doudaochu1699 2018-06-26 19:47
浏览 65
已采纳

我的服务器端PHP在reCaptcha(数百垃圾邮件)之后仍然被黑客入侵

My previous question on StackOverflow was about that someone was sending me hundreds of spam emails every few hours. Now, I fixed the script on the server side but the next morning I still got 30 emails or something and my hosting company gave me a new password to my FTP and moved my index files to a backup map(website offline), they said it was hacked because of the suspicious script below. They said "This often happens via a leaked script in your website, a script that is "out of date". What does that mean? They say in the email that there is something with this script file. Which is impossible to hack in right because I used reCaptcha on the server side, is there something missing?

<?php

if(isset($_POST['g-recaptcha-response'])){
      $captcha=$_POST['g-recaptcha-response'];


      }


/* OUTCOMMENTED CODE BELOW DOESN'T LET FORM SEND IF EVERYTHING IS CHECKED???? 


    if(!$captcha){
          echo '<h2>Check captcha .</h2>';
          exit;
        }*/



    $response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=(SECRETKEY)&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
            if($response.success==false)
            {
                echo '<span id="status" style="font-size:1vmax;color:red;">ReCaptcha ERROR</span>';
            }else
            {

        if( isset($_POST['n']) && isset($_POST['e']) && isset($_POST['mn']) && 

isset($_POST['m']) ){
        $n = $_POST['n']; // HINT: use preg_replace() to filter the data
        $e = $_POST['e'];
        $mn = $_POST['mn'];
        $m = nl2br($_POST['m']);
        $to = "gesternl@gester.nl"; 
        $from = $e;
        $subject = 'Contact Formulier-eng';
        $message = '<b>Naam:</b> '.$n.' <br><b>Email:</b> '.$e.' <br><b>Mobiel-nummer:</b> '.$mn.' <p>'.$m.'</p>';
        $headers = "Van: $from
";
        $headers .= 'MIME-Version: 1.0' . "
";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "
";
        if( mail($to, $subject, $message, $headers) ){
            echo "success";
        } else {
            echo "The server failed to send a message. Please try again later. Thank you!";
        }
    }
        }
    ?>

I just uploaded it again to see what is going to happen now. Can someone please help me make this file secure for a hacker. Nobody really helped in the previous question but only gave advice without code (and I am nooby).

(The outcommented code around line 8 doesn't work which i don't understand, does someone know why is that why someone can hack into it maybe?)

And yes the code in the HTML for recaptcha is well linked with the public key

  • 写回答

3条回答 默认 最新

  • doushou7169 2018-06-26 20:28
    关注
    1. You've to sanitizing user input as said @kevin Cai
    2. You've an error in line: if($response.success==false)

      $response=file_get_contents("......");
      
      $result = json_decode($response);
      
      if($result->success==false){
      
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题