-9a-z])*@(([0-9a-z])+([-\w]*[0-9a-z])*\.)+[a-z]{2,6})$/i';
    return preg_match($pattern, $email);
    }
    function RecursiveMkdir($path)
    {
    if (!file_exists($path))
    {
    RecursiveMkdir(dirname($path));
    mkdir($path, 0777);
    }
    }
    if($_SERVER['REQUEST_METHOD'] == 'POST')
    {
    $mailto = 'info@sameasiteverwas.co.uk';
    $mailfrom = isset($_POST['email']) ? $_POST['email'] : $mailto;
    $subject = 'Contact Information';
    $message = 'Values submitted from web site form:';
    $success_url = './success.html';
    $error_url = './error.html';
    $error = '';
    $eol = "\n";
    $max_filesize = isset($_POST['filesize']) ? $_POST['filesize'] * 1024 : 1024000;
    $upload_folder = "upload";
    $upload_folder = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME'])."/".$upload_folder;
    $boundary = md5(uniqid(time()));
    $header = 'From: '.$mailfrom.$eol;
    $header .= 'Reply-To: '.$mailfrom.$eol;
    $header .= 'MIME-Version: 1.0'.$eol;
    $header .= 'Content-Type: multipart/mixed; boundary="'.$boundary.'"'.$eol;
    $header .= 'X-Mailer: PHP v'.phpversion().$eol;
    if (!ValidateEmail($mailfrom))
    {
    $error .= "The specified email address is invalid!\n<br>";
    }
    $prefix = rand(111111, 999999);
    $i = 0;
    // initialise the per-file arrays so count() below is safe when no file was sent
    $upload_DstName = $upload_SrcName = $upload_Size = $upload_Temp = $upload_Type = $uploadlink = array();
    foreach ($_FILES as $key => $val) // each() is deprecated; foreach does the same job
    {
    if ($_FILES[$key]['name'] != "" and file_exists($_FILES[$key]['tmp_name']) and $_FILES[$key]['size'] > 0)
    {
    $upload_DstName[$i] = $prefix . "_" . str_replace(" ", "_", $_FILES[$key]['name']);
    $upload_SrcName[$i] = $_FILES[$key]['name'];
    $upload_Size[$i] = ($_FILES[$key]['size']);
    $upload_Temp[$i] = ($_FILES[$key]['tmp_name']);
    // MIME type as reported by the browser; it is not derived from the file's contents
    $upload_Type[$i] = ($_FILES[$key]['type']);
    if($upload_Type[$i] != "image/gif" AND $upload_Type[$i] != "image/pjpeg" AND $upload_Type[$i] != "image/jpeg" AND $upload_Type[$i] != "image/png" AND $upload_Type[$i] != "image/tiff" AND $upload_Type[$i] != "image/bmp"){
    $error .= "$key file type is '$upload_Type[$i]' which is not allowed! \n";
    }
    else{
    $uploadlink[$i] = "$upload_folder/$upload_DstName[$i]";
    $upload_fieldname[$i] = $key;
    $upload_fieldname_final[$i] = ucwords(str_replace("_", " ", $key));
    $fieldvalue[$i] = $uploadlink[$i];
    // the size check has to run before $i++, otherwise it reads the next, still unset, index
    if ($upload_Size[$i] >= $max_filesize)
    {
    $error .= "The size of $key (file: $upload_SrcName[$i]) is bigger than the allowed " . $max_filesize/1024 . " Kbytes!\n";
    }
    $i++;
    }
    }
    } // end of the file loop; everything below runs once, after all files have been checked
    if (!empty($error))
    {
    $errorcode = file_get_contents($error_url);
    $replace = "##error##";
    $errorcode = str_replace($replace, $error, $errorcode);
    echo $errorcode;
    exit;
    }
    $uploadfolder = basename($upload_folder);
    for ($i = 0; $i < count($upload_DstName); $i++)
    {
    $uploadFile = $uploadfolder . "/" . $upload_DstName[$i];
    if (!is_dir(dirname($uploadFile)))
    {
    RecursiveMkdir(dirname($uploadFile));
    }
    else
    {
    chmod(dirname($uploadFile), 0777);
    }
    move_uploaded_file($upload_Temp[$i] , $uploadFile);
    chmod($uploadFile, 0644);
    }
    $internalfields = array ("submit", "reset", "send", "captcha_code");
    $message .= $eol;
    $message .= "IP Address : ";
    $message .= $_SERVER['REMOTE_ADDR'];
    $message .= $eol;
    foreach ($_POST as $key => $value)
    {
    if (!in_array(strtolower($key), $internalfields))
    {
    if (!is_array($value))
    {
    $message .= ucwords(str_replace("_", " ", $key)) . " : " . $value . $eol;
    }
    else
    {
    $message .= ucwords(str_replace("_", " ", $key)) . " : " . implode(",", $value) . $eol;
    }
    }
    }
    if (count($upload_SrcName) > 0)
    {
    $message .= "\nThe following files have been uploaded:\n";
    for ($i = 0; $i < count($upload_SrcName); $i++)
    {
    $message .= $upload_SrcName[$i] . " Link: " . $uploadlink[$i] . "\n";
    }
    }
    $body = 'This is a multi-part message in MIME format.'.$eol.$eol;
    $body .= '--'.$boundary.$eol;
    $body .= 'Content-Type: text/plain; charset=ISO-8859-1'.$eol;
    $body .= 'Content-Transfer-Encoding: 8bit'.$eol;
    $body .= $eol.stripslashes($message).$eol;
    $body .= '--'.$boundary.'--'.$eol;
    mail($mailto, $subject, $body, $header);
    header('Location: '.$success_url);
    exit;
    }
    ?>
    Navaldesign


  5. #5
    Join Date
    Feb 2006
    Posts
    75

    Re: stop people trying to hack my form

    Thanks for that. Is there any danger when the file types are "xxxxxx.php.jpg"?

    thanks
    johnny

  6. #6
    Join Date
    Apr 2008
    Location
    The Dark Side
    Posts
    559

    Re: stop people trying to hack my form

    Just a thought. In the properties of the upload box, under Validate, you have the option to allow only the file extensions you wish to have uploaded, i.e. .jpg or .png. That way, if it isn't one of those, they get the warning. I personally have this set to only accept .zip, as I can then scan it before opening.
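The three questions in this thread (does the MIME-type check in post #4 catch a file named xxxxxx.php.jpeg, is there any danger with such names, and is an extension allow-list as in post #6 enough) come down to one point: the 'type' field in $_FILES is sent by the browser, and the filename is chosen by the uploader, so neither can be trusted on its own. The function below is an added example, not code from this thread, from Navaldesign's processor or from the form builder. It checks a single $_FILES entry in the order a defender wants: PHP's own error code, is_uploaded_file(), size, an extension allow-list applied to the last extension, a content sniff with the fileinfo extension, a decode with getimagesize(), and finally storage under a random name so the uploader's filename never reaches the disk. It assumes PHP 7.1 or later with the fileinfo extension, and a writable "upload" directory next to the script; the function name validate_image_upload, its return shape and the 4 MB limit taken from the form page are my own choices.

```php
<?php
// Added example: server-side check for one entry of $_FILES that does not rely on
// the browser-supplied 'type' field or on the uploader's filename.
// Assumes PHP 7.1+ with the fileinfo extension. Function name and return shape are
// illustrative, not part of the thread's processor code.

function validate_image_upload(array $file, string $dest_dir, int $max_bytes)
{
    // Accepted extensions, mapped to the MIME type the file's bytes must really have.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );

    // 1. PHP's own status code: partial uploads, php.ini size limits, no file at all.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'upload failed (PHP error code ' . (int) ($file['error'] ?? -1) . ')');
    }
    // 2. Only touch files that really arrived through this HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not an uploaded file');
    }
    if ($file['size'] <= 0 || $file['size'] > $max_bytes) {
        return array(false, 'file is empty or larger than ' . intdiv($max_bytes, 1024) . ' KB');
    }
    // 3. Extension allow-list on the LAST extension only. A name like "photo.php.jpg"
    //    passes this step (its last extension is jpg); steps 4 to 6 are what make
    //    that harmless.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return array(false, "extension '$ext' is not allowed");
    }
    // 4. Sniff the actual bytes. $_FILES[...]['type'] is whatever the client claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($file['tmp_name']);
    if ($real !== $allowed[$ext]) {
        return array(false, "content is '$real', not a $ext image");
    }
    // 5. It must also decode as an image (valid header, readable dimensions).
    if (@getimagesize($file['tmp_name']) === false) {
        return array(false, 'file is not a valid image');
    }
    // 6. Throw the client's filename away: random name, one known extension.
    //    The original name can still be quoted in the notification e-mail.
    $safe = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    $dest = rtrim($dest_dir, '/') . '/' . $safe;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'could not store file');
    }
    chmod($dest, 0644);
    return array(true, $safe);
}

// How it slots into the processor's file loop, in place of the 'type' string comparison.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $max_filesize  = 4 * 1024 * 1024;   // 4 MB, the limit stated on the upload form page
    $upload_folder = 'upload';
    $error         = '';
    $uploadlink    = array();
    foreach ($_FILES as $key => $file) {
        if ($file['name'] === '') {
            continue;                    // empty file input, nothing to check
        }
        list($ok, $result) = validate_image_upload($file, $upload_folder, $max_filesize);
        if (!$ok) {
            $error .= "$key: $result\n";
            continue;
        }
        $uploadlink[$key] = $upload_folder . '/' . $result;
    }
    // $error and $uploadlink are then used exactly as the original processor uses them.
}
```

Two design notes. The random storage name is what answers post #5: whatever the uploader called the file, nothing named *.php ever lands in the upload directory, so the web server has no script to execute. Separately, and independent of this code, the upload directory itself should be configured so the server never executes anything stored there (for Apache, a .htaccess that disables the PHP handler in that directory); a valid JPEG can still carry arbitrary bytes in its comment fields, and that configuration is the layer that makes such bytes inert. A client-side allow-list such as the one in post #6 is a convenience for honest users; the server-side check above is the control.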
