Posted by Umberto Salsi on 11/15/12 11:26
"cmcnaught" <cmcnaught@gmail.com> wrote:
> Hi,
> I have a form processing script which sends an email in response to a
> (separate) form submittal. All the input validation is done client
> side javascript. Recently the processing script has been hijacked by
> someone calling it with random email addresses in $_POST['email'] thus
> generating a lot of spurious email spam. I can think of a few ways to
> reduce the possibility of this but I'm posting this to see if I can get
> some ideas on the best way to secure. I'd like to check the processing
> page was called from the form page but I understand that
> $SERVER['HTTP_REFERER'] is not reliable. Hidden variables are easily
> revealed, I'm thinking of using a cookie or a session id. Any
> comments/ideas?
> cj
Solution 1. Don't send the email to the browser. Simply, the email should
be "hard-coded" inside your program. If you have two or more addresses,
define an array $to = array("info@domain.com", "support@domain.com", ...)
(you might define this array inside a file to be included) and send to
the browser a pop-up menu; the value returned from the menu should be
the index to the array $to[]:
    include "valid-destination-email-addresses.php"; // defines the array $to
    // The browser only ever sees the menu index, never an address.
    $i = (int) $_POST['to_idx'];
    if( isset( $to[$i] ) ){
        mail($to[$i], ...);
    } else {
        trigger_error("fucking spammer from ". $_SERVER['REMOTE_ADDR'],
            E_USER_NOTICE);
    }
    echo "Message sent, thank you!";
Solution 2. Define a list of valid email addresses inside a file to be
included in your "formmail.php" script. The script will ignore any
destination address that does not appear in this list:
    include "valid-destination-email-addresses.php"; // defines the array $to
    $email = (string) $_POST['email'];
    // Strict comparison: the submitted address must exactly match an entry of $to.
    if( in_array($email, $to, true) ){
        mail($email, ...);
    } else {
        trigger_error("fucking spammer from ". $_SERVER['REMOTE_ADDR'],
            E_USER_NOTICE);
    }
    echo "Message sent, thank you!";
Solution 3. Send the email address to the client, but protect it with
a MAC (message authentication code), or encrypt it. For example:
    // Secret known only to the server: use a long random value and keep it out of the web root.
    define('KEY', "udhrtagcjkfhrgts");
    function hidden($name, $value)
    {
        // Escape the value so an address cannot break out of the attribute.
        echo "<input type=hidden name=\"$name\" value=\""
            . htmlspecialchars($value, ENT_QUOTES) . "\">";
    }
    function MAC($msg)
    {
        // Keyed hash over the message. Note that md5(KEY, md5($msg, KEY)) would pass the
        // inner digest as md5()'s raw_output flag, so the tag would not depend on $msg at all.
        return hash_hmac('sha256', $msg, KEY);
    }
    hidden("email", $email);
    hidden("mac", MAC($email));
In the formmail.php script you must check the returned MAC:
    $email = (string) $_POST['email'];
    $mac = (string) $_POST['mac'];
    // Constant-time comparison of the returned tag against a freshly computed one.
    if( hash_equals(MAC($email), $mac) ){
        mail($email, ...);
    } else {
        trigger_error(...);
    }
Ciao,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it
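The index lookup of Solution 1 and the tagged hidden field of Solution 3, as an added example in Python rather than the poster's PHP, so it runs stand-alone: KEY and the TO list are constructed values, and hmac.compare_digest takes the place of the == comparison on the tag.

```python
import hmac
import hashlib
from typing import Optional, Sequence

# Constructed server-side secret for this example only; a real deployment loads it
# from configuration outside the web root and never sends it to the browser.
KEY = b"udhrtagcjkfhrgts"

# Constructed whitelist, standing in for valid-destination-email-addresses.php.
TO = ("info@domain.com", "support@domain.com")


def destination_by_index(post: dict, to: Sequence[str] = TO) -> Optional[str]:
    """Solution 1: the form submits only a menu index; the address never leaves the server."""
    try:
        i = int(post.get("to_idx", ""))
    except ValueError:
        return None
    # Explicit bounds check: Python would otherwise accept a negative index.
    return to[i] if 0 <= i < len(to) else None


def mac(value: str, key: bytes = KEY) -> str:
    """Keyed tag over a hidden field value (HMAC-SHA256, hex-encoded)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def hidden_fields(email: str) -> dict:
    """Solution 3, form page side: the address and its tag, as the hidden inputs carry them."""
    return {"email": email, "mac": mac(email)}


def destination_by_mac(post: dict) -> Optional[str]:
    """Solution 3, formmail side: accept the address only if the returned tag verifies."""
    email = str(post.get("email", ""))
    tag = str(post.get("mac", ""))
    # Constant-time comparison, so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(mac(email).encode("utf-8"), tag.encode("utf-8")):
        return None
    return email


if __name__ == "__main__":
    fields = hidden_fields("info@domain.com")
    print(destination_by_mac(fields))                                    # info@domain.com
    print(destination_by_mac(dict(fields, email="victim@example.org")))  # None
    print(destination_by_index({"to_idx": "1"}))                         # support@domain.com
    print(destination_by_index({"to_idx": "7"}))                         # None
```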