|
Posted by Malcolm Dew-Jones on 10/08/40 11:26
cmcnaught (cmcnaught@gmail.com) wrote:
: Hi,
: I have a form processing script which sends an email in response to a
: (separate) form submittal. All the input validation is done client
: side javascript.
In other words, no input validation is being done.
: Recently the processing script has been hijacked by
: someone calling it with random email addresses in $_POST['email'] thus
: generating a lot of spurious email spam. I can think of a few ways to
: reduce the possibility of this but I'm posting this to see if I can get
: some ideas on the best way to secure. I'd like to check the processing
: page was called from the form page but I understand that
: $SERVER['HTTP_REFERER'] is not reliable.
HTTP_REFERER is not reliable, and may not even be available. It should
never be used for anything except as a convenience (like providing a
suggested default value in a form).
Hidden variables are easily
: revealed, I'm thinking of using a cookie or a session id. Any
: comments/ideas?
1) check the email address before you send mail to it. Only send mail to
a few addresses that you control.
2) require the users to login before they can send any mail using the
form. The original user signup must include a mail id confirmation so you
"know" who they are (well you never really know). Perhaps track the
amount of mail being sent from each user (tell them you do that!), and the
mail sent from your system should can have a note added telling any
recipient how to report abuses of the mail to you. If a user abuses the
mail then block that user, (and don't allow signups from their confirm
address).
--
This programmer available for rent.
Navigation:
[Reply to this message]
|