Unknown security vulnerability in my PHP mail script - Fatal编程技术网

I have a mail script that keeps being used to attack my website and to upload code that the attacker then uses to spread more code. Below is a version of the script. What am I doing wrong? Please help me. Every mail script, even the ones I wrote for plugins, will use this code. Thanks.

<?php 

$sendto  = "email@email.com";
$subject = "Message from My Website";
$SpamReplaceText = "*"; //this is what will be used to replace unallowed characters in a message

$fullname = filter_var($_POST['fullname'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$telephone = filter_var($_POST['telephone'], FILTER_SANITIZE_NUMBER_INT);
$eventdate = filter_var($_POST['eventdate'], FILTER_SANITIZE_STRING);
$message = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
$headers = "From: \"$fullname\" <$email>\n";
$headers .= "MIME-Version: 1.0\n"
                 . "Content-Transfer-Encoding: 7bit\n"
                 . "Content-type: text/html;  charset = \"iso-8859-1\";\n\n";

$URL = "index.php?place=contact";
$URLQuery = "n=".urlencode(stripslashes($fullname))."&e=".urlencode(stripslashes($email))."&m=".urlencode(stripslashes($message))."&evt=".urlencode($eventdate)."&t=".urlencode($telephone);

if (empty($fullname) || empty($email) || empty($telephone) || empty($message)) {
    header("location: $URL&err=4&".$URLQuery);
    exit;
}

// Check the email address entered matches the standard email address format
if (!eregi("^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$", $email)) { 
    header("location: $URL&err=1&".$URLQuery);
    exit;
}

// Check for website URLs in the form input boxes: if we block website URLs from the form,
// then this will stop the spammers wasting time sending emails
if (preg_match("/http/i", "$fullname")) {header("location: $URL&err=3&".$URLQuery); exit;} 
if (preg_match("/http/i", "$email")) {header("location: $URL&err=3&".$URLQuery); exit;} 
if (preg_match("/http/i", "$message")) {header("location: $URL&err=3&".$URLQuery); exit;}
if (preg_match("/http/i", "$telephone")) {header("location: $URL&err=3&".$URLQuery); exit;}
if (preg_match("/http/i", "$eventdate")) {header("location: $URL&err=3&".$URLQuery); exit;}

// Pattern match search to strip out the invalid characters; this prevents the mail injection spammer
$pattern = '/(;|\||`|>|<|&|\^|"|'."\n|\r|'".'|{|}|\[|\]|\)|\()/i'; // build the pattern match string (^, [ and ] escaped so they match literally instead of acting as an anchor and a character class)
$fullname = preg_replace($pattern, "", $fullname); 
$email = preg_replace($pattern, "", $email); 
$message = preg_replace($pattern, "", $message); 
$telephone = preg_replace($pattern, "", $telephone);
$eventdate = preg_replace($pattern, "", $eventdate);

// Check for the injected headers from the spammer attempt 
// This will replace the injection attempt text with the string you have set in the above config section
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i"); 
$email = preg_replace($find, "$SpamReplaceText", $email); 
$fullname = preg_replace($find, "$SpamReplaceText", $fullname); 
$message = preg_replace($find, "$SpamReplaceText", $message); 
$telephone = preg_replace($find, "$SpamReplaceText", $telephone);
$eventdate = preg_replace($find, "$SpamReplaceText", $eventdate);

// Build the email body text
$emailcontent = " 
    ----------------------------------------------------------------------------- <br>
        <b>MESSAGE FROM My Website</b><br>
    ----------------------------------------------------------------------------- <br>
    <b>Name:</b> $fullname <br><br>
    <b>Email:</b> $email <br><br>
    <b>Telephone:</b> $telephone <br><br>
    <b>Event Date:</b> $eventdate <br><br>
    <b>Message:</b> $message 
    <br><br>
    _______________________________________ <br>
    End of Email"; 

// Sends out the email or will output the error message 
if (mail($sendto, $subject, $emailcontent, $headers)) { 
    header("location: $URL&confirm=1");
    exit;
}
else {
    header("location: $URL&err=2&".$URLQuery);
    exit;
}

What makes you think this script is vulnerable? eregi? If you are using functions that were deprecated/abandoned back in the stone age, the rest of your code is probably deprecated/abandoned too... Also, in what way is the script being compromised? Does it just send unwanted mail? Or is it being used to expose database or filesystem information? What exactly makes this script vulnerable? Finally, I'd suggest you use PHP Mailer or another mail library; these libraries provide a better programming interface and also simplify validation.
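As an added example (not the poster's script or the commenter's code): in the script above, $headers is assembled from $fullname and $email near the top, before the newline stripping and the bcc:/cc:/to: replacement further down, so a field containing a line break reaches mail() inside the header block unchanged. The function below is a hardened version of just that header step: it rejects any header-bound field containing CR or LF before any header text exists, validates the address with filter_var instead of the deprecated eregi, and keeps visitor input out of From: entirely. The $sendto value is the placeholder address from the original script; the sample inputs are constructed.

```php
<?php
// Added example, not the poster's code: header construction that a
// visitor-supplied line break cannot extend into extra headers.

$sendto = "email@email.com"; // placeholder address from the original script

// True if the value contains a carriage return or line feed, which is what
// lets one form field turn into several mail headers.
function hasCrLf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the header block, or null if the submission must be rejected.
// Validation happens here, before any header text exists, rather than
// stripping characters out of a header that was already assembled.
function buildSafeHeaders(string $fullname, string $email, string $sendto): ?string
{
    if (hasCrLf($fullname) || hasCrLf($email)) {
        return null;
    }
    // Validate the whole address; this replaces the deprecated eregi() check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // From: is our own fixed address; the visitor's address goes in Reply-To:
    // so a reply still reaches them, but nothing they typed can set the sender.
    // The visitor's name belongs in the body, not in a header.
    $headers  = "From: Website Contact Form <$sendto>\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";
    return $headers;
}

// Constructed sample inputs: a normal submission and one carrying a line break
// of the kind the original script's bcc: filter was trying to catch.
$clean    = buildSafeHeaders("Jane Doe", "jane@example.com", $sendto);
$injected = buildSafeHeaders("Jane Doe\r\nBcc: other@example.com", "jane@example.com", $sendto);

var_dump($clean !== null);    // accepted: safe to pass to mail()
var_dump($injected === null); // rejected before mail() is ever called

// In the real form handler: when buildSafeHeaders() returns null, redirect to
// the error page exactly as the original does for err=1 and never call mail().
```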