----- Original Message ----- 
From: Mike Brandonisio 

Also some comments on what may not be obvious to others in creating a 
secure script:

1. Only allow the form to send limited data to the form-POSTed email 
address.
2. Better yet, do not send an email to the form-POSTed email address 
at all.
3. Scrub all POST data for special characters like \n, \r, \0, and 
commas. You might even use something like htmlspecialchars() to 
convert things like <, >, ", ', and so on.
4. Do not put the recipient email address as a hidden form input. Put 
it in the script.
======================================

Something else I'd like to add for text inputs:
If you do allow certain tags in blogs, you need to filter out 'style'.

e.g. if you allow <strong></strong> or any other tags, some bright spark may 
insert:
<strong style='color:red; font-size:72px'>#&%$ ?##</strong>

Another thing I've had is 500 or more "X"s with no spaces. The idea is to make 
your page wider (if they put enough in) to spoil your page layout.

Bob E.
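The points from both messages above, put together in one small PHP contact-form handler. This is an added example, not code posted by Mike or Bob: the recipient address, the form field names, the tag whitelist, the 60-character word limit and the hostile sample submission at the bottom are all assumptions made for the demo. It hard-codes the recipient (point 4), mails only that recipient and never the POSTed address (points 1 and 2), strips \r, \n, \0 and commas from anything that goes into a mail header (point 3), rebuilds the body with htmlspecialchars() so that a <strong style='...'> tag cannot survive while a bare <strong> can, and splits any unbroken run of characters that would stretch the page.

```php
<?php
// Added example, not from either post: a contact-form handler that applies
// the advice in the thread. RECIPIENT, ALLOWED_TAGS, MAX_WORD and the field
// names are assumptions for the demo.
declare(strict_types=1);

// Point 4: the recipient lives in the script, never in a hidden form input.
const RECIPIENT    = 'webmaster@example.com';      // assumed address
const ALLOWED_TAGS = ['strong', 'em', 'b', 'i'];   // assumed whitelist
const MAX_WORD     = 60;  // longest run of non-space characters we let through

// Point 3: drop the characters that end or extend a mail header (CR, LF, NUL)
// and the separators (comma, and semicolon as an extra) that would let one
// field name several addresses. Also cap the length.
function scrubHeaderValue(string $value, int $maxLen = 200): string
{
    $clean = str_replace(["\r", "\n", "\0", ',', ';'], '', $value);
    return trim(substr($clean, 0, $maxLen));
}

// Bob's first point: escape everything with htmlspecialchars(), then restore
// only the bare whitelisted tags. "<strong style='color:red'>" never matches
// "&lt;strong&gt;", so it stays as harmless escaped text. Tags are matched
// exactly (lowercase, no attributes); anything else is just text.
function sanitizeBodyHtml(string $text): string
{
    $safe = htmlspecialchars(str_replace("\0", '', $text), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    foreach (ALLOWED_TAGS as $tag) {
        $safe = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $safe
        );
    }
    return $safe;
}

// Bob's second point: insert a space after every MAX_WORD consecutive
// non-space characters so a 500-character "XXXX..." cannot widen the layout.
// Run this on the raw text, before escaping, so HTML entities are never split.
function breakLongWords(string $text, int $max = MAX_WORD): string
{
    return preg_replace('/(\S{' . $max . '})(?=\S)/u', '$1 ', $text) ?? $text;
}

// Build the mail from $_POST-style input. Returns null when the sender field
// is not one valid address. Points 1 and 2: only RECIPIENT is ever mailed;
// the submitter's address goes into Reply-To, never into To.
function buildContactMessage(array $post): ?array
{
    $name = scrubHeaderValue($post['name'] ?? '');
    $from = scrubHeaderValue($post['email'] ?? '');
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $subject = scrubHeaderValue($post['subject'] ?? '') ?: 'Contact form';
    $body = '<p>From: ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>'
          . '<p>' . nl2br(sanitizeBodyHtml(breakLongWords($post['message'] ?? ''))) . '</p>';
    return [
        'to'      => RECIPIENT,
        'subject' => $subject,
        'body'    => $body,
        'headers' => [
            'From: ' . RECIPIENT,
            'Reply-To: ' . $from,
            'MIME-Version: 1.0',
            'Content-Type: text/html; charset=UTF-8',
        ],
    ];
}

// Actually hand the built message to mail(). Kept separate so the builder
// can be exercised without a mail transport.
function sendContactMessage(array $msg): bool
{
    return mail($msg['to'], $msg['subject'], $msg['body'], implode("\r\n", $msg['headers']));
}

if (PHP_SAPI === 'cli') {
    // Constructed hostile submission for the demo: a header injection attempt
    // in the name, a styled tag and a 500-character unbroken run in the body.
    $hostile = [
        'name'    => "Bob\r\nBcc: victim@example.net",
        'email'   => 'bob@example.org',
        'subject' => "Hello\nX-Injected: yes",
        'message' => "<strong style='color:red; font-size:72px'>#&%$ ?##</strong> " . str_repeat('X', 500),
    ];
    // The CR/LF is gone from the name and subject, the style attribute is now
    // escaped text inside the body, and the X run carries a space every 60.
    print_r(buildContactMessage($hostile));
}
```

Two things the example deliberately does not do: it does not send anything to the address the user typed (so it cannot be used as an open relay for spam), and it does not try to parse attributes out of tags at all, since restoring only exact bare tags sidesteps that problem entirely. An unclosed <strong> from the user still leaves the rest of the message bold; if that matters, count opening and closing tags and append the missing closers.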



Community email addresses:
  Post message: php-list@yahoogroups.com
  Subscribe:    [EMAIL PROTECTED]
  Unsubscribe:  [EMAIL PROTECTED]
  List owner:   [EMAIL PROTECTED]

Shortcut URL to this page:
  http://groups.yahoo.com/group/php-list 