Cantillon Music


How to stop hackers abusing forms with PHP

As already outlined, it is possible for a hacker to hijack a form on your web site and use it to send mail to others AS IF IT ORIGINATED FROM YOUR WEB SITE.  Not only does it look like you are sending spam, you can also receive a flood of bounces and complaints that could in turn clog up your mail server.

The most basic way of achieving this is to use the PHP server variable $_SERVER['HTTP_REFERER'].  This variable contains the URL of the page from which your PHP script was called.  If it is NOT the page that contains your form, then someone is submitting the form from somewhere else.  Bear in mind that the Referer header is supplied by the client: a script can set it to anything, and some browsers and privacy settings omit it altogether, so this check stops casual abuse rather than a determined attacker, and it may turn away the occasional genuine visitor whose browser sends no Referer.

EXAMPLE:

<?php
// Use isset() so a missing Referer does not raise a notice; a missing
// header is treated the same as a wrong one.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if ($referer != 'http://nameofyourpage.html') {   // replace with the full URL of your form page
    // Do NOT send a message.
} else {
    // DO send the message.
}
?>
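The same check written out as working PHP, added here as an illustration and not taken from this site's own form script.  It assumes a form page at www.example.com/contact.html (a placeholder host and path) and compares the Referer's host and path rather than the whole string, so an https link to the same page or a query string does not cause a false reject.  Run from the command line it exercises some constructed sample values; served by a web server it acts as the gate in front of the mail-sending code.

```php
<?php
// Added example, not the original page's code. The host and path below are
// placeholders: set them to the page that actually carries your form.
const FORM_HOST = 'www.example.com';
const FORM_PATH = '/contact.html';

// Returns true when the Referer points at the form page itself.
// Comparing host and path (not the raw string) avoids false rejects when
// the browser sends https instead of http, or appends a query string.
function referer_is_form_page($referer)
{
    // Some browsers and privacy settings send no Referer at all, and a
    // script can set it to anything, so this is a weak filter: it stops
    // casual abuse, not a determined attacker.
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    $path = isset($parts['path']) ? $parts['path'] : '/';
    return $host === FORM_HOST && $path === FORM_PATH;
}

if (PHP_SAPI === 'cli') {
    // Run from the command line: constructed sample values (not real
    // traffic) showing which referers the check accepts.
    $samples = array(
        'http://www.example.com/contact.html'          => true,
        'https://www.example.com/contact.html?lang=en' => true,   // scheme and query ignored
        'http://www.example.com/'                      => false,  // same host, wrong page
        'http://evil.example.net/contact.html'         => false,  // other host
        ''                                             => false,  // header absent
    );
    foreach ($samples as $referer => $expected) {
        $label = $referer === '' ? '(no Referer)' : $referer;
        printf("%-48s %s\n", $label,
            referer_is_form_page($referer) === $expected ? 'ok' : 'MISMATCH');
    }
} else {
    // Serving a real form submission: reject anything not sent from the
    // form page, with a generic message that does not say which check failed.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if (!referer_is_form_page($referer)) {
        http_response_code(403);
        exit('Form submission rejected.');
    }
    // ... build and send the message here ...
}
```

Keep the rejection message generic: telling a sender which rule caught them only helps them work around it.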

 

The above method has been very effective on this web site, reducing spam to barely a trickle.  The trickle came from people who were prepared to sit there with the page loaded, fill the form out (I guess with cut and paste) and then send the form to me.

It was remarkably easy to remove the remaining spam completely by looking at the content of the spam: either they all used a small number of domain names (like those ending in .INFO; I have never received a genuine message from anyone using an INFO domain suffix, so any mention of an INFO domain is also rejected), or they repeat the URL in the title, or they try to embed HTML in the body of the message.

Each of these is simple enough to counter with PHP "if" statements and a few string functions applied to the submitted fields.  Whatever you filter on, look at what gets rejected now and then, since a rule as broad as a whole domain suffix can also catch a genuine visitor.  A great source for learning PHP can be found at http://us2.php.net/manual/en/index.php or http://webtoman.com/opera/panel/php_reference.html
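The content checks described above, collected in one PHP function so each rule is explicit and easy to adjust.  This is an added illustration, not the script this site runs; the blocked suffix list, the sample messages and the sender addresses are made up for the example.  It also adds one check the page does not mention: rejecting newlines in any field that ends up in a mail header, since an injected line is how a form handler can be made to address mail to third parties.

```php
<?php
// Added example, not the original page's code. Rules and sample data are
// constructed for illustration; tune the lists to the spam you receive.

// Domain suffixes rejected outright, as the page author does for .info.
// Blocking a whole TLD is a blunt rule: keep the list short.
$blocked_suffixes = array('.info');

// Returns a short reason string when the message should be rejected,
// or null when it may be delivered.
function reject_reason(array $msg, array $blocked_suffixes)
{
    $subject = isset($msg['subject']) ? $msg['subject'] : '';
    $body    = isset($msg['body'])    ? $msg['body']    : '';
    $email   = isset($msg['email'])   ? $msg['email']   : '';

    // A newline in a value that is copied into a mail header lets the
    // sender append their own To:/Bcc: lines. Check every header-bound field.
    foreach (array($subject, $email) as $header_field) {
        if (preg_match('/[\r\n]/', $header_field)) {
            return 'newline in header field';
        }
    }

    // 1. Any mention of a blocked domain suffix anywhere in the message.
    //    Requires a literal dot before the suffix and a word boundary after
    //    it, so "information" is not matched.
    $text = strtolower($subject . ' ' . $body . ' ' . $email);
    foreach ($blocked_suffixes as $suffix) {
        if (preg_match('/[a-z0-9-]' . preg_quote($suffix, '/') . '\b/', $text)) {
            return 'blocked domain suffix ' . $suffix;
        }
    }

    // 2. A URL in the title (subject line).
    if (preg_match('#(https?://|www\.)\S+#i', $subject)) {
        return 'URL in subject';
    }

    // 3. HTML tags embedded in the body.
    if (preg_match('/<\s*\/?\s*[a-z][a-z0-9]*[^>]*>/i', $body)) {
        return 'HTML in body';
    }

    return null;
}

// Constructed sample messages (not real spam, not real senders):
$samples = array(
    array('email' => 'alice@example.com', 'subject' => 'Booking a gig',
          'body' => 'Are you free on the 12th?'),
    array('email' => 'promo@example.info', 'subject' => 'Great offer',
          'body' => 'See our site'),
    array('email' => 'bob@example.com', 'subject' => 'www.example.org cheap',
          'body' => 'hi'),
    array('email' => 'carol@example.com', 'subject' => 'hello',
          'body' => 'Visit <a href="http://example.org">here</a>'),
    array('email' => "dave@example.com\r\nBcc: victim@example.net",
          'subject' => 'hi', 'body' => 'hi'),
);
foreach ($samples as $i => $msg) {
    $reason = reject_reason($msg, $blocked_suffixes);
    printf("message %d: %s\n", $i + 1,
        $reason === null ? 'deliver' : 'reject (' . $reason . ')');
}
```

Only the first sample is delivered; the other four each trip exactly one rule.  In a real handler, call reject_reason() before mail() and log the reason for your own review rather than showing it to the sender.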
