You are here: Re: form processing spammed « PHP Programming Language « IT news, forums, messages
Re: form processing spammed

Posted by Umberto Salsi on 10/08/12 11:26

"cmcnaught" <cmcnaught@gmail.com> wrote:

> Hi,
> I have a form processing script which sends an email in response to a
> (separate) form submittal. All the input validation is done client
> side javascript. Recently the processing script has been hijacked by
> someone calling it with random email addresses in $_POST['email'] thus
> generating a lot of spurious email spam. I can think of a few ways to
> reduce the possibility of this but I'm posting this to see if I can get
> some ideas on the best way to secure. I'd like to check the processing
> page was called from the form page but I understand that
> $SERVER['HTTP_REFERER'] is not reliable. Hidden variables are easily
> revealed, I'm thinking of using a cookie or a session id. Any
> comments/ideas?
> cj

Solution 1. Don't send the email to the browser. Simply, the email should
be "hard-coded" inside your program. If you have two or more address,
define an array $to = array("info@domain.com", "support@domain.com", ...)
(you might define this array inside a file to be included) and send to
the browser a pop-up menu; the value returned from the menu should be
the index to the array $to[]:

include "valid-destination-email-addresses.php";

$i = (int) $_POST['to_idx'];
if( isset( $to[$i] ) ){
mail($to[$i], ...);
} else {
trigger_error("fucking spammer from ". $_SERVER['REMOTE_ADDR'],
E_USER_NOTICE);
}
echo "Message sent, thank you!";


Solution 2. Define a list of valid email addresses inside a file to be
included in your "formmail.php" script. The script will ignore any
destination address that do not appear in this list:

include "valid-destination-email-addresses.php";

$email = (string) $_POST['email'];
if( in_array($email, $to) ) ){
mail($to[$i], ...);
} else {
trigger_error("fucking spammer from ". $_SERVER['REMOTE_ADDR'],
E_USER_NOTICE);
}
echo "Message sent, thank you!";


Solution 3. Send the email address to the client, but protect it with
a MAC (message authentication code), or encrypt it. For example:

define('KEY', "udhrtagcjkfhrgts");

function hidden($name, $value)
{ echo "<input type=hidden name=$name value='$value'>"; }

function MAC($msg)
{ return md5(KEY, md5($msg, KEY)); }

hidden("email", $email);
hidden("mac", MAC($email));

In the formmail.php script you must to check the returned MAC:

$email = (string) $_POST['email'];
$mac = (string $_POST['mac'];

if( $mac == MAC($email) ){
mail($email, ...);
} else {
trigger_error(...);
}


Ciao,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация