Re: Contact Form Spam

Posted by Manuel Lemos on 01/24/08 05:33

Hello,

on 01/24/2008 03:21 AM Shelly said the following:
> The calling code is (The constants are defined earlier. Also, $fld is
> an instance of a class that contains information about all of the
> fields on the form. The last three are not on the form and the
> security field was not part of $fld.)
> ====================
> $mail = new htmlMimeMail();
> $mail->setFrom(MAIL_FROM);
> $mail->setBcc(MAIL_CC);
> $mail->setSubject(MAIL_SUBJECT);
> $i = 0;
> $message = "";
>
> $html = '<body bgcolor="#CCFFCC">' .
> '<strong>From: </strong>' . MAIL_FROM . '<webmaster@' . MAIL_FROM .
> '.com><br>' .
> '<strong>Sent: </strong>' . MAIL_SENT . "<br>" .
> '<strong>To: </strong>' . MAIL_TO . "<br>" .
> '<strong>Subject: </strong>' . MAIL_SUBJECT . "<br>" .
> '<table border="1" align="center"><caption align="top"><b>' .
> MAIL_SUBJECT . '</b></caption><br>';
>
> for ($i=0; $i<$fld->size; $i++) {
> $message .= $fld->fldDisplay[$i] . ": " . $fld->fldVal[$fld->fldName[$i]] . "\r\n";
> $html .= '<tr><th>' . $fld->fldDisplay[$i] . '</th><td>' .
> $fld->fldVal[$fld->fldName[$i]] . '</td></tr>';
> }
>
> $html .= '<tr><th>Security Code Generated</th><td>' .
> $_POST['securityHidden'] . '</td></tr>';
> $html .= '<tr><th>Security Code Entered</th><td>' .
> $_POST['securityCode'] . '</td></tr>';
> $html .= '<tr><th>User IP Address</th><td>' . getenv("REMOTE_ADDR") .
> '</td></tr>';
> $html .= '</table></body>';

I don't know if that is enough to explain it, but you are not encoding
the values that you insert in the HTML message.

If any values start with < the mail program will process it as a tag and
may not render anything. So the actual code may be there but is not
being displayed because it is taken as a tag.

Even parts of your static HTML will be omitted like this:

'<webmaster@' . MAIL_FROM .'.com><br>'

All you need to do is to use HtmlSpecialChars() to properly encode your
values in HTML.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
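The fix Manuel describes, as an added example that is not code from Shelly's post or from his reply: every dynamic value (and the literal `<webmaster@...>` address) goes through htmlspecialchars() before it is concatenated into the HTML part of the mail. The field arrays, the `$meta` array and the `h()` helper are assumptions made for the example; the original used an `$fld` object and defined constants instead.

```php
<?php
// Added example: builds the HTML part of the contact-form e-mail with every
// value HTML-encoded, so a submission beginning with "<" is displayed as
// text rather than swallowed by the mail reader as a tag.

declare(strict_types=1);

// Encode one value for safe insertion into HTML text.
// ENT_QUOTES also encodes quotes, ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently drop a field).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $fields maps the label shown in the table to the submitted value.
// $meta carries the header lines and the extra rows (assumed structure).
function buildHtmlBody(array $fields, array $meta): string
{
    // The original wrote '<webmaster@' . MAIL_FROM . '.com>' literally, which
    // the mail reader treats as an unknown tag and hides. Encoding it makes
    // the angle brackets visible.
    $fromAddress = '<webmaster@' . $meta['from'] . '.com>';

    $html = '<body bgcolor="#CCFFCC">'
        . '<strong>From: </strong>' . h($meta['from']) . ' ' . h($fromAddress) . '<br>'
        . '<strong>Sent: </strong>' . h($meta['sent']) . '<br>'
        . '<strong>To: </strong>' . h($meta['to']) . '<br>'
        . '<strong>Subject: </strong>' . h($meta['subject']) . '<br>'
        . '<table border="1" align="center"><caption align="top"><b>'
        . h($meta['subject']) . '</b></caption>';

    foreach ($fields as $label => $value) {
        $html .= '<tr><th>' . h($label) . '</th><td>' . h($value) . '</td></tr>';
    }

    $html .= '<tr><th>Security Code Generated</th><td>' . h($meta['securityHidden']) . '</td></tr>'
        . '<tr><th>Security Code Entered</th><td>' . h($meta['securityCode']) . '</td></tr>'
        . '<tr><th>User IP Address</th><td>' . h($meta['remoteAddr']) . '</td></tr>'
        . '</table></body>';

    return $html;
}

// Constructed sample submission: the comment starts with "<", which is the
// case that vanished from the rendered mail when left unencoded.
$fields = [
    'Name'    => 'Example Sender',
    'Email'   => 'sender@example.com',
    'Comment' => '<b>not bold</b> a comment that begins with a less-than sign',
];
$meta = [
    'from'           => 'example',
    'sent'           => '2008-01-24 03:21',
    'to'             => 'webmaster@example.com',
    'subject'        => 'Contact form',
    'securityHidden' => 'ABC123',
    'securityCode'   => 'ABC123',
    // Prefer $_SERVER over getenv(); fall back to a documentation address offline.
    'remoteAddr'     => $_SERVER['REMOTE_ADDR'] ?? '192.0.2.1',
];

echo buildHtmlBody($fields, $meta), "\n";
```

Run it from the command line with `php example.php` and the comment row comes out as `&lt;b&gt;not bold&lt;/b&gt; ...`, which a mail client renders literally; the same string passed through unencoded is what produced the blank rows in the original report.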
