Sending spam through my hosting.

[luckylouie]

Hi;

I had an email from my hosting company which said that my account was hacked and one script in images folder is trying to send thousands of spams(file name : "/public_html/images/sm5vy7.php"). they blocked my account and asked me to check if there is any script or code that may cause this problem.
The only server side page I had was a contact.php file that has mail() function in it. the code is like this;

"if( isset($_POST['submit'])) {
$name=$_POST['name'];
$comment=$_POST['comment'];
$email=$_POST['email'];
$phone=$_POST['phone'];
$to = "sample@gmail.com";
$subject = "sample";
$message = "sample";
$from = "$email";
$headers = "Content-type:text;charset=utf-8" . "\r\n";
$headers .= "From: $from" . "\r\n";
mail($to,$subject,$message,$headers);
}"

My question is "can the code I used cause any security problem that someone be able to create a php file in my images folder?"

Thank you in advance
I'm really in a big trouble

[egami]

Yes.
Because the $_POST['email'] is writing to your email headers, which will overwrite your $to.

[luckylouie]

Yes.
Because the $_POST['email'] is writing to your email headers, which will overwrite your $to.

thank you for your answer but I meant how that file could be created there?
my code couldn't create this. (/public_html/images/sm5vy7.php)

[egami]

you must have some kind of upload mechanism in your site somewhere, that doesn't check to make sure that it's just an image.