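/**
 * Prüft Formularversand und übergebene Variablen.
 *
 * Three checks, in order: the request must carry a User-Agent header and be a
 * POST; when $domainname is given, the Referer host must be one of the allowed
 * domains; finally none of the supplied values may contain an e-mail header
 * fragment (mail header injection).
 *
 * The Referer header is supplied by the client, so the domain check only
 * stops accidental cross-site posts; it is not a substitute for a CSRF token.
 *
 * @todo Fehleranzeige verbessern (die()-Aufruf ist hier nicht gut)
 *
 * @link http://www.alt-php-faq.org/local/115 How do I stop spammers using header injection with my PHP Scripts?
 * @param string|array       $postvars   zu prüfende POST-Variablen (ein Wert oder ein ggf. verschachteltes Array)
 * @param string|array|false $domainname erlaubte Domainnamen (ist kein Name angegeben, wird diese Prüfung ignoriert)
 * @return bool TRUE wenn alle Prüfungen bestanden wurden, FALSE wenn nichts zu prüfen war.
 *              A request that fails a check does not return: the function sends a
 *              403 response and terminates the script (calling logBadRequest()
 *              for referer and header-injection failures).
 */
function gbook_formularPostCheck($postvars, $domainname = false)
{
    // Nothing to check -> FALSE. '' and an empty array are treated alike:
    // whoever calls this function should hand over at least one value.
    if (!isset($postvars) || $postvars === '' || $postvars === array()) {
        return false;
    }

    // First, make sure the form was posted from a browser.
    // For basic web-forms, we don't care about anything
    // other than requests from a browser.
    if (!isset($_SERVER['HTTP_USER_AGENT'])) {
        die("Forbidden - You are not authorized to view this page");
    }

    // Make sure the form was indeed POST'ed (requires the html form to use method="post").
    // The previous condition `!$_SERVER['REQUEST_METHOD'] == "POST"` negated the
    // string before comparing and therefore never rejected anything.
    if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        die("Forbidden - You are not authorized to view this page");
    }

    /*
     * Dies ist nur ein Entwicklungs-Hack.
     * Wenn kein Domainname übergeben wurde, ignoriere diese Prüfung.
     *
     * Hier muss noch eine Lösung her, wie Domainnamen sinnvoll übergeben werden können,
     * in Bezug auf Entwicklungsumgebung/Produktivumgebung.
     */
    if ($domainname !== false) {
        // Host names from where the form is authorized to be posted from,
        // lower-cased because host names compare case-insensitively.
        $authHosts = is_array($domainname) ? $domainname : array($domainname);
        $authHosts = array_map('strtolower', $authHosts);

        // Where have we been posted from? A missing or unparsable Referer
        // is treated like an unauthorised host instead of raising notices.
        $referer = isset($_SERVER['HTTP_REFERER']) ? strtolower($_SERVER['HTTP_REFERER']) : '';
        $fromArray = ($referer === '') ? false : parse_url($referer);
        $fromHost = (is_array($fromArray) && isset($fromArray['host'])) ? $fromArray['host'] : '';

        // Strip a leading "www." only. The previous code searched for "www."
        // anywhere in the host and then dropped the first label, which also
        // mangled hosts such as "mail.www.example.com".
        if (substr($fromHost, 0, 4) === 'www.') {
            $fromHost = substr($fromHost, 4);
        }

        // Make sure the form was posted from an approved host name.
        if ($fromHost === '' || !in_array($fromHost, $authHosts, true)) {
            logBadRequest();
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }

    // Attempt to defend against header injections. Header names are
    // case-insensitive, so the comparison below is case-insensitive too
    // ("BCC:" must be caught as well as "bcc:").
    $badStrings = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");

    // Walk every value, descending into nested arrays (PHP builds those from
    // field names like name[]); strpos() on an array would otherwise fail.
    $queue = is_array($postvars) ? array_values($postvars) : array($postvars);
    while ($queue) {
        $value = array_pop($queue);
        if (is_array($value)) {
            foreach ($value as $inner) {
                $queue[] = $inner;
            }
            continue;
        }
        if (!is_scalar($value)) {
            // null / objects cannot carry a header fragment; nothing to test
            continue;
        }
        $value = (string) $value;
        foreach ($badStrings as $badString) {
            if (stripos($value, $badString) !== false) {
                logBadRequest();
                header("HTTP/1.0 403 Forbidden");
                exit;
            }
        }
    }

    // Made it past the spammer test.
    return true;
}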
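// Strings that must not appear in any POSTed value: mail header fragments
// (header injection) plus a few patterns seen in earlier abuse.
$badStrings = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:", "multipart/mixed", "*****@*****.**", "*****@*****.**", "hometown.aol.com");

// Loop through each POST'ed value and test if it contains one of the
// $badStrings. Nested arrays (from field names like name[]) are descended
// into rather than handed to strpos(), and the match is case-insensitive
// because mail header names are ("BCC:" is as dangerous as "bcc:").
$_postQueue = array_values($_POST);
while ($_postQueue) {
    $v = array_pop($_postQueue);
    if (is_array($v)) {
        foreach ($v as $inner) {
            $_postQueue[] = $inner;
        }
        continue;
    }
    if (!is_scalar($v)) {
        continue;
    }
    $v = (string) $v;
    foreach ($badStrings as $v2) {
        if (stripos($v, $v2) !== false) {
            logBadRequest();
            require("offensive/403.php");
            // Stop here: once the request is classified as abuse the rest of
            // the script must not run (previously it continued after the require).
            exit;
        }
    }
}
unset($_postQueue);
ob_end_flush();

/**
 * Notifies the site owner by e-mail that the contact form was abused.
 *
 * Uses the remote address as the only identifier in the subject and relies on
 * requestDetail() (defined elsewhere in this file) for the body.
 *
 * @return void
 */
function logBadRequest()
{
    // REMOTE_ADDR is set by the web server; it is absent when run from the CLI.
    $remoteAddr = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : 'unknown';
    // The subject is a mail header line, so no line break may end up in it.
    $remoteAddr = str_replace(array("\r", "\n"), '', $remoteAddr);
    $subject = "[" . $remoteAddr . "] - contact form abuse";
    mail(
        "*****@*****.**",
        $subject,
        $subject . "\n\n" . requestDetail(),
        "From: themaxx.com contact form"
    );
}

if( isset($_POST['body']) && "" != ($body = $_POST['body'])) {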