ESMB is back. Again.

Emma

Con te partirò
Administrator
Again Ethercat to the rescue. What would we do without you? Seriously, you are gold.

Thank-You.jpg
 

suspiciousperson

Patron with Honors
You don't have register globals* turned on do you by any chance? That would be one other way they could alter the flow of the script and remove your to, depending upon quite how badly the script is written, e.g. if it's something like

PHP:
/* $to set to your wanted value up here somewhere */

if($debug){ //$debug not initialised anywhere in script so $debug should always == (but not ===) false. However, spammers need to do is stick a &debug=true into the request querystring or post data, and I think even possibly cookies as well, and bobs yer uncle, if register globals is on

$to = $_POST['to']

}

/* sends email here */

On normal php setups spammers couldn't exploit this bug because register globals is almost always turned off these days. But it doesn't have to be, particularly if you are using an old php.ini or one you setup to let a very old script run that relied on register globals.

*an infamously stupid "helpful" technology, pretty archaic by now and I think actually entirely removed from the latest versions of php but I dunno what server setup you're running
 
Top