Re: My contact form is not emailed to me [message #173567 is a reply to message #173565]
Tue, 19 April 2011 02:58
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 4/18/2011 10:30 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iofj5t$7gi$1(at)dont-email(dot)me...
>
>> On 4/17/2011 3:58 PM, MG wrote:
>
>>> This one is worth reading
>>> http://www.damonkohler.com/2008/12/email-injection.html
>
>> Some good descriptions on how it can happen. But one needs to
>> read the comments at the end, also - there are several problems
>> with his proposed solutions.
>
> I found the article very interesting. As a "casual" newbie user of PHP I
> don't fully understand all the issues, but I can see that it can be a
> real problem if a hacker really wants to make trouble. My application
> requires a user to provide a name and email address from a hard-coded
> list, and also a password, before data can be entered. If that is
> successful, I set a file lock which blocks any subsequent attempts to
> access the script, and I add a deliberate 5 or 10 second delay before
> completing the processing and releasing the file lock.
>
> I also run the user input through a filter: http://htmlpurifier.org/
> which seems to work pretty well. I suppose nothing is totally secure,
> but this is designed for only a small group of trusted members, and is
> not really used very much. In fact, the only ones to have used it over
> the last several months have been myself (for testing), and one or two
> members as they were learning how to use it.
>
> Paul
Just remember - never trust ANYTHING from the user. You may have email
addresses hardcoded into your forum. But there is NOTHING which says
the request has to come from YOUR form. They can make up any form they
want and send whatever data they want to your page.

And I don't use htmlpurifier, but I would be very surprised if they were
to take out stuff which could be used to make your site a spam relay.
After all, things like newline characters are quite valid input values.
It's how they are used which makes a difference. And htmlpurifier
doesn't know how you're going to use it.

And finally - "only a small group of trusted members" is one of the most
famous lines used by people who got their website hacked. That may be
your intent. But hackers are good at getting around restrictions,
especially if you're not sure of what you're doing.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
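The point Jerry makes about newlines being valid input that only become dangerous in a mail header is the core of the email-injection article linked earlier in the thread. The following is an added illustration, not code from either poster: it contrasts a contact-form handler that copies the visitor's address straight into a `From:` header with one that validates the address server-side and refuses any header-bound field containing a line break. Function names, the `example.com` / `example.org` addresses and the sample inputs are all constructed for this example.

```php
<?php
// Added example (not from the thread). Shows why a "valid" newline in form
// input becomes a problem once it reaches a PHP mail() header, and the
// server-side check that stops it. All names and addresses are constructed.

// Vulnerable pattern under discussion: the visitor's address is placed
// directly into the headers string. A value containing "\r\n" lets the
// sender of the request append headers of their own (Bcc:, Cc:, ...),
// which is how a form becomes a spam relay.
function build_headers_unsafe(string $from): string {
    $headers = "From: " . $from . "\r\n";
    // mail('me@example.com', 'Contact form', $body, $headers) would go here;
    // the headers are returned instead so the effect can be inspected.
    return $headers;
}

// True if the value contains a raw CR or LF. PHP has already URL-decoded
// POST data by the time it reaches the script, so checking the raw
// characters is sufficient for header fields.
function has_line_break(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Hardened version:
//  - validate the address with PHP's built-in e-mail filter,
//  - refuse any header-bound field that contains a line break,
//  - keep From: fixed to the site's own address and put the visitor's
//    (validated) address in Reply-To, so user data never defines a header.
// Returns null when the request should be rejected.
function build_headers_safe(string $from): ?string {
    if (has_line_break($from)) {
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: contact-form@example.com\r\n"
         . "Reply-To: " . $from . "\r\n";
}

// Constructed inputs: one honest address, one carrying an injected header.
$honest  = "paul@example.org";
$hostile = "paul@example.org\r\nBcc: someone@example.net";

echo build_headers_unsafe($hostile);        // the Bcc line is now a real header
var_dump(build_headers_safe($hostile));     // NULL: request rejected
var_dump(build_headers_safe($honest));      // From + Reply-To, nothing else
```

The same `has_line_break()` check belongs on every field that ends up in a header (name, subject, reply address), while the message body can legitimately contain newlines and is passed to `mail()` as the body parameter, never concatenated into the header string. Because Jerry's other point is that the request need not come from your own form at all, none of these checks can live only in client-side JavaScript; they have to run on the server for every request.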