You are here: Re: [PHP] Blocking Values From an External Source « PHP « IT news, forums, messages
Re: [PHP] Blocking Values From an External Source

Posted by "Matt Stone" on 12/17/05 01:46

----- Original Message -----
From: "Shaun" <shaunthornburgh@hotmail.com>
To: <php-general@lists.php.net>
Sent: Friday, December 16, 2005 7:50 PM
Subject: [PHP] Blocking Values From an External Source


> Hi,
>
> I have a script on my site for processing values sent from a contact form
> and emailing them to the webmaster. The script has been abused by spammers
> and my hosting company has recommended that I change the script to only
> accept information posted from my own URL. Could someone tell me how this
> can be done please?
>

If your script is being abused through mail headers injection, making it
only accept information being posted from your own url won't work.
First set a max length in your "from e mail address" text box and validate
that. For example:

if (strlen($_POST['email']) > SOME_NUMBER ){
die ("E Mail Address Too Long");
}

Next, validate your e mail address to the rfc standard, there's a good
tutorial here: http://www.iamcal.com/publish/articles/php/parsing_email/

If you validate it using the function in the article your form will be
bulletproof as far as headers injection goes as the rfc standard does not
allow a '\' or ':' in the address. If you follow your isp's advice and still
allow invalid input from your form you're leaving yourself wide open to
header injection. For example someone can still input

myemail@somewhere.com\r\nBcc: a_big_list_of_addresses@whereveryouwant.com

into the from address field. Who needs a bot to post that info when a single
click on a form can see your script used to spam a stack of recipients? To
put it another way, is it worth validating the source of your input if
you're not going to validate the input itself?

HTH

Cheers
Matt

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация