----- Original Message ----- 
From: "Shaun" <[EMAIL PROTECTED]>
To: <php-general@lists.php.net>
Sent: Friday, December 16, 2005 7:50 PM
Subject: [PHP] Blocking Values From an External Source


> Hi,
>
> I have a script on my site for processing values sent from a contact form
> and emailing them to the webmaster. The script has been abused by spammers
> and my hosting company has recommended that I change the script to only
> accept information posted from my own URL. Could someone tell me how this
> can be done please?
>

If your script is being abused through mail header injection, making it
only accept information being posted from your own URL won't work.
First set a max length in your "from e-mail address" text box and validate
that. For example:

<?php
// Reject over-long values before doing anything else with the input;
// SOME_NUMBER is the length limit you choose for the address field
if (strlen($_POST['email']) > SOME_NUMBER) {
    die("E-mail address too long");
}

Next, validate your e-mail address to the RFC standard, there's a good
tutorial here: http://www.iamcal.com/publish/articles/php/parsing_email/

If you validate it using the function in the article your form will be
bulletproof as far as header injection goes as the RFC standard does not
allow a '\' or ':' in the address. If you follow your ISP's advice and still
allow invalid input from your form you're leaving yourself wide open to
header injection. For example someone can still input

[EMAIL PROTECTED]: [EMAIL PROTECTED]

into the from address field. Who needs a bot to post that info when a single
click on a form can see your script used to spam a stack of recipients? To
put it another way, is it worth validating the source of your input if
you're not going to validate the input itself?

HTH

Cheers
Matt

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
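As an added example (not part of the original thread, and not the function from the article Matt links), the following PHP script shows the two checks the reply recommends, a length limit followed by address validation, applied to the "from" field of a contact form before the value is placed in a mail header. It uses PHP's built-in filter_var() with FILTER_VALIDATE_EMAIL as the syntactic check, adds an explicit rejection of line breaks, other control characters, whitespace and ':' so that no user input can start a new header line, and then feeds only the validated address into the headers. The constant and function names, the limit of 254 characters (standing in for the reply's SOME_NUMBER) and the sample inputs are all assumptions constructed for illustration.

```php
<?php
// Added example (not from the original thread): validating the "from" field of a
// contact form before it is used in a mail header. MAX_EMAIL_LENGTH and the
// function names are assumptions made for this illustration.

const MAX_EMAIL_LENGTH = 254;   // assumed limit; plays the role of SOME_NUMBER

/**
 * Return a header-safe e-mail address, or null if the input must be rejected.
 */
function validate_from_address(string $raw): ?string
{
    // 1. Length limit first, before doing any further work on the input.
    if (strlen($raw) > MAX_EMAIL_LENGTH) {
        return null;
    }
    // 2. Reject anything that could start a new header line: CR, LF and other
    //    control characters, plus whitespace and ':', which never belong in a
    //    single address of the form user@host.
    if (preg_match('/[\x00-\x1F\x7F:\s]/', $raw)) {
        return null;
    }
    // 3. Syntactic check of the address itself.
    if (filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $raw;
}

/**
 * Build the headers for the webmaster notification. The user-supplied value
 * reaches the From: and Reply-To: headers only after validation; everything
 * else in the header block is a fixed string under the script's control.
 */
function build_headers(string $validatedFrom): string
{
    return "From: " . $validatedFrom . "\r\n"
         . "Reply-To: " . $validatedFrom . "\r\n"
         . "X-Mailer: PHP/" . phpversion() . "\r\n";
}

// Constructed sample inputs: a normal address, the colon-separated value of the
// kind quoted in the thread, a CRLF-separated value, and an over-long value.
$samples = [
    'alice@example.com',
    'alice@example.com: bob@example.com',
    "alice@example.com\r\nBcc: bob@example.com",
    str_repeat('a', 300) . '@example.com',
];

foreach ($samples as $input) {
    $ok = validate_from_address($input);
    $shown = substr(addcslashes($input, "\r\n"), 0, 40);
    printf("%-42s => %s\n", $shown, $ok === null ? 'REJECTED' : 'accepted');
    if ($ok !== null) {
        // Only the validated address is ever handed to mail()'s header argument.
        echo build_headers($ok);
    }
}
```

Run from the command line, only the first sample is accepted and printed as a header block; the other three are rejected before any header is built. The order of the checks matters: the length test runs first so that a very large submission is discarded cheaply, and the control-character test runs before filter_var() so that the rejection of line breaks does not depend on the behaviour of the address validator.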
