On Dec 8, 2005, at 3:27 AM, David Dorward wrote:

> On Wed, Dec 07, 2005 at 01:19:59PM -0600, Bill Stephenson wrote:
>
>>> Nor should you allow new lines ...
>>> $subject = "User entered data with\nBCC: spam victim <[EMAIL PROTECTED]>"
>>
>> I wasn't aware of that problem. I'm guessing that using CGI.pm to parse
>> input helps solve that problem. Is this correct?
>
> No. There are plenty of times when you *want* to allow new lines in
> user input, even just sticking to the rather narrow field of form
> processors that send email, you often want to allow the user to enter
> multiple lines of text (in the message body).

I tried your example and could not get it to send the email to the spammed address. It just stuck it in the subject line like it should have.

I don't have anything special in the script to filter the newline. Here's the relevant code I use:

        use CGI;
        use Mail::Sendmail;

        my $Q = CGI->new;    # CGI object; created earlier in the script (not shown in this excerpt)
        # $user_email is also set earlier in the script (not shown here).

        if ($Q->param('to_email') ne "" or $Q->param('cc_email') ne "") {

            # Header fields come straight from the form parameters.
            my %mail = ( To      => $Q->param('to_email'),
                         Cc      => $Q->param('cc_email'),
                         Bcc     => "$user_email",
                         From    => "$user_email",
                         Subject => $Q->param('subject_email'),
                         Message => $Q->param('message_email')
                       );

            sendmail(%mail)
                or &error_trap($message = "$Mail::Sendmail::error 100-4");
        }

This also allows new lines in the message body.

> Using a prewritten, well-tested formmailer (such as NMS) is a good way
> to solve the problem.

Yes, but learning how to write a safe script, and testing it, is good too. I've always trusted CGI.pm to parse user input. NMS has its own way of doing this and I've never been 100% comfortable with that (I've never compared it to CGI.pm though; for all I know, they borrowed code from it and there may be no significant difference at all).

Kindest Regards,

--
Bill Stephenson
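Added example (Perl; not code from this thread, from Mail::Sendmail or from CGI.pm): a check that refuses any To/Cc/Bcc/From/Subject value containing a CR or LF before the %mail hash is handed to sendmail(), while leaving the multi-line Message body untouched, which is the distinction David's reply draws. The helper names, the field list and the sample inputs are constructed for the illustration; the only assumption is that the script builds the same %mail hash as the excerpt above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Mail header values occupy one line each. A CR or LF inside a value ends
# that header, so whatever follows the line break is read by the mail
# software as a further header line. The body, by contrast, is separated
# from the headers by a blank line and may legitimately contain newlines.

# Hypothetical helper: true when a single header value has no line break.
# An undefined value (form field not supplied) is treated as empty.
sub header_value_ok {
    my ($value) = @_;
    return 1 unless defined $value;
    return $value !~ /[\r\n]/;
}

# Hypothetical helper: check the header fields of a %mail hash and return
# the names of the fields that contain a line break (empty list = clean).
# Message is deliberately not inspected; a multi-line body is expected.
sub bad_header_fields {
    my (%mail) = @_;
    my @bad;
    for my $field (qw(To Cc Bcc From Subject)) {
        push @bad, $field unless header_value_ok($mail{$field});
    }
    return @bad;
}

# Render the header block the way a mailer would lay it out, so the
# effect of an embedded newline is visible when a value is rejected.
sub render_headers {
    my (%mail) = @_;
    return join "\n",
        map { "$_: $mail{$_}" }
        grep { defined $mail{$_} } qw(To Cc Bcc From Subject);
}

# Constructed inputs standing in for $Q->param(...) values.
my %clean = (
    To      => 'owner@example.com',
    From    => 'owner@example.com',
    Subject => 'Feedback from the web form',
    Message => "Line one\nLine two of the body",
);
my %injected = (
    %clean,
    Subject => "User entered data with\nBCC: spam victim <victim\@example.invalid>",
);

for my $case ([clean => \%clean], [injected => \%injected]) {
    my ($name, $mail) = @$case;
    my @bad = bad_header_fields(%$mail);
    if (@bad) {
        print "$name: rejected, line break in header field(s): @bad\n";
        print "  header block as a mailer would see it:\n";
        print map { "    $_\n" } split /\n/, render_headers(%$mail);
    } else {
        print "$name: headers clean, would call sendmail(%mail)\n";
    }
}
```

Run it as a plain script; the "injected" case prints the Subject split across two header lines, with the second one starting "BCC:", which is exactly why the check has to run on each header field rather than on the body.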

