我在文件中有以下代码,当变量$action等于某个值时,将一条消息添加到数据库中,然后向用户发送一封电子邮件,通知他们该消息.简单.
在过去几天中,已经向数据库添加了垃圾邮件,并向用户发送了电子邮件,通知他们新邮件.不是很多而不是一次性,只是随机时间和内容,但显然是垃圾邮件.
我设置脚本,以便如果$from变量不等于0然后不继续,但它似乎以某种方式绕过(所有黑客条目进入db show from_userid = 0)
我正在使用cookie来检查用户是否已登录 - 当用户登录cookie时设置.
问题:有什么地方我可以看看我是如何被黑客攻击的,如果我使用session而不是cookie,这会阻止文件被访问/被黑客攻击吗?
下面是代码:
// check a user logged in as soon as file accessed
if (!isset($_COOKIE['cookieName'])) { header("Location: /userlogin.html); }
现在检查$action变量并继续
$action = $_POST['action'];
if (($action=='contact') && ($_POST['from'])){ // AA
require_once '/home/php/lib/setup.inc';
require_once '/home/php/lib/dbconnect.inc';
$from = mysql_real_escape_string($_POST['from']);
$to = mysql_real_escape_string($_POST['to']);
$from_name = mysql_real_escape_string($_POST['from_name']);
$body = mysql_real_escape_string($_POST['body']);
$reply_id = mysql_real_escape_string($_POST['reply_id']);
$body = nl2br($body);
// add message to db
if($from!='0'){ // BB
$additem = mysql_query("
insert into user_messages (
from_userid,
to_userid,
from_name,
message_contents,
reply_to_id,
msg_read
)
VALUES (
'$from',
'$to',
'$from_name',
'$body',
'$reply_id',
'No'
)",$db
);
if(!$additem) { echo mysql_error(); exit; } // debug
// send email notif for message
$result20 = mysql_query("select name, emailaddr from users where (user_id = '$to')",$db);
if(!$result20) { echo 'result error'; echo mysql_error(); exit; } // debug
$databack20 = mysql_fetch_array($result20);
$title = 'title';
$currentdate = date("d");
$month = date("m"); // "02"
$currentmonth = date("F", mktime(0, 0, 0, $month));
$currentyear = date("Y");
$email = file_get_contents('/home/public_html/pages/html_email_templates/buddymessage.php');
$email = str_replace(">name<","$from_name",$email);
$email = str_replace(">name2<","$databack20[name]",$email);
// setting Content-type header
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
// Additional headers
$headers .= 'From: siteName <info@siteName.com>' . "\r\n";
//send mail
mail("$databack20[emailaddr]", "siteName Message", "$email", "$headers");
$success = "Message sent to $databack20[name]";
} // BB
} // AA
这里真正的问题似乎是任何人都可以提交任何POST请求,而且你不会检查它是否真的是他们.这是真的容易使一个机器人,做以下(与使用00中from的替代0,从而绕过你的"安全" -我建议强制转换为int,而不是:$from = (int)$from再检查if ($from > 0),但是这不是你真正的问题):
POST http://www.domain.com/contact.php
行动= 接触&
从= 00&
体= 垃圾&
FROM_NAME = 垃圾邮件发送者及
到= 1POST http://www.domain.com/contact.php
行动= 接触&
从= 00&
体= 垃圾&
FROM_NAME = 垃圾邮件发送者及
到= 2 < -在一个循环永远增加
它甚至可以用PHP编写,如下所示:
<?php
$curlHandle = curl_init();
for ($i = 1; $i < 10000; $i++) {
curl_setopt_array($curlHandle, array(
CURLOPT_URL => "http://www.domain.com/contact.php",
CURLOPT_POST => true,
CURLOPT_COOKIE => "cookieName: yep",
CURLOPT_POSTFIELDS => array(
"action" => "contact",
"from" => rand(1, 10000),
"to" => $i,
"body" => "Spam",
"from_name" => "Spambot"
)
));
curl_exec($curlHandle);
}
?>
所以相反,你应该检查使用$_SESSIONcookie来查看它是谁.也许还限制一个人每隔n分钟才能发送一条消息.