Posted by totalstranger on 08/29/06 09:49
On or about 8/29/2006 1:14 AM, it came to pass that onembk wrote:
> On 2006-08-28 17:07:49 -0600, jwhitley31NOSPAM@colo.edu (J W) said:
>
>> Hello,
>>
>> I am kind of a newb to php and could use some help. I have made a
>> form to email php page that uses the mail function to send me the
>> results of a form. The php portion looks like this:
>>
>> <?PHP
>> if ($submit) {
>> $Address = !empty($Address) ? $Address : 'NA';
>> $Address2 = !empty($Address2) ? $Address2 : 'NA';
>> $City = !empty($City) ? $City : 'NA';
>> $State = !empty($State) ? $State : 'NA';
>> $Country = !empty($Country) ? $Country : 'NA';
>> $Postal = !empty($Postal) ? $Postal : 'NA';
>> $Phone = !empty($Phone) ? $Phone : 'NA';
>> $Company = !empty($Company) ? $Company : 'NA';
>> $EmailNot = !empty($EmailNot) ? $EmailNot : 'NO';
>> $today = date("m/d/y"); mail("me@mydomain.com",
>> "Info on $Regarding",
>> "A User has submitted a Contact form on Mydomain.com
>> on $today
>> ================================================
>> Name: $FName $LName
>> Email: $Email
>> Address: $Address
>> $Address2
>> $City
>> $State
>> $Country
>> $Postal
>> Phone: $Phone
>> Company: $Company
>> Message: $Comment
>> Referer: $Referer
>> Opt-Out: $EmailNot",
>> "From: $FName $LName <$Email>");
>> header ("location: thanks.html");
>> } // end if they hit "Submit"
>> ?>
>>
>> Later on the page is the form itself (edited for brevity):
>>
>> <form name="contactinfo" method="post">
>> (various input areas)
>> </form>
>>
>> I know that as is this page isn't secure from a spammer exploiting it
>> for their own purposes. Can someone help me clean it up to protect
>> against that kind of thing? I believe the input data has to be
>> validated / scrubbed or something? I've been googling and while I
>> understand the concept I'm not quite getting how to do it within the
>> framework of what I have already created,
>>
>> Thanks much.
>
> You will need to verify that a hacker hasn't injected extra lines into
> your To/CC/BCC/From/Subject fields. Looking at your code above I'd be
> most concerned about the $Regarding variable as it could be used for
> this. Here is a simple example:
>
> if (stristr($Regarding, '\n') !== false
>     || stristr($Regarding, '\r') !== false
>     || stristr($Regarding, "\n") !== false
>     || stristr($Regarding, "\r") !== false
>     || stristr($Regarding, '%0A') !== false) {
>     die("hacker");
> }
>
> Note '\r' is the string \r while "\r" is a carriage return, "\n" means
> newline and '%0A' also creates a newline. If $Regarding was equal to
> "spam subject%0ABcc: someoneselse@somewhereelse.com" I could send
> someoneelse@somewhereelse.com some spam since everything after 'spam
> subject' is on a separate line. Email protocols would see this as a
> separate email header. This applies to any field a user has access to
> other than the actual body of the email.
>
> See http://www.w3schools.com/php/php_secure_mail.asp The example there
> is nicer than mine.
>
Here's the script I use to validate email addresses. Got it originally
someplace on the web and added code to do a DNS check.
<?php
// Returns true when $addr looks like local@domain and the domain
// publishes an MX record; false otherwise.
function IsEmailSyntaxValid($addr)
{
    // Require exactly one "@"; list() on a string without one would
    // leave $domain undefined.
    $parts = explode("@", $addr);
    if (count($parts) != 2)
        return false;
    list($local, $domain) = $parts;

    // Local part: runs of alphanumerics joined by "-", "_" or ".",
    // no leading dot and no two separators in a row.  The original
    // class was [-|_], which also admitted a literal "|"; the local
    // part must now be non-empty.  The "D" modifier stops "$" from
    // matching before a trailing newline, so "x@y.com\n" is rejected.
    $pattern_local =
        '/^([0-9a-z]+([-_]?[0-9a-z]+)*)(([-_]?)\.([-_]?)[0-9a-z]*([-_]?[0-9a-z]+)+)*([-_]?)$/iD';
    // Domain: dot-separated labels of alphanumerics and hyphens,
    // ending in a 2-4 letter top-level domain.
    $pattern_domain =
        '/^([0-9a-z]+([-]?[0-9a-z]+)*)(([-]?)\.([-]?)[0-9a-z]*([-]?[0-9a-z]+)+)*\.[a-z]{2,4}$/iD';

    // eregi() was removed in PHP 7; preg_match() with /i is the
    // case-insensitive equivalent.
    $match_local = preg_match($pattern_local, $local) === 1;
    $match_domain = preg_match($pattern_domain, $domain) === 1;

    if ($match_local && $match_domain && checkdnsrr($domain, 'MX'))
        return true;
    else
        return false;
}
?>
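To tie the two halves of the thread together, here is a hardened version of the form handler as an added example; it is not code from any of the posters. It assumes the form posts the same field names as the original script, that the destination address is the RECIPIENT constant below, and it uses its own simplified IsEmailSyntaxValid() (syntax only, no DNS lookup) in place of the one above. The header-injection check runs on the decoded field values that mail() would actually see, which is why it looks for real CR/LF bytes rather than the text "%0A".

```php
<?php
// Added example, not the original poster's code.  Assumed destination:
define('RECIPIENT', 'me@mydomain.com');

// True if $value could smuggle an extra header line into mail().  PHP has
// already URL-decoded $_POST, so a literal "%0A" is harmless text, but a
// raw "\r" or "\n" starts a new header line.
function has_header_injection($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Simplified stand-in for the thread's validator (syntax only).  The "D"
// modifier makes "$" refuse a trailing newline, which bare "$" in PCRE
// would otherwise accept.
function IsEmailSyntaxValid($addr)
{
    $parts = explode('@', $addr);
    if (count($parts) != 2)
        return false;
    list($local, $domain) = $parts;
    $ok_local  = preg_match('/^[0-9a-z]+([._-][0-9a-z]+)*$/iD', $local);
    $ok_domain = preg_match('/^([0-9a-z]+(-[0-9a-z]+)*\.)+[a-z]{2,}$/iD', $domain);
    return $ok_local === 1 && $ok_domain === 1;
}

// Validates a submission.  Returns array(subject, body, headers) on
// success, or a string describing the first problem found.
function build_contact_mail(array $post)
{
    $fields = array('FName', 'LName', 'Email', 'Regarding', 'Address',
                    'Address2', 'City', 'State', 'Country', 'Postal',
                    'Phone', 'Company', 'Comment', 'Referer', 'EmailNot');
    $f = array();
    foreach ($fields as $name)
        $f[$name] = isset($post[$name]) ? trim((string)$post[$name]) : '';

    // Anything that lands in a header line must be free of CR/LF.
    foreach (array('FName', 'LName', 'Email', 'Regarding') as $name)
        if (has_header_injection($f[$name]))
            return "rejected: line break in $name";

    if (!IsEmailSyntaxValid($f['Email']))
        return 'rejected: bad e-mail address';
    if ($f['Regarding'] === '' || strlen($f['Regarding']) > 100)
        return 'rejected: bad subject';

    foreach (array('Address', 'Address2', 'City', 'State', 'Country',
                   'Postal', 'Phone', 'Company') as $name)
        if ($f[$name] === '')
            $f[$name] = 'NA';
    if ($f['EmailNot'] === '')
        $f['EmailNot'] = 'NO';

    $subject = 'Info on ' . $f['Regarding'];
    $body = "A User has submitted a Contact form on Mydomain.com on "
          . date('m/d/y') . "\n"
          . "================================================\n"
          . "Name: {$f['FName']} {$f['LName']}\nEmail: {$f['Email']}\n"
          . "Address: {$f['Address']}\n{$f['Address2']}\n{$f['City']}\n"
          . "{$f['State']}\n{$f['Country']}\n{$f['Postal']}\n"
          . "Phone: {$f['Phone']}\nCompany: {$f['Company']}\n"
          . "Message: {$f['Comment']}\nReferer: {$f['Referer']}\n"
          . "Opt-Out: {$f['EmailNot']}\n";

    // From: is a fixed address we own; the visitor's address goes in
    // Reply-To, so the message is never sent as if it came from them.
    $headers = 'From: Contact form <' . RECIPIENT . ">\r\n"
             . 'Reply-To: ' . $f['Email'] . "\r\n";
    return array($subject, $body, $headers);
}

// Constructed sample submissions, not real data.
$good = array('FName' => 'Jane', 'LName' => 'Doe',
              'Email' => 'jane@example.com', 'Regarding' => 'pricing',
              'Comment' => 'Hello');
$evil = $good;
$evil['Regarding'] = "spam subject\nBcc: someoneelse@somewhereelse.com";

$r = build_contact_mail($good);
echo is_array($r) ? "accepted: " . $r[0] : $r, "\n";
echo build_contact_mail($evil), "\n";

// In the live handler, replace the samples with:
// $r = build_contact_mail($_POST);
// if (is_array($r)) {
//     mail(RECIPIENT, $r[0], $r[1], $r[2]);
//     header('Location: thanks.html');
//     exit;
// }
```

The body is left unchecked on purpose: as onembk says, line breaks in the body cannot create headers, so $Comment and the other body-only fields only need the usual length limits. The check on $FName, $LName and $Email matters just as much as the one on $Regarding, because the original script put all three into the From: header.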