Re: Security Question

Posted by Darko on 11/21/07 03:07

On Nov 20, 11:34 pm, ll...@harold.invalid (Lloyd Harold) wrote:
> I've noticed that the following HTML form and PHP script are being used
> on a site to which I contribute.
>
> Do they pose a security risk?
>
> The HTML Form
>
> <form name="FormName" method="POST" action="formprocess.php">
>
> Name <input type="text" name="name">
> Email<input type="text" name="email">
>
> <input type="SUBMIT" name="submit" value="OK">
> </form>
>
> The PHP (formprocess.php)
>
> $email = $HTTP_POST_VARS[email];
> $mailto = "em...@domain.com";
> $mailsubj = "Email Subject";
> $mailhead = "From: $email\n";
>
> reset ($HTTP_POST_VARS);
>
> $mailbody = "Values submitted from web site form:\n";
>
> while (list ($key, $val) = each ($HTTP_POST_VARS))
> { $mailbody .= "$key : $val\n"; }
>
> if (!eregi("\n",$HTTP_POST_VARS[email]))
> { mail($mailto, $mailsubj, $mailbody, $mailhead); }

One should have access to the mail() function source to conclude whether this is a security issue or not. Maybe php.net has some advice on its usage?

I'm thinking about the mail protocol, and it's pretty fragile:
From x@y.z
to: ...
from: ...
reply-to: ...
........
........
<empty line>
From m@n.o
to: ...

etc. So, one could trick it by sending another "From ..." after a newline, where it's not supposed to be (as the "From" is usually escaped in the mail text block if it's at the beginning of a line), but I doubt the PHP mail function isn't doing that already. That'd be too simple.

I don't know. I have a few other remarks, though, about your code:
- don't use $HTTP_POST_VARS, it's deprecated; use $_POST instead
- don't use $array[email], use $array["email"]. When PHP encounters such a thing as an array index, it first tries to find a constant named email, and if it can't, it assumes it was supposed to be in between quotes ("email") and uses it as such. This is not recommended, however, since sometimes the index can match a constant's name and you will have a headache finding the bug.

Regards
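The injection Darko describes, a second header smuggled after a line break, is what the quoted script's eregi("\n") test is guarding against. Below is an added example, not code from either poster, of how the same formprocess.php can be written so that the From header cannot be extended with extra lines. It also applies Darko's two remarks ($_POST and quoted array keys) and replaces eregi(), which no longer exists in current PHP, with preg_match(). The recipient address, the field names and the two sample submissions are assumptions chosen for illustration; the real script would read $_POST instead of the constructed arrays.

```php
<?php
// Added example (not from the original post): a hardened rewrite of the
// quoted formprocess.php. The recipient address, field names and sample
// submissions below are assumptions made for illustration.

// Reject any value that could start a new header line. The original script
// only tested for "\n"; mail header lines are terminated by CRLF, so a bare
// "\r" is rejected here as well.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Build the mail headers and body from the submitted fields.
// Returns null when the address is malformed or carries line breaks,
// so that mail() is never reached with attacker-controlled headers.
function buildMessage(array $post): ?array
{
    $email = $post['email'] ?? '';
    if (hasHeaderInjection($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $body = "Values submitted from web site form:\n";
    foreach ($post as $key => $val) {
        // Body text cannot become a header, but flatten CR/LF in keys and
        // values anyway so one field cannot masquerade as another.
        $body .= str_replace(["\r", "\n"], ' ', (string) $key) . ' : '
               . str_replace(["\r", "\n"], ' ', (string) $val) . "\n";
    }

    return ['headers' => "From: $email\r\n", 'body' => $body];
}

// Constructed sample input: an honest submission and the attack from the
// thread, a second header appended after a newline in the email field.
$honest = ['name' => 'Alice', 'email' => 'alice@example.com', 'submit' => 'OK'];
$attack = [
    'name'   => 'Mallory',
    'email'  => "mallory@example.com\nBcc: everyone@example.net",
    'submit' => 'OK',
];

var_dump(buildMessage($honest) !== null);
var_dump(buildMessage($attack));

// In the live script only a validated message reaches mail() (assumed
// recipient address; the original post's address is not reproduced here):
// $msg = buildMessage($_POST);
// if ($msg !== null) {
//     mail('webmaster@example.com', 'Email Subject', $msg['body'], $msg['headers']);
// }
```

The design point is that validation happens before the header string is assembled, and the whole message is built in one place from the validated value, rather than checking $HTTP_POST_VARS[email] at the call site while $mailhead was already built from it earlier. FILTER_VALIDATE_EMAIL alone would refuse the newline too, but keeping the explicit CR/LF test makes the intent obvious to the next person reading the script.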

 
