Posted by Dikkie Dik on 12/17/05 19:15
There was a thread about it just one month ago in this newsgroup. Read
http://securephp.damonkohler.com/index.php/Email_Injection
for an explanation of mail injection. Reading this, I suggest that your
first "quick" step is to reject any user-supplied mail headers with a
newline character in them. It is best to do that both at the input and the
output side: it is an attack if someone slips a newline into a header (it
is too hard to do with an HTML text input to suggest it was a typo).
But the real error is not whether you accept invalid user data or not;
the real error is that you pass data to the mail function that can have
side effects. So writing a wrapper function for the standard mail()
function, but with extra parameter checks, should prevent a lot of problems.
Best regards
Mike wrote:
> Hello,
> I have a guestbook form that is getting spammed regularly (10 times a
> day) by a bot of some kind. I'm in the process of picking up PRO PHP
> Security from Apress (which I need anyway), but I was wondering if anyone has
> a quick fix for this, or can point me in the right direction. My client isn't
> happy.
> Thanks
> Mike
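The wrapper described in the reply above, written out as an added example (this is not code from the original post or from the linked article): every value that ends up in a mail header is refused if it contains a line break, and the address fields are additionally validated. The function names, the `$extraHeaders` array shape and the guestbook field names in the usage comment are assumptions.

```php
<?php
// Added example: a thin wrapper around PHP's mail() that rejects any header
// value containing a line break, so an injected "Bcc:" line never reaches the MTA.

// CR, LF and NUL are the characters that end or corrupt a header line.
function containsHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Safer replacement for mail(). $extraHeaders is an associative array such as
 * ['From' => $email, 'Reply-To' => $email]; header names come from our own code,
 * header values may come from the user. Throws instead of sending tainted headers.
 */
function safeMail(string $to, string $subject, string $body, array $extraHeaders = []): bool
{
    // The recipient and the subject are header values too; check them the same way.
    if (containsHeaderBreak($to) || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid recipient address');
    }
    if (containsHeaderBreak($subject)) {
        throw new InvalidArgumentException('Line break in subject');
    }

    $headerLines = [];
    foreach ($extraHeaders as $name => $value) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $name)) {
            throw new InvalidArgumentException("Bad header name: $name");
        }
        if (containsHeaderBreak($value)) {
            throw new InvalidArgumentException("Line break in header $name");
        }
        // Address-bearing headers must also be a single well-formed address.
        if (in_array($name, ['From', 'Reply-To'], true)
            && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Header $name is not a valid address");
        }
        $headerLines[] = "$name: $value";
    }

    // mail() expects CRLF-separated headers; each line was built from vetted parts.
    return mail($to, $subject, $body, implode("\r\n", $headerLines));
}

// Usage with hypothetical guestbook form fields:
// safeMail('owner@example.com', $_POST['subject'], $_POST['message'],
//          ['From' => $_POST['email'], 'Reply-To' => $_POST['email']]);
```

Because the check runs at the point where data is handed to mail(), it holds even when some form handler forgets to validate its input; the input-side rejection the reply also recommends is still worth keeping so the attempt can be logged and the request refused early.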