Posted by J.O. Aho on 03/26/07 17:44
Brian wrote:
> Thanks for all your help, you were the only one that didn't seem to go
> off on one. I didn't want to post up loads of code as I have been told
> off for doing that before, but as it's been asked for please see below.
You can always post a link, like www.example.net/myscript.txt
When making such a copy, just remember to remove logins and passwords for
databases.
> Below I have put both blocks of code, 1 generates the random
> image and sets the session ID, that other processes the form, what I
> would like to know is how secure are they, can somebody hack it and
> send out spam via my site?
Looking at the image generator, it seems to be okay, not leaking the random value.
Your validation script seems to be ok too, but there are some things I would have
done a bit differently. When checking if a variable is empty, you can use
empty(), and using it together with an isset() can save you from some confusing
error messages. I don't think it's good practice to use '<>' when you can use '!='.
> Lastly can they auto submit to the process script via their own script or
> are the problems I am having being done by a human testing the scripts
> security?
> I was under the impression because the way the random image works they
> would have to be viewing the site in a browser to see the image to know what
> to paste over?
I haven't seen the image you generate; if it's too clear, there is software
that can read the text and then use the value in the form (posting form values
can be done automatically, just look at wget).
A stupid question, did you remove your old script?
> if ($error_msg == '' ) {
> $to = strtolower("$to_name <$to_email>\n");
> $from = strtolower("From: $from_name <$from_email>");
> $headers = "MIME-Version: 1.0\n";
> $headers .= "Content-type: text/html; charset=iso-8859-1\n";
> $headers .= $from."\n";
> if ($cc_email <> '') {
> $headers .= strtolower("cc: $cc_name <$cc_email>\n");
> }
Even though this has nothing to do with your problem, your header isn't following the
RFC: Cc: and Bcc: should have a capital letter and header lines should be
separated with \r\n. You don't need to add that to the last line in the
header; mail() fixes it for you. Malformed headers could lead to
your mail being tagged as spam.
--
//Aho
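As an added illustration (not code from either poster), below is a hardened version of the form-processing step Brian quoted, written the way the reply above suggests: empty()/isset() checks, '!=' instead of '<>', capitalised Cc:, and CRLF between header lines. It also rejects any name or address that contains a line break, which is the usual way a form-to-mail script gets turned into a spam relay. The $_POST field names, the session key 'captcha' that the image generator is assumed to set, and the fixed subject line are all assumptions for the example.

```php
<?php
// Added example, not from the original thread. Assumes the CAPTCHA image
// generator stored its random value in $_SESSION['captcha'] and that the
// form posts to_name, to_email, from_name, from_email, message and
// optionally cc_name / cc_email (all assumed field names).
session_start();

// Any name or address carrying CR, LF or NUL could smuggle extra header
// lines (Bcc:, a second To:, ...) into mail(). Treat it as an error rather
// than trying to clean it up.
function clean_header_field(string $value, int $max_len = 100): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max_len) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Address must survive the header check and be a syntactically valid e-mail.
function clean_email(string $value): ?string
{
    $value = clean_header_field($value);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return strtolower($value);
}

// One-time CAPTCHA check: the session value is consumed whether or not it
// matched, so a correct guess cannot be replayed for a batch of submissions.
function captcha_ok(array $post, array &$session): bool
{
    if (!isset($session['captcha'], $post['captcha'])) {
        return false;
    }
    $expected = (string) $session['captcha'];
    unset($session['captcha']);
    return hash_equals($expected, (string) $post['captcha']);
}

// Header block as the reply describes it: capitalised field names, CRLF
// between lines, no separator after the last line.
function build_headers(string $from_name, string $from_email,
                       ?string $cc_name, ?string $cc_email): string
{
    $lines = [
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=iso-8859-1',
        "From: $from_name <$from_email>",
    ];
    if ($cc_email !== null) {
        $lines[] = 'Cc: ' . ($cc_name !== null ? "$cc_name " : '') . "<$cc_email>";
    }
    return implode("\r\n", $lines);
}

$errors = [];
if (!captcha_ok($_POST, $_SESSION)) {
    $errors[] = 'The code from the image did not match.';
}

// empty() tolerates a missing index, so no "undefined index" notice here.
foreach (['to_name', 'to_email', 'from_name', 'from_email', 'message'] as $field) {
    if (empty($_POST[$field])) {
        $errors[] = "Missing field: $field";
    }
}

if ($errors == []) {
    $to_name    = clean_header_field($_POST['to_name']);
    $to_email   = clean_email($_POST['to_email']);
    $from_name  = clean_header_field($_POST['from_name']);
    $from_email = clean_email($_POST['from_email']);
    $cc_given   = !empty($_POST['cc_email']);
    $cc_name    = !empty($_POST['cc_name']) ? clean_header_field($_POST['cc_name']) : null;
    $cc_email   = $cc_given ? clean_email($_POST['cc_email']) : null;

    if ($to_name === null || $to_email === null || $from_name === null || $from_email === null) {
        $errors[] = 'A name or address was empty, too long, or contained line breaks.';
    } elseif ($cc_given && $cc_email === null) {
        $errors[] = 'The Cc address is invalid.';
    }
}

if ($errors == []) {
    $headers = build_headers($from_name, $from_email, $cc_name, $cc_email);
    $subject = 'Message from the web form';   // fixed: nothing user-controlled in it
    $body    = nl2br(htmlspecialchars($_POST['message'], ENT_QUOTES, 'ISO-8859-1'));
    // The recipient still comes from the form, as in the quoted script; a fixed
    // recipient list would be the stronger fix against relaying.
    mail("$to_name <$to_email>", $subject, $body, $headers);
    echo 'Message sent.';
} else {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'ISO-8859-1'), "<br>";
    }
}
```

The line-break check is the part that matters most for the "can somebody send out spam via my site" question: as long as no user-controlled value can carry a CR or LF into the header block, the only headers mail() sends are the ones the script builds itself. One caveat on the separator: PHP's own documentation recommends CRLF between extra headers, but notes that some Unix MTAs expect a bare LF, so check what the mail server on the host actually accepts.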