Please Help!!! My contact form was exploited. What did I do wrong?

I got the PHP code from W3C Tutorials.

```php
<?php
function spamcheck($field) {
    // filter_var() sanitizes the e-mail address using FILTER_SANITIZE_EMAIL
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    // filter_var() validates the e-mail address using FILTER_VALIDATE_EMAIL
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

if (isset($_REQUEST['email'])) { // if "email" is filled out, proceed
    // check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == FALSE) {
        echo "Invalid input";
    } else { // send email
        $email   = $_REQUEST['email'];
        $subject = $_REQUEST['subject'];
        $message = $_REQUEST['message'];
        // recipient address appears obfuscated in the post as "[email protected]"
        mail("[email protected]", "Subject: $subject", $message, "From: $email");
        echo "Thank you for contacting us. We will get back to you shortly";
    }
} else { // if "email" is not filled out, display the form
    // the HTML form markup did not survive in the post; only the field labels remain
    echo "
Email:
Subject:
Message:

";
}
?>
```

What happened? I don’t know what you mean by exploited.

Hi Matt. I am not very good with PHP. I used this PHP form code to create a module for a Joomla website. As soon as I installed this module into the Joomla website, I was hacked within 30 min. As far as I know, the contact form was exploited, or injected.

The hacker was able to edit all the files stored on the server. He added his code to all of my .php files, in the header and footer of the website. As far as I know, this was called an Evil Exploit.

I just wanted to know what I did wrong. Why was the PHP contact form not safe, and why was it so easy to hack?

Hope you can help.
Thanks

I don’t believe this form is the cause. Do you happen to have wordpress installed anywhere on the same server?

Hi Matt.

Yes, I had WordPress on the same server. How safe is the PHP form above? Is it safe enough to use? Can I do something to make it more secure?

The form is fine. Worst case scenario, you might get a ton of emails from bots without a captcha.

WordPress is most likely what was exploited. I have seen it exploited exactly like that on my own servers before.
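For anyone who lands here with the same "can I make it more secure?" question, below is a hardened version of the posted handler, added here as an example; it is not code from this thread or from the tutorial the poster used. It assumes hypothetical mailbox addresses on the site's own domain (webmaster@example.com, noreply@example.com), PHP 7.2 or later (so mail() accepts its headers as an array) and an HTML form that POSTs the fields email, subject and message plus a hidden honeypot field named website. It shows the three things a reviewer would flag in the original: fields that end up in mail headers are checked for CR/LF before use, the visitor's address goes into Reply-To rather than From (so the site's own SPF/DMARC records still match), and input is read from $_POST only instead of $_REQUEST.

```php
<?php
// Hardened contact handler (added example, not the thread's or the tutorial's code).
// Assumptions: hypothetical mailboxes on this site's domain, PHP 7.2+ for the array
// form of mail() headers, and a hidden honeypot field named 'website' in the form.

const CONTACT_RECIPIENT = 'webmaster@example.com'; // hypothetical
const CONTACT_SENDER    = 'noreply@example.com';   // hypothetical, a mailbox on this domain
const MAX_SUBJECT_LEN   = 200;
const MAX_MESSAGE_LEN   = 5000;

/**
 * Validate the submitted fields without sending anything.
 * Returns ['ok' => true, 'fields' => [...]] or ['ok' => false, 'errors' => [...]].
 */
function validate_contact(array $post): array
{
    $errors = [];

    // Honeypot: browsers leave the hidden field empty, naive form bots fill every input.
    if (!empty($post['website'] ?? '')) {
        return ['ok' => false, 'errors' => ['rejected']];
    }

    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // FILTER_VALIDATE_EMAIL already rejects CR/LF, but nothing that reaches a
    // header line may contain a line break, so check explicitly and fail closed.
    foreach (['email' => $email, 'subject' => $subject] as $name => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$name contains a line break (header injection attempt)";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($subject === '' || strlen($subject) > MAX_SUBJECT_LEN) {
        $errors[] = 'subject is empty or too long';
    }
    if (trim($message) === '' || strlen($message) > MAX_MESSAGE_LEN) {
        $errors[] = 'message is empty or too long';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'fields' => ['email' => $email, 'subject' => $subject, 'message' => $message]];
}

/**
 * Build the four mail() arguments. From: is always our own domain so the
 * receiving server's SPF/DMARC checks pass; the visitor's address is only
 * ever a header value (Reply-To), never a header name or a raw header line.
 */
function build_mail_args(array $fields): array
{
    $headers = [
        'From'         => CONTACT_SENDER,
        'Reply-To'     => $fields['email'],
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // A fixed prefix lets the mailbox filter form traffic; the subject is not a header string here.
    return [CONTACT_RECIPIENT, '[Contact form] ' . $fields['subject'], $fields['message'], $headers];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {       // read $_POST only, never $_REQUEST (GET and cookies too)
    $result = validate_contact($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        echo 'Invalid input';                      // do not echo the individual errors back to a bot
        exit;
    }
    [$to, $subject, $body, $headers] = build_mail_args($result['fields']);
    if (mail($to, $subject, $body, $headers)) {
        echo 'Thank you for contacting us. We will get back to you shortly';
    } else {
        http_response_code(500);
        echo 'Mail could not be sent';
    }
}
```

validate_contact() is a pure function, so it can be unit-tested with constructed $_POST arrays (for instance a subject containing "\r\nBcc: victim@example.org" must come back with ok => false) without a mail server in the loop. None of this would have stopped the file-modifying intrusion described earlier in the thread, which is consistent with the reply above that the form was not the entry point; it only closes the header-injection and spam-relay gaps a contact form itself can open.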

Hi Matt. Thanks for your feedback. I guess it was the WordPress site. Thanks
