Hello All,

I have a script to process an inquiry form. (go figure ;)

Anyway, if someone could take a quick look and see if I'm missing
anything obvious or see anything that would allow a breach in
security, I would appreciate it.

Particularly my regex filters may need a third eye to catch something
because they still aggravate my brain tumor to figure out sometimes.

Also, I'd like to turn on taint checking but I believe that my
$ENV{'HTTP_REFERER'} & $ENV{REMOTE_ADDR} are the cause of errors when
I do. If someone could show me how to fix this, I'll name my third
born after you.

Also, before anybody gets their panties in a bundle, I've read all the
banter on this list about validating email addresses & how it can't be
done 100% of the time, the mods to look at & such. I'm just shooting
for a high 80% success. I got fred&[EMAIL PROTECTED] taken care of &
the rest can read my error page telling them to just send me an e-mail
with the info... ;)

Code is below, thanks a bunch!

<CODE>
#!/usr/bin/perl -w

use strict;
use CGI qw(:standard);
$CGI::DISABLE_UPLOADS = 1;
$CGI::POST_MAX        = 512 * 1024;

# Note: $ENV{...} refers to the global %ENV hash, so no lexical $ENV is needed.
my ($sendmail,$time,$name,$email,$subject,$comments,
    $bad_name,$bad_email,$bad_subject,$bad_comments);

$sendmail = '/usr/sbin/sendmail';
$time  = localtime(time);

$bad_name = param('name');
if ( $bad_name =~ /^([a-zA-Z\s_]+)$/ ) {
        $name = $1; }
        else {
        error();
        exit; }

$bad_email = param('email');
# Both tests go in the condition: otherwise a failed capture would leave
# $1 holding the value captured by the previous (name) regex.
if ( $bad_email =~ m/\w\S+\@\w\S+\./ &&
     $bad_email =~ /([\w+\-\&\._]+\@[\w+\.\-_]+)/ ) {
        $email = $1; }
        else {
        error();
        exit; }

# A one-word drop-down menu selection for this one. If they try to
# send anything else here... they can bite me ;)
$bad_subject = param('subject');
if ( $bad_subject =~ /^([a-zA-Z]+)$/ ) {
        $subject = $1; }
        else {
        error();
        exit; }

$bad_comments = param('comments');
if ( $bad_comments =~ /^([a-zA-Z\d\s\-\.\?!,_]+)$/ ) {
        $comments = $1; }
        else {
        error();
        exit; }

# Only accept submissions that came from the contact page. (The Referer
# header is supplied by the client, so it can be forged or left empty.)
if (($ENV{'HTTP_REFERER'} eq "http://www.my-domain.com/contact/index.html") ||
    ($ENV{'HTTP_REFERER'} eq "http://my-domain.com/contact/index.html") ||
    ($ENV{'HTTP_REFERER'} eq "http://www.my-domain.com/contact/") ||
    ($ENV{'HTTP_REFERER'} eq "http://my-domain.com/contact/"))
{
# DO NADA - JUST CONTINUE ON
}
else {
invalid();
exit; }

if(param()) {
open (MAIL, "| $sendmail -t -oi") || die "Can't open $sendmail : $!\n";
print MAIL "To: webmaster\@my-domain.com\n";
print MAIL "From: webmaster\@my-domain.com\n"; 
print MAIL "Subject: $subject\n\n";
print MAIL "On $time\n";
print MAIL "This information was received:\n\n";

## Personal Information ##

print MAIL "Inquiry Information:\n";
print MAIL "$ENV{REMOTE_ADDR}\n";
    if($name) {
print MAIL "Name: $name\n"; }
    else { error(); }
    if($email) {
print MAIL "E-Mail: $email\n"; }
    else { error(); }
    if($subject) {
print MAIL "Subject: $subject\n"; }
    else { error(); }
    if($comments) {
print MAIL "Comments: $comments\n"; }
    else { error(); }
close(MAIL);

print "Location: http://www.my-domain.com/thankyou.html\n\n";
exit; }

print "Location: http://www.my-domain.com/contact/index.html\n\n";

sub error {
print "Location: http://www.my-domain.com/contact/error.html\n\n";
}
sub invalid {
print "Location: http://www.my-domain.com/contact/invalid.html\n\n";
}
</CODE>

-- 
Best regards,
K.L. Hayes
mailto:[EMAIL PROTECTED]

+=====================================================+
+ "Only two things are infinite, the universe and     +
+ human stupidity, and I'm not sure about the former."+
+                                 -- Albert Einstein  +
+=====================================================+
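As an added example that is not part of the original post: the same handler restructured so that it runs under -T. In taint mode the failure comes from the pipe to sendmail, because every %ENV entry including PATH is tainted, not from printing the referer or remote address; so the fix is to set PATH explicitly, drop the shell-related variables, and pass each validated field through a regex capture. The file paths and the anchored e-mail rule are assumptions.

```perl
#!/usr/bin/perl -wT
# Added example (not the original poster's code): the same form handler
# restructured so that it runs under taint mode. Paths are assumed.
use strict;
use CGI qw(:standard);
$CGI::DISABLE_UPLOADS = 1;
$CGI::POST_MAX        = 512 * 1024;

# Every %ENV value is tainted. The pipe to sendmail is what -T rejects
# ("Insecure $ENV{PATH}"), so PATH is fixed and shell-related variables
# are dropped before any external command is run (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $sendmail = '/usr/sbin/sendmail';   # assumed location

# A value is untainted only when it comes out of a regex capture: return
# the capture on a full-string match, undef otherwise.
sub untaint {
    my ($value, $pattern) = @_;
    return undef unless defined $value && $value =~ $pattern;
    return $1;
}

sub redirect_and_exit {
    print "Location: http://www.my-domain.com$_[0]\n\n";
    exit;
}

# Same character classes as the original filters, but the e-mail rule is
# anchored to the whole string so nothing outside the match slips through.
my %rule = (
    name     => qr/^([a-zA-Z\s_]+)$/,
    email    => qr/^([\w+\-\&\.]+\@[\w\.\-]+\.[a-zA-Z]{2,})$/,
    subject  => qr/^([a-zA-Z]+)$/,
    comments => qr/^([a-zA-Z\d\s\-\.\?!,_]+)$/,
);
my %clean;
for my $field (sort keys %rule) {
    $clean{$field} = untaint(scalar param($field), $rule{$field});
    redirect_and_exit('/contact/error.html') unless defined $clean{$field};
}
# REMOTE_ADDR is only logged, but it is still constrained to dotted-quad form.
my $addr = untaint($ENV{REMOTE_ADDR}, qr/^(\d{1,3}(?:\.\d{1,3}){3})$/) || 'unknown';

# List-form open: no shell parses the command line, so the arguments are
# passed to sendmail exactly as written.
open(my $mail, '|-', $sendmail, '-t', '-oi') or die "Can't open $sendmail: $!\n";
print $mail "To: webmaster\@my-domain.com\nFrom: webmaster\@my-domain.com\n",
    "Subject: $clean{subject}\n\nReceived from $addr on ", scalar localtime, "\n\n",
    map { "\u$_: $clean{$_}\n" } qw(name email subject comments);
close($mail) or die "sendmail failed: $?\n";
redirect_and_exit('/thankyou.html');
```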
