Re: Newbie php problem
- From: Tim Greer <tim@xxxxxxxxxxxxx>
- Date: Tue, 13 Jan 2009 10:20:26 -0800
Jerry Stuckle wrote:
Raymond Schmit wrote:
On Mon, 12 Jan 2009 04:16:58 +0100, "Floor"
<f.dessing@xxxxxxxxxxxxxxxxxxx> wrote:
Tim Greer:
Do you have any specific email form code you use now, in full (or
the relevant portions anyway) that you could post for people to
make suggestions, or were you looking for any already existing form
mail scripts or code examples?
To be short, I use a php script (this newsgroups topic :-) and use
the values that I generate with the outcome of a simple HTML form.
Please forget the first part of the script, as I do put some extra
headers in it as well...:
<?php
$to = "John Doe <j.doe@xxxxxxxxxxxxx>";
$subject = "Your inquiry";
// Raw POST fields are placed straight into the From: header here.
$from = "From: $_POST[name] <$_POST[email]>\r\n";
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: $_POST[name] <$_POST[email]>\r\n";
$message = "
$_POST[name]
$_POST[adress]
$_POST[pcode] $_POST[town]
Message:
$_POST[message]
";
// Note: $from (not $headers) is what is actually passed as the headers argument.
mail($to, $subject, $message, $from);
?>
What sometimes happens, is that I get this empty form that implies
that someone sent the form with spaces, although he/she couldn't as
the email has to contain an @ and a dot in it (form behavior in DW).
So then I thought: the script itself has been run and in order to
prevent doing that I just validate the content(s) of the fields in
the form itself and then break out before I get to the 'mail($to,
$subject, $message, $from); ' line.
My question is: how can I break out in this example script?
Thanks for your time.
-- Floor
To avoid spammers .....don't use:
mail($to, $subject, $message, $from);
You should have used php literals instead of $to, $subject and $from
and replace the $message by a string ($concatit) containing:
From: $from
Subject: $subject
Message: $message
For example:
mail("myself@xxxxxxx", "From myForm", $concatit, "myself@xxxxxxx");
Not at all necessary, if you properly validate your input.
And in his case, the $to is set by him, so there is no problem (it's
not coming from the user).
Yeah, the problem in this case, isn't the To: field, but the From: field
accepting input (seemingly blindly accepting it), which instead of it
being:
$from = "From: Name Here <email@here>\r\n";
It ends up with someone passing \n (or \r\n) and CC: or Bcc: where it
ends up being:
$from = "From: Name Here <email@here>\r\nBcc: email@xxxxxxxxxxx\r\n";
And the email@xxxxxxxxxxx gets a copy of the (spam) email.
I'm sure you know this, but for the sake of the OP and how insecure this
is (this is just one example, of course), so there is a problem with
the data submitted by the user in regard to what they could do.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
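The header injection Tim describes, shown end to end, as an added example that is not code from anyone in this thread. It builds the From: header exactly the way the original script does, feeds it a constructed submission whose name field carries "\r\nBcc: ...", and then shows one way to validate the fields and break out before mail() is ever reached (which was the OP's actual question). The field names, the sample addresses and the helper functions safe_from_header() and build_from_header() are assumptions made for the example; mail() itself is replaced by a stand-in so the script runs offline.

```php
<?php
// Added example (not from the original thread): PHP mail() header injection
// via the From: field, and the check that stops it.

// Constructed sample submissions. The second one is what a spammer sends:
// a CR LF inside the "name" field followed by an extra Bcc: header.
$normal = ['name' => 'Jane Doe', 'email' => 'jane@example.com'];
$attack = ['name' => "Jane Doe\r\nBcc: victim@example.net", 'email' => 'jane@example.com'];

// The header string built the same way the original script builds it:
// user input goes straight into the header block, unchecked.
function build_from_header(array $post): string {
    return "From: $post[name] <$post[email]>\r\n";
}

// Validated version. Returns null when the submission must not be mailed:
//  - any CR or LF in either field means someone is trying to add headers
//  - '<', '>' and '"' in the display name would mangle the mailbox syntax
//  - the address must be a single syntactically valid mailbox
function safe_from_header(array $post): ?string {
    $name  = $post['name']  ?? '';
    $email = $post['email'] ?? '';
    if (!preg_match('/^[^\r\n<>"]{1,100}$/', $name)) {
        return null;
    }
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: $name <$email>\r\n";
}

// Stand-in for mail() so the example runs without an MTA; it just shows the
// headers that would have gone out. In the real script this is mail().
function fake_mail(string $to, string $subject, string $message, string $headers): void {
    echo "mail() called with headers:\n" . $headers;
}

foreach (['normal' => $normal, 'attack' => $attack] as $label => $post) {
    echo "== $label ==\n";
    // What the original, unchecked code would have sent as headers:
    echo "unchecked: " . json_encode(build_from_header($post)) . "\n";

    // Validate first and "break out" before mail() when the input is bad.
    $from = safe_from_header($post);
    if ($from === null) {
        echo "rejected: CR/LF or invalid address in From fields, mail() not called\n";
        continue;   // in the real script: exit, or return to the form with an error
    }
    fake_mail("John Doe <j.doe@example.org>", "Your inquiry", "(message body)", $from);
}
```

For the "attack" submission the unchecked header comes out as "From: Jane Doe\r\nBcc: victim@example.net <jane@example.com>\r\n", which an MTA reads as two headers, so the Bcc: recipient gets a copy; the validated path returns null and the script never reaches mail(). Rejecting CR and LF outright (rather than stripping them) is deliberate: a submission that contains them is not a typo, it is an attack, and there is nothing worth delivering.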