ESMB is back. Again.


Con te partirò
Again Ethercat to the rescue. What would we do without you? Seriously, you are gold.



Patron with Honors
You don't have register globals* turned on, do you, by any chance? That would be one other way they could alter the flow of the script and remove your to, depending upon quite how badly the script is written, e.g. if it's something like:

/* $to set to your wanted value up here somewhere */

// $debug not initialised anywhere in script, so $debug should always == (but not ===) false.
// However, all spammers need to do is stick a &debug=true into the request querystring or post data,
// and I think even possibly cookies as well, and bob's yer uncle, if register globals is on
if ($debug) {
    $to = $_POST['to'];
}

/* sends email here */

On normal php setups spammers couldn't exploit this bug because register globals is almost always turned off these days. But it doesn't have to be, particularly if you are using an old php.ini or one you set up to let a very old script run that relied on register globals.

*an infamously stupid "helpful" technology, pretty archaic by now and I think actually entirely removed from the latest versions of php but I dunno what server setup you're running
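
The flow described in the post above, next to a hardened version, as an added example that is not part of the original thread. Because register_globals no longer exists in current PHP, its effect is emulated with extract(); the function names, the fixed recipient and the sample request are assumptions made for the demonstration.

```php
<?php
// Added example. register_globals was removed in PHP 5.4, so its effect is
// emulated with extract() on a constructed request array.
const FIXED_TO = 'owner@example.org'; // hypothetical fixed recipient

// Emulation of register globals: every request key becomes a local variable.
// Pattern from the post: $debug is never initialised by the script itself.
function recipient_vulnerable(array $request, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($request);
    }
    $to = FIXED_TO;
    if (!empty($debug)) {               // only set if the request injected it
        $to = $request['to'] ?? $to;    // stands in for $_POST['to']
    }
    return $to;
}

// Hardened: initialise the flag in code and never read the recipient from input.
function recipient_hardened(array $request, bool $registerGlobals): string
{
    if ($registerGlobals) {
        extract($request);
    }
    $debug = false;                     // overwrites anything injected above
    $to = FIXED_TO;
    if ($debug) {
        error_log('debug: mail would go to ' . $to);
    }
    return $to;
}

// Deployment check: ini_get() returns false when the directive does not exist.
function register_globals_enabled(): bool
{
    $v = ini_get('register_globals');
    return $v !== false && in_array(strtolower($v), ['1', 'on', 'true', 'yes'], true);
}

// Constructed request matching the post's &debug=true case.
$request = ['debug' => 'true', 'to' => 'someone-else@example.net', 'body' => 'hi'];
foreach ([false, true] as $rg) {
    printf("register globals %s: vulnerable=%s hardened=%s\n", $rg ? 'on ' : 'off',
        recipient_vulnerable($request, $rg), recipient_hardened($request, $rg));
}
printf("register_globals on this server: %s\n", register_globals_enabled() ? 'ON' : 'off');
```

Only the vulnerable function with the emulation switched on returns the request-supplied address; the hardened one returns the fixed recipient in both cases.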