

Messages - ki0be

1
General discussion / Re: So, ready for WW3?
« on: September 01, 2013, 12:22:29 am »
British, don't care.

2
Hacking and Security / Re: Windows8 : Logon passwords stores in plain text.
« on: September 01, 2013, 12:17:49 am »
Do not get me started on the Windows OS. I'm running on Windows 7 at the minute and I can honestly say that it's the biggest piece of shit going. I'll post a thread on how to tighten your Windows security and link it here soon.

3
Hacking and Security / Re: Most secure email provider ?
« on: January 04, 2013, 10:10:32 am »
I've heard that Google scan all e-mails for keywords, if something interesting should pop up, they intervene.

I'm not much of a conspiracy guy, but this is quite interesting.

http://www.disclose.tv/action/viewvideo/64466/googles_dark_side___google_conspiracy/

This video can also be found on YouTube.

4
Web Oriented Coding / Secure Forms [Spam]
« on: January 04, 2013, 09:58:06 am »
Well, I work at a Web Solutions company and our server has been sending out a lot of spam and we're getting a lot of requests from Chinese web servers. This has led me to believe that our contact forms are being injected. I've written some PHP that will only allow the email to be sent if certain conditions are met - here is the code.

(form-check.php - include) Generates a random key and saves it in a session variable.
Code:
```php
<?php
session_start();

// Build a key of $length distinct characters drawn from $possible and return its MD5.
function generateKybit($length = 40) {
    $bitkey = "";
    $possible = '123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"£$%^&*()';
    // Note: strlen()/substr() count bytes, so the multi-byte '£' can yield a partial character.
    $maxlength = strlen($possible);

    // There are only $maxlength distinct characters available, so clamp the request.
    if ($length > $maxlength) {
        $length = $maxlength;
    }
    $i = 0;

    // Keep drawing until $length characters have been collected, skipping repeats.
    while ($i < $length) {
        $char = substr($possible, mt_rand(0, $maxlength - 1), 1);
        if (!strstr($bitkey, $char)) {
            $bitkey .= $char;
            $i++;
        }
    }
    return md5($bitkey);
}

// Store the one-time key in the session for do-send.php to check against.
$_SESSION['kybit'] = generateKybit();
?>
```

(do-send.php - action of form | post)

Code:
```php
<?php
session_start();
$sendto = "info@you.com";
$details = array(htmlentities($_POST['name']), $_POST['email'], htmlentities($_POST['phone']));
$message = "A person has tried to contact you via your website.\nName: " . $details[0]
         . "\nNumber: " . $details[2] . "\nEmail: " . $details[1];

// If no key was issued (form-check.php was never included), fall back to a small random number.
if (!isset($_SESSION['kybit'])) {
    $_SESSION['kybit'] = rand(5, 40);
}
$kybit['server'] = $_SESSION['kybit'];                     // key issued by form-check.php
$kybit['client'] = isset($_GET['ky']) ? $_GET['ky'] : '';   // key sent back by the browser

// Compare as strings with ===; PHP's loose == treats numeric-looking strings as numbers.
if ((string) $kybit['server'] === (string) $kybit['client']) {
    if (!filter_var($details[1], FILTER_VALIDATE_EMAIL)) {
        exit("<div style='font-family:Arial;background-color:#FF7A7A;border:solid 5px #C90000;padding:20px;width:170px;margin:0 auto;'><p><strong>E-mail is not valid.<br/> <a href='index.php'> &laquo; Go Back</a></strong></p></div>");
    }
    mail($sendto, 'Website Enquiry', $message);
    // Replace the used key so the same token cannot be submitted twice.
    $_SESSION['kybit'] = rand(5, 40);
    echo "<div style='font-family:Arial;background-color:#A6FFA7;border:solid 5px #007A02;padding:20px;width:170px;margin:0 auto;'><p><strong>Email Sent!<br/> <a href='index.php'> &laquo; Go Back</a></strong></p></div>";
} else {
    echo "<div style='font-family:Arial;background-color:#FF7A7A;border:solid 5px #C90000;padding:20px;width:170px;margin:0 auto;'><p><strong>Invalid Security Token</strong></p></div>";
}
?>
```


If the md5 attached via GET matches the md5 sent via POST then the e-mail sends.  If not, it returns an error and does not send the e-mail.  The keys are unique and can only be used once.

Have I wasted my time doing this and if so, is there a quicker alternative to securing forms?  I have considered implementing captcha fields into my forms, but with just shy of 1,000 customers - it's a bit too much hassle (playing with public/private keys, etc.)
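The one-time form token described in the post above, rebuilt with current PHP primitives, as an added example that is not ki0be's code: the token comes from random_bytes() rather than mt_rand(), travels in a hidden POST field instead of a GET parameter, is removed from the session before it is compared (so a second submission of the same token fails), is compared with hash_equals() rather than ==, and is rejected outright when no token was issued instead of being replaced with rand(). The cleanEmail() helper also refuses CR/LF in the reply address, because that value ends up in mail() headers. The example runs from the CLI with a plain array standing in for $_SESSION; the session key name, the 30-minute lifetime, the field name 'token', the helper names and the constructed inputs are all assumptions.

```php
<?php
// Added example (not ki0be's code): one-time form token with modern PHP primitives.
// Runs from the CLI; $session below is a plain array standing in for $_SESSION.
declare(strict_types=1);

const TOKEN_KEY = 'form_token';   // session key name (assumption)
const TOKEN_TTL = 1800;           // seconds a token stays valid (assumption)

// Issue a fresh token: 32 bytes from the CSPRNG, hex-encoded, with an issue timestamp.
function issueToken(array &$session): string {
    $token = bin2hex(random_bytes(32));          // random_bytes(), not mt_rand()
    $session[TOKEN_KEY] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Verify a submitted token and consume it so it cannot be replayed.
function consumeToken(array &$session, ?string $submitted): bool {
    if (!isset($session[TOKEN_KEY]['value'], $session[TOKEN_KEY]['issued'])) {
        return false;                            // nothing issued: reject, never "repair" with rand()
    }
    $stored = $session[TOKEN_KEY];
    unset($session[TOKEN_KEY]);                  // one-time use: drop it before comparing
    if ($submitted === null || time() - $stored['issued'] > TOKEN_TTL) {
        return false;                            // missing or expired
    }
    return hash_equals($stored['value'], $submitted);  // constant-time, strict string compare
}

// Render the hidden field that carries the token in the POST body (not the URL).
function hiddenField(string $token): string {
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Header-injection guard for the reply address: one valid address, no CR/LF.
function cleanEmail(string $raw): ?string {
    $raw = trim($raw);
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_EMAIL) ?: null;
}

// --- demo with a constructed session and constructed form submissions ---
$session = [];
$t = issueToken($session);
echo hiddenField($t), "\n";

var_dump(consumeToken($session, $t));                   // bool(true):  first use
var_dump(consumeToken($session, $t));                   // bool(false): replay of a consumed token
$t2 = issueToken($session);
var_dump(consumeToken($session, strtoupper($t2)));      // bool(false): altered token (and consumed)
var_dump(consumeToken($session, '17'));                 // bool(false): nothing issued, guessing fails
var_dump(cleanEmail("bob@example.com\r\nBcc: spam@example.net"));  // NULL: header injection attempt
var_dump(cleanEmail('bob@example.com'));                // string(15) "bob@example.com"
```

Wiring it into the posted scripts: form-check.php would call issueToken($_SESSION) and echo hiddenField() inside the form, and do-send.php would gate mail() on consumeToken($_SESSION, $_POST['token'] ?? null) and on cleanEmail($_POST['email']) returning a non-null address.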

