On Thu, September 28, 2006 2:06 pm, tedd wrote:
> I realize that you are not asking for an answer, but for a guide --
> however -- isn't the real problem here simply one of injection? Just
> stop the user from injecting stuff in the subject and that would fix
> it right? Or, am I underestimating the problem?

Underestimating.

Stopping header injection is only one step of a potential world of
problems.

Consider that the user could provide *ANY* string, of any size, of any
composition, for their "Subject"

Maybe they POST a worm in Subject, and it has no newlines, but still
manages to propagate through Outlook.

Or maybe it's just a nice subject in Japanese.

I know nada about Unicode, uuencode, and all that crap.

Or, maybe, it's not even a VALID subject for SMTP, for whatever the
arcane rules of SMTP-ness are.

My contention is that the lowly application developer (me) should not
need a degree in i18n nor SMTP just to pass on a valid SMTP subject in
an email.

For *any* data that PHP has to pass back and forth in its "glue" there
are potentials for the kind of problems we've seen with spam, site
defacing, viruses, etc.

What I'm suggesting is that in addition to mysql_escape[_real]_string,
maybe there needs to be more "escape" string functions.

I believe JSON is one such in the pipeline, for Javascript string
escaping?  Or am I mis-remembering?

It just seems to me that if we manage to lock down email and MySQL,
the Bad Guys are just gonna turn to the next biggest (most-used)
extension and look for exploits there.

So with all these potential issues, I'm wondering if there isn't a
more systemic approach to this.

Plus, for the functions that we *DO* have, a grid of "from" and "to"
and the appropriate converter function seems like it would be a Good
Idea.

It's all too easy to find a problem like ' where addslashes seems like
the "right answer" but, in reality, what I do not know is that ~ is
also a special character to the [mumble] extension/protocol/whatever
and I'm using the wrong escape function.

There are 2 reasons why I'm not using the right escape function.
#1. The right one just plain doesn't exist.
#2. The docs, wonderful as they are, don't really lay out something as
fundamental as the right escape function for situation X, because you
need a degree in CS just to "know" that X is really a Y so the right
function is Z.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
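Added example, not code from the thread or from PHP itself: one way to handle the two concrete problems raised above (a Subject containing newlines, and a perfectly good Subject in Japanese) plus a small version of the "from/to grid" of escape functions. The length limit, the destination names and the sample inputs are assumptions made for illustration; everything else is standard PHP (mbstring, json_encode, htmlspecialchars).

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread): preparing a user-supplied
// Subject for an outgoing mail header, and choosing an encoder by destination.
// The length limit and the destination names below are assumptions.

final class HeaderInjection extends RuntimeException {}

/**
 * Turn arbitrary user input into a value that is safe to place in a
 * Subject: header. Rejects (rather than strips) CR/LF and other control
 * characters, so an injection attempt stays visible and can be logged, and
 * RFC 2047-encodes anything that is not printable ASCII (e.g. Japanese).
 */
function safeSubject(string $userInput, int $maxChars = 200): string
{
    // 1. Header injection: a bare CR, LF, NUL or other C0 control (tab excepted)
    //    would let the sender start a new header line. Refuse, don't "clean".
    if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $userInput) === 1) {
        throw new HeaderInjection('control character in Subject');
    }

    if (!mb_check_encoding($userInput, 'UTF-8')) {
        throw new HeaderInjection('Subject is not valid UTF-8');
    }

    // 2. Length policy (assumed): an oversized subject is abuse, not a feature.
    $subject = trim(mb_substr($userInput, 0, $maxChars, 'UTF-8'));

    // 3. Plain printable ASCII needs no encoding at all.
    if (preg_match('/^[\x20-\x7E]*$/', $subject) === 1) {
        return $subject;
    }

    // 4. Otherwise produce an RFC 2047 encoded-word (=?UTF-8?B?...?=). Long
    //    values are folded as CRLF + space, which is legal header folding.
    $encoded = mb_encode_mimeheader($subject, 'UTF-8', 'B', "\r\n");

    // Defensive check: every CRLF in the result must be a fold, never a new header.
    if (preg_match('/\r\n(?![ \t])/', $encoded) === 1) {
        throw new HeaderInjection('encoder produced an unfolded line break');
    }
    return $encoded;
}

/**
 * The "from/to grid" as code: the escaper is chosen by the destination the
 * value is being glued into, never by what the value happens to look like.
 */
function escapeFor(string $destination, string $value): string
{
    switch ($destination) {
        case 'html-text':
            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        case 'js-string':
            return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                                        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
        case 'url-param':
            return rawurlencode($value);
        case 'shell-arg':
            return escapeshellarg($value);
        case 'mail-subject':
            return safeSubject($value);
        case 'sql':
            // Deliberately no escape function: bind the value as a parameter instead.
            throw new LogicException('SQL values go through prepared statements, not string escaping');
        default:
            throw new LogicException("unknown destination: $destination");
    }
}

// Constructed sample inputs.
$samples = [
    'Meeting at 10',              // plain ASCII, passes through unchanged
    'こんにちは',                  // Japanese: valid, but must be MIME-encoded
    "Hi\r\nX-Injected: yes",      // header injection attempt: rejected
];

foreach ($samples as $s) {
    try {
        printf("%-30s -> %s\n", json_encode($s), safeSubject($s));
    } catch (HeaderInjection $e) {
        printf("%-30s -> REJECTED (%s)\n", json_encode($s), $e->getMessage());
    }
}

echo escapeFor('html-text', '<b>"x"</b>'), "\n";
echo escapeFor('js-string', "</script>'"), "\n";
```

The design choice worth noting: safeSubject() throws instead of silently stripping the newline. A stripped newline makes the injection attempt disappear from the logs; an exception gives the application a place to record it. The SQL row of the grid has no escape function on purpose, since binding a parameter removes the question of which characters are special for that driver.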