SQL Injection?

[focus]

I think someone has used SQL to send lots of emails using the PHP pages i have. i just received 100 emails at the exact same time. Can someone please advise how i can stop this from happening? I have deleted the whole website from the server for the time being so they cannot keep doing it.

My code is below:

PHP Code:

<?php
    

function is_valid_email($from_email)
{
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s\'"<>]+\.+[a-z]{2,6}))$#si', $from_email);
} 


$headers =      "From: bla@hotmail.com\r\n";

$headers .=     "MIME-Version: 1.0\r\n"
      . "Content-Type: text/html; charset=\"iso-8859-1\"\r\n"
    . "Content-Transfer-Encoding: 7bit\r\n"; 
    
$to_email = "bla@hotmail.com";
$subject = "Get-Stepping Order";
$productid.=$_POST['productid']."\n" ;
$sneakername.=$_POST['sneakername']."\n" ;
$fullname.=$_POST['fullname']."\n" ;
$size.=$_POST['size'] ."\n" ;
$address.=$_POST['address'] ."\n" ;
$suburb.=$_POST['suburb']."\n" ;
$city.=$_POST['city']."\n" ;
$state.=$_POST['state'] ."\n" ;
$postcode.=$_POST['postcode']."\n" ;
$phone2.=$_POST['phone2']."\n" ;
$phone.=$_POST['phone'] ."\n" ;
$from_email.=$_POST['from_email']."\n" ;
$payment.=$_POST['payment']."\n" ;
$comment.=$_POST['comment']."\n" ;




$message = "


<body>
<b>Sneaker Order:</b><br>
<p>Click on the below image to enlarge it.</p>

<a href='http://i1016.photobucket.com/albums/af289/freshkicks2010/16649.jpg'>
<img src='http://i1016.photobucket.com/albums/af289/freshkicks2010/16649.jpg' width='182' height='135' alt='www.freshkicks.com.au'></a>

<br> <br>

<b>Product ID:</b><br>
$productid

<br> <br>

<b>Sneaker Name:</b><br>
$sneakername

<br> <br>

<b>Full Name:</b><br>
$fullname

<br> <br>

<b>Shoe Size:</b><br>
$size

<br> <br>

<b>Street Address:</b><br>
$address
    
<br> <br>

<b>Suburb:</b><br>
$suburb
    
<br> <br>

<b>City:</b><br>
$city

<br> <br>
    
<b>State:</b><br>
$state
    
<br> <br>

<b>Post Code:</b><br>
$postcode

<br> <br>    

<b>Contact Number</b><br>
$phone

<br> <br>
    
<b>Email:</b><br>
$from_email
    
<br> <br>

<b>Payment Method:</b><br>
$payment
    
<br> <br>

<b>Comment:</b><br>
$comment

<br> <br>

<b>Terms & Conditions:</b><br>
I $fullname, have read and agreed with the terms & conditions.

<br> <br>
<br> <br>







</body>
";
    
    
$sent = mail($to_email, $subject, $message, $headers) ;


?>
  </p>
</p>
<p><br>
  <a href="../../mens.html">Click here to go back to continue shopping</a></p>
</div>

[smithee]

I assume that the e-mails in this code are hard-coded for testing purposes, as you have To and From written as the same e-mail address. In most occasions, if a user is filling out an enquiry form online and an e-mail is sent as a result, this can easily be tampered with by simply what the user types in. Use the function mysql_real_escape_string, as explained here:

http://uk2.php.net/manual/en/functio...ape-string.php

[focus]

Can you please confirm that the below is how i implment that code?

For example:

$to_email= mysql_real_escape_string($_POST['to_email']);
$subject = mysql_real_escape_string($_POST['subject']);
$productid = mysql_real_escape_string($_POST['productid']);

and then under it i'll have

$to_email = "bla@hotmail.com";
$subject = "Get-Stepping Order";
$productid.=$_POST['productid']."\n" ;

[misson]

Don't use mysql_real_escape_string to prepare data for an email; it's only to be used with the old mysql driver (which is very outdated, so you shouldn't be using it) to prepare data for insertion into a database. The code you posted involves no SQL queries, so it can't be vulnerable to SQL injection. User input is only interpolated into the message body, so there's no e-mail injection vulnerability (unless the e-mail order is processed by a program rather than a human, in which case there are better ways of submitting orders than via e-mail). If there is an injection vulnerability in your site, it's not in the code you posted.

The best way of preventing SQL injection in PHP is to use the PDO driver and prepared statements. Prepared statement parameters aren't vulnerable to injection. Read "Writing MySQL Scripts with PHP and PDO".

If you're receiving spam from the form, you need some form of turing test, such as a captcha, to prevent bots from using it to spam you.

<br> isn't semantic (and should be self closed: <br/>); don't use it. A definition list is much more natural in this case;.

HTML Code:

<dl>
<dt>Product ID:</dt><dd>$productid</dd>
<dt>Sneaker Name:</dt><dd>$sneakername</dd>
...

You don't even have to write it all out:

PHP Code:

$fields = array('productid' => 'Product ID', 'shoesize' => 'Shoe Size', ...);

$message = "...
  <dl>" . array_combine(array_flip($fields), array_merge($fields, $_POST))
  . "</dl>..."; 


[focus]

wow nice post! Thanks alot mission!

[smithee]

Hmmm even I learnt something here, although I did get somewhat confused when the post was titled "SQL Injection"... you really know your stuff misson (with just the one "i")

[focus]

Out of curiosity is there anyway to find out the IP of the bot which did it?

ALso is there any reason someone would do something like that to a random site? or they just haven't got anything better to do? lol =S im failing to understand the motive (

[lemon-tree]

ALso is there any reason someone would do something like that to a random site? or they just haven't got anything better to do? lol =S im failing to understand the motive (

There's an awful lot of people on the internet who have no motive to do anything, they just take some sick pride in ruining everyone else's experience.
You probably won't be able to find the IP, even if you did they could probably just change their IP making your attempts a bit useless. The best solution is to learn from this and make sure your scripting is secure.

[callumacrae]

wow nice post! Thanks alot mission!

Misson, not Mission.

XD

~Callum

[misson]

Out of curiosity is there anyway to find out the IP of the bot which did it?

If there's anything in the access log, you could look for repeated IPs. However, the log is apparently disabled on free hosts. Also, if you were attacked by a botnet, there won't be a repeated IP. You might still be able to identify suspicious IPs by using a GeoIP service or using whois. If you have no customers in China or Russia but hundreds of IPs allocated to Chinese or Russian computers, those are probably the culprits.

ALso is there any reason someone would do something like that to a random site? or they just haven't got anything better to do? lol =S im failing to understand the motive (

Spam is about making money.