Category: ‘PHP’


Posted on February 13th, 2014

Connecting to Another MySQL Database With WordPress

A recent project required that I access data from a separate database in a custom WordPress page template. The data also needed to be retrieved before the opening <html> tag. By opening another database connection there, WordPress threw a fit and failed to load the page’s menus. After hours of troubleshooting and searching for answers on countless forums, I finally found a solution…



Posted on January 13th, 2006

Using PHP on Pages with HTML Extensions

Recently I wanted to use PHP includes in an existing site so I could update common parts of the site (e.g. header, navigation, footer) faster by editing one file. The problem was that the site was designed with all pages ending in .html. Of course I could have renamed all the pages to .php, but the site has very good search engine rankings, and many other sites already link to these .html pages. After a little research, I found the solution to be the .htaccess file.

Since pages without a .php extension will not be parsed by PHP by default on most web servers, you need to tell the server to treat all HTML pages as PHP pages. You do this by adding a line to the .htaccess file located in your site’s root directory (or by creating a .htaccess file there with a text editor). Just add:

AddType application/x-httpd-php .php .html .htm

Note: .htaccess files need to be placed in each directory that will make use of PHP in .html pages.

Update: If you get a 500 Internal Server Error, try:

AddHandler application/x-httpd-php .php .html .htm

Posted on September 13th, 2005

PHP Mail Form Email Injection Hijack

Spam is one thing, but hijacking form mail scripts and spoofing other people’s domains and email is downright wrong. We need tough(er) penalties against these guys.

Lately my customers and I had been receiving hundreds of emails sent from the forms on our sites. All form fields were filled out with email addresses from the domain the form was sent from. After checking the headers it was found that most had a BCC address of jrubin3546@aol.com.

After a little research, and a heads-up from a fellow website designer in my area, it looks like this automated hijack is going to become a very big and widespread problem.

Hijack Overview

The “attacker” sends an automated bot to exploit unchecked fields in contact forms. It works by assuming a field used in an email header (e.g. “From:” or “Subject:”) is passed unchecked to the mail subsystem. Appending newline characters followed by more header lines with a BCC list and a spam message body can trick the underlying mail system into relaying spam messages. Currently it seems to be just fishing for vulnerable scripts by sending test emails via Bcc.

Current List of Bcc Recipients (in alphabetical order):

The Fix?

It seems that checking every field that is used directly in an email header for carriage return (\r) and newline (\n) characters resolves the problem. Note that every POST variable ($_POST['var']) that ends up in a header must be checked, not just some of them:

// Concatenate every POST field that ends up in a mail header and refuse the
// request if it contains a carriage return, a newline, or an injected header
// name. (The original post used eregi(), which was removed in PHP 7; preg_match()
// is the equivalent. The backslashes in "\r" and "\n" are essential.)
$fields = $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'];
if (preg_match("/\r/", $fields)) { die("SPAM Injection Error :("); }
if (preg_match("/\n/", $fields)) { die("SPAM Injection Error :("); }
if (preg_match("/Content-Transfer-Encoding/i", $fields)) { die("SPAM Injection Error :("); }

For even more protection add:

// Same $fields string as above; these catch attempts to inject a MIME body.
if (preg_match("/MIME-Version/i", $fields)) { die("SPAM Injection Error :("); }
if (preg_match("/Content-Type/i", $fields)) { die("SPAM Injection Error :("); }
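As an added example (not code from the original post), here is the same protection collected into one validator that is applied per field rather than repeated once per header keyword; the function names and the sample form fields are hypothetical.

```php
<?php
// Added example: validate every form field that will be placed in a mail header.
// Function names (is_safe_header_value, check_mail_form) and field names are hypothetical.

/**
 * Return true only if $value can safely occupy a single mail header line:
 * no CR, LF or NUL (which would start a new header), and no value that itself
 * starts with one of the header names abused in the hijack described above.
 */
function is_safe_header_value(string $value, int $maxLen = 200): bool
{
    if (strlen($value) > $maxLen) {
        return false;
    }
    // Any CR, LF or NUL lets a submitter append Bcc:, Content-Type:, etc.
    if (preg_match('/[\r\n\x00]/', $value)) {
        return false;
    }
    // Reject values that look like a header line on their own
    if (preg_match('/^\s*(bcc|cc|to|content-type|content-transfer-encoding|mime-version)\s*:/i', $value)) {
        return false;
    }
    return true;
}

/** Check the named header fields of a submission; return the names that failed. */
function check_mail_form(array $post, array $headerFields): array
{
    $bad = [];
    foreach ($headerFields as $name) {
        if (!is_safe_header_value($post[$name] ?? '')) {
            $bad[] = $name;
        }
    }
    // The sender address must additionally be one syntactically valid address
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $bad[] = 'email';
    }
    return array_values(array_unique($bad));
}

// Constructed sample submissions: a normal one and one carrying the injected Bcc line
// the post describes. In a real handler $_POST would be passed instead.
$clean    = ['name' => 'Jane Doe', 'email' => 'jane@example.invalid', 'subject' => 'Quote request'];
$injected = ['name' => 'Jane Doe', 'email' => 'jane@example.invalid',
             'subject' => "Hello\r\nBcc: list@example.invalid"];

var_dump(check_mail_form($clean, ['name', 'email', 'subject']));
var_dump(check_mail_form($injected, ['name', 'email', 'subject']));
```

A form handler would call check_mail_form() before mail() and refuse the submission whenever the returned array is non-empty, so that no unchecked field ever reaches a header.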

More Information

Crack Attempt to Relay Spam