Posted by Steve on 03/01/07 16:44
<rcoan@chaparralboats.com> wrote in message
news:1172764066.801388.35160@h3g2000cwc.googlegroups.com...
| Ok, used this:
|
| $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
| $injections = array('to', 'from', 'cc', 'bcc');
| foreach ($emailInput as $input)
| {
|     // start from the raw value and strip each header pattern in turn;
|     // reassigning from $input on every pass would keep only the last
|     // pattern's result, so 'to', 'from' and 'cc' would never be checked
|     $filtered = $input;
|     foreach ($injections as $injection)
|     {
|         $filtered = preg_replace("/\n?" . $injection . "\s*?:.*?\n/i", '',
|                                  $filtered);
|     }
|     if ($filtered != $input)
|     {
|         // we have detection
|         // track/log it
|         // if this were a function, return false;
|     }
| }
|
| and it seems to work.
good.
| Is there any method of testing it that I can do
| to make sure it is handling everything properly?
set the values for $to, $from, $cc, etc. where you actually DO try to inject
header directive. that means you must first LEARN how hackers do this.
within your if ($filtered != $input) body, just echo to the browser (for
now), that injection was detected. that's your fail scenario. reset your
$to, $from, $cc, etc. variable values where there is no injection and where
the $to is YOUR email address. all is functioning as it should when you
actually receive this email. testing done. any other things you add will of
course need to be tested...such as tracking hackers by ip.
i'd put that code into a function to make it callable elsewhere and reduce
the number of lines it takes to set up both testing scenarios.
| Yeah, I'm lazy Steve, just say whatever makes you feel better about
| yourself. That's real professional.
'just say whatever makes you feel better about yourself.' i don't expect you
to be anything other than what i've seen...which seems lazy. btw, i'm not
saying anything here for my own edification. but again, 'just say
whatever...'.
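The two test scenarios Steve describes (a fail case with injected header directives, a pass case with clean values), written out as a runnable PHP script. This is an added example, not code from the thread; the function name, the field names and the sample addresses are assumptions.

```php
<?php
// Added example (not from the thread). Returns the names of the header
// fields that carry an injected header directive, i.e. a line break
// followed by something that looks like "<header-name>:".
function detectHeaderInjection(array $fields): array
{
    $headers = ['to', 'from', 'cc', 'bcc', 'content-type', 'mime-version'];
    // single quotes keep \r and \n as PCRE escapes rather than PHP ones
    $pattern = '/(?:\r\n|\r|\n)\s*(?:' . implode('|', $headers) . ')\s*:/i';
    $flagged = [];
    foreach ($fields as $name => $value) {
        if (preg_match($pattern, $value) === 1) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}

function runScenarios(): array
{
    // Scenario 1 (fail case): constructed values that DO try to inject
    // header directives. Only header fields are checked; the message body
    // is not a header, so a body line starting with "To:" is not injection.
    $injected = [
        'to'      => "victim@example.com\r\nBcc: other@example.net",
        'from'    => "sender@example.com\nCC: third@example.org",
        'subject' => "Hello",
    ];
    // Scenario 2 (pass case): clean values; in a live test $to would be
    // your own address so you can confirm the mail actually arrives.
    $clean = [
        'to'      => "you@example.com",
        'from'    => "sender@example.com",
        'subject' => "Hello",
    ];
    return [
        'fail_case' => detectHeaderInjection($injected),
        'pass_case' => detectHeaderInjection($clean),
    ];
}

$results = runScenarios();
if ($results['fail_case'] !== ['to', 'from'] || $results['pass_case'] !== []) {
    throw new RuntimeException('detector did not behave as expected');
}
echo "fail case flagged: " . implode(', ', $results['fail_case']) . "\n";
echo "pass case flagged: none\n";
```

Only call mail() once detectHeaderInjection() returns an empty array; the fail case should never reach it.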