Posted by I Hate Stock Spams on 10/02/29 11:34
This question has also come up recently in news.admin.net-abuse.email, so I
have cross-posted the following excellent answer to nanae.
In response to a question about the recent control character/bcc: injection
epidemic in web mail forms, Justin Koivisto <justin@koivi.com> posted in
comp.lang.php and php.general:
> Some things that I like to do when processing forms...
>
> On the page that has the form, generate some kind of token, store and
> send with request:
>
> <?php
> session_start();
> $token = md5('my secret'.microtime().'other secret');
> $_SESSION['token'] = $token;
> echo '<input type="hidden" name="token" value="',$token,'" />';
> ?>
>
> on the receiving page...
>
> <?php
> session_start();
> if(isset($_POST['token']) && $_SESSION['token']==$_POST['token']){
> // this POST request should be a submission of my form, not a spoof
> }else{
> // the form submission was spoofed...
> }
> ?>
>
> In addition to that, I also do some flat-out rejection stuff as well...
> Since I know the fields and what to expect, I run this test on all
> fields that should NOT contain a line break of any type:
>
> if(preg_match('`[\r\n]`',$_POST['fieldname'])){
> // here, we found a newline or carriage return
> // corrupted data should be set to empty string
> $_POST['fieldname']='';
>
> // decide how to handle this condition...
> }
>
> Most of the time if I find this, I'll report an error and ask for
> resubmission, but in some cases (depending on the application) I will
> simply kill execution.
>
> --
> Justin Koivisto, ZCE - justin@koivi.com
> http://koivi.com
-=-
This message was sent via two or more anonymous remailing services.
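The two checks Justin describes, put together into one script, as an added example (not Justin's code and not from the original post). Function names (make_form_token, contains_line_break, validate_contact_form) and the sample submissions are this example's own assumptions; the session is simulated with a plain array so the script runs from the command line.

```php
<?php
// Added example: a per-form token plus a line-break filter for fields that
// end up in mail headers. The function names and sample data below are
// assumptions made for this example, not part of the quoted post.

// Generate an unpredictable token and store it in the session.
// random_bytes() (PHP 7+) stands in for md5('secret'.microtime()), whose
// output is guessable by anyone who learns the secret string.
function make_form_token(array &$session): string {
    $token = bin2hex(random_bytes(32));
    $session['token'] = $token;
    return $token;
}

// Fields that are copied into mail headers (From:, Reply-To:, Subject:) must
// never contain CR or LF: a line break is what lets a submitter append
// extra header lines such as Bcc:.
function contains_line_break(string $value): bool {
    return preg_match('`[\r\n]`', $value) === 1;
}

// Validate one submission. Returns a list of error strings; empty means accept.
function validate_contact_form(array $session, array $post): array {
    $errors = [];

    // Token check with hash_equals() so the comparison runs in constant time.
    if (!isset($post['token'], $session['token'])
        || !hash_equals($session['token'], (string)$post['token'])) {
        $errors[] = 'token mismatch: request did not start from our form';
    }

    // Single-line fields: report and ask for resubmission rather than
    // silently emptying the field.
    foreach (['name', 'email', 'subject'] as $field) {
        $value = (string)($post[$field] ?? '');
        if (contains_line_break($value)) {
            $errors[] = "$field: line break not allowed";
        }
    }
    return $errors;
}

// --- constructed demo data (simulated session and three submissions) ---
$session = [];
$token = make_form_token($session);

$good = ['token' => $token, 'name' => 'Alice',
         'email' => 'alice@example.org', 'subject' => 'Hello'];
$injected = ['token' => $token, 'name' => 'Alice',
             'email' => "alice@example.org\r\nBcc: someone@example.net",
             'subject' => 'Hello'];
$spoofed = ['token' => 'not-the-token', 'name' => 'Alice',
            'email' => 'alice@example.org', 'subject' => 'Hello'];

foreach (['good' => $good, 'injected' => $injected, 'spoofed' => $spoofed]
         as $label => $post) {
    $errors = validate_contact_form($session, $post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'accepted', "\n";
}
```

In a real handler the token would come from `$_SESSION` and the fields from `$_POST`; after a successful submission, unset the session token so each token is accepted once. The line-break check is deliberately applied only to fields that reach mail headers; a free-text message body may legitimately contain newlines and should instead be kept out of the headers entirely.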