Posted by Richard Lynch on 04/06/05 04:42

On Mon, April 4, 2005 2:00 pm, Eric Gorr said:
> I wanted to set up a good 'contact me' page on my website. I do not want
> to reveal my e-mail address, so I was going to use a form.
>
> The PHP script with the actual mail() function would define the To and
> Subject parameters, so these could not be faked.
>
> I also plan to use a captcha.

A what?

> The only concern I had was how to process the body text. Any
> recommendations?
>
> One useful function would appear to be strip_tags, so no one could embed
> annoying or destructive HTML, etc. which I may accidentally cause my
> e-mail application to render.

It's possible, though extremely unlikely, that somebody could construct a
malicious email that passes through strip_tags and/or htmlentities and
still does something *bad* for your particular email application.

htmlentities is going to be safe, but will convert HTML enhanced (cough,
cough) email into a bunch of junk you can't even read. Which might be a
morally correct thing to do with HTML email anyway, but probably not all
that useful to even send it at that point.

Since you anticipate such a low volume, and seem concerned that you will
lose valuable info from an HTML-enhanced email, perhaps you should log the
original and provide a link to view it in the email you send to yourself.

So if you REALLY need that "enhanced" email, you can surf to it.

Of course, then your web-server/browser might be attacked by their code
you are viewing/executing (JavaScript).

You may also want to consider using a "throttle" on the form based on
$_SERVER['REMOTE_ADDR'] and if more than X emails are sent in Y hours from
the same IP, refuse to send it and send them to an error page.

I do this on sites where I forward "blind" emails to others, so they can't
get (easily) attacked with a DoS attack on their email by a script kiddie.

Certainly, it can be defeated by somebody who knows how to change their
IP, but it's a small hurdle to weed out some of the more clueless folks
who want to try to abuse your form.

You could also send them a Cookie, again easily defeated by the clueful,
as well as checking their IP to add another hurdle.

--
Like Music?
http://l-i-e.com/artists.htm
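The per-IP throttle described in the post above, as an added example that is not code from the thread or its authors. It assumes a writable directory for the counters, fixed placeholder values for X and Y, and a placeholder recipient address; the form's To and Subject stay server-side and the body goes through strip_tags as discussed.

```php
<?php
// Added example, not from the original thread. X and Y below are placeholders.
const MAX_MAILS   = 5;        // X: sends allowed per window from one IP
const WINDOW_SECS = 6 * 3600; // Y: window length (6 hours)

// Returns true if $ip may send now, and records the send. One small JSON file
// per IP holds the timestamps of recent sends; the IP is hashed so it never
// becomes part of a file name.
function throttle_allows(string $ip, string $storeDir, ?int $now = null): bool
{
    $now  = $now ?? time();
    $file = rtrim($storeDir, '/') . '/' . sha1($ip) . '.json';

    $fh = fopen($file, 'c+');
    if ($fh === false) {
        return false; // cannot record the attempt: fail closed
    }
    flock($fh, LOCK_EX);
    $raw   = stream_get_contents($fh);
    $times = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    // Sliding window: keep only sends newer than now - Y.
    $times = array_values(array_filter($times, fn($t) => $t > $now - WINDOW_SECS));

    $allowed = count($times) < MAX_MAILS;
    if ($allowed) {
        $times[] = $now;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($times));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Form handler: To and Subject are fixed here, never taken from the request.
$ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$body = strip_tags((string)($_POST['body'] ?? ''));

if (!throttle_allows($ip, '/var/tmp/contact-throttle')) { // assumed directory
    header('Location: /too-many-messages.html'); // error page, as in the post
    exit;
}
mail('me@example.com', 'Contact form message', $body); // placeholder recipient
```

As the post notes, REMOTE_ADDR is a small hurdle only; anyone who can change their source IP sidesteps it, so treat it as a cost raiser rather than a hard limit.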
