Re: Stopping Contact Form Injection?

2008-01-16 Thread Samuel DeVore

http://bin.cakephp.org/view/510577541 is what I have used in some
cake 1.1 sites.

-- 
(the old fart) the advice is free, the lack of crankiness will cost you

- its a fine line between a real question and an idiot

http://blog.samdevore.com/archives/2007/03/05/when-open-source-bugs-me/

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake 
PHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Stopping Contact Form Injection?

2008-01-16 Thread Samuel DeVore

I have some code I got somewhere as well  I'll go dig it up

Sam D





Re: Stopping Contact Form Injection?

2008-01-16 Thread squidliberty

Well, I can't move to 1.2 on production sites, but I did take a look
at its API and got some ideas. Here is what I added to my PHPMailer
component, in case anyone else needs something similar.


function cleanArray(&$toClean) {
    $sanitize = new Sanitize();
    // Header fragments a spammer needs in order to add recipients or MIME
    // parts; each is matched case-insensitively and removed from the value.
    $header_bits = array(
        '/%0a/i', '/%0d/i',
        '/Content-Type\:/i', '/Content\-Transfer\-Encoding\:/i',
        '/charset\=/i', '/mime-version\:/i', '/multipart\/mixed/i',
        '/bcc\:.*/i', '/to\:.*/i', '/cc\:.*/i', '/from\:/i',
        '/\\r/i', '/\\n/i'
    );

    if (!is_array($toClean)) {
        return null;
    }
    // foreach instead of while/list/each(): each() was removed in PHP 8
    foreach ($toClean as $k => $v) {
        if (is_array($v)) {
            $this->cleanArray($toClean[$k]); // recurse into nested form data
        } else {
            $v = $sanitize->cleanValue($v);
            $toClean[$k] = preg_replace($header_bits, '', $v);
        }
    }
}


Now, I can just use $this->Email->cleanArray() instead of
$sanitize->cleanArray().
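An added example (mine, not code from the thread, CakePHP or PHPMailer) that puts the denylist approach of the cleanArray() above beside the check most practitioners use instead: refuse any header-bound value that contains a line break. It assumes, purely for illustration, that the form posts name, email, subject and message, that the first three may end up in mail headers (From, Reply-To, Subject) and that message goes only into the body; the spam payload is constructed. PHP 7 or later.

```php
<?php
// Added example, not code from the thread or from CakePHP/PHPMailer.
// Assumed form fields (not stated on the page): name, email, subject are
// header-bound; message is body-only.

/** Denylist in the style of the posted cleanArray(): strip known header tokens. */
function stripHeaderTokens(string $value): string
{
    $patterns = [
        '/%0a/i', '/%0d/i',
        '/Content-Type:/i', '/Content-Transfer-Encoding:/i', '/charset=/i',
        '/mime-version:/i', '/multipart\/mixed/i',
        '/bcc:.*/i', '/to:.*/i', '/cc:.*/i', '/from:/i',
        '/\r/', '/\n/',
    ];
    return preg_replace($patterns, '', $value);
}

/**
 * A mail header is exactly one line. CR, LF or NUL in a header-bound value
 * is the only way to start a second header, so treat it as an attack and
 * refuse the request instead of trying to repair the value. preg_match()
 * returning false (engine error) is also treated as unsafe.
 */
function isSingleHeaderLine(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

function isSafeAddress(string $value): bool
{
    return isSingleHeaderLine($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Validate a posted contact form. Returns error messages; an empty array
 * means every header-bound field is a single clean line and the address
 * parses. Body text is left alone: PHPMailer writes the body after the
 * headers, so a line break there cannot add recipients.
 */
function validateContactPost(array $post): array
{
    $errors = [];
    foreach (['name', 'subject'] as $field) {
        if (!isSingleHeaderLine($post[$field] ?? '')) {
            $errors[] = "$field contains a line break";
        }
    }
    if (!isSafeAddress($post['email'] ?? '')) {
        $errors[] = 'email is not a single valid address';
    }
    if (trim($post['message'] ?? '') === '') {
        $errors[] = 'message is empty';
    }
    return $errors;
}

// Constructed sample: an "email" value that smuggles a Bcc header and a body.
$evil = "victim@example.com\r\nBcc: a@example.net, b@example.net\r\n\r\nSPAM";

// Denylist: the Bcc line is removed and whatever is left is silently accepted.
var_dump(stripHeaderTokens($evil));

// Reject check: one decision, with the reason.
var_dump(validateContactPost(['name' => 'Alice', 'email' => $evil,
                              'subject' => 'Hello', 'message' => 'Hi']));

// Legitimate body text containing "from:" passes the reject check untouched;
// the denylist would have cut the word out of the message.
var_dump(validateContactPost(['name' => 'Bob', 'email' => 'bob@example.org',
                              'subject' => 'Question',
                              'message' => 'Quoting the mail from: Alice']));
```

Run with the php CLI: the first var_dump shows the denylist handing back the address with the smuggled body glued onto it and no error, while validateContactPost() returns a single error for the same input. Two caveats on the denylist itself: $_POST values are already URL-decoded by PHP, so the '%0a' and '%0d' patterns only ever see double-encoded input, and 'to:.*' and 'from:' also hit ordinary English in a message body. What decides whether injection is possible is which fields reach a header, so if the form's address is ever copied into From or Reply-To it has to go through something like isSafeAddress() first.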



Re: Stopping Contact Form Injection?

2008-01-15 Thread Dr. Tarique Sani

Use the v1.2 email component; it has so far proved to be email header
injection safe, and it does so automagically.

That said, if I am not mistaken PHPMailer also has a method for
sanitizing headers.

HTH
Tarique


-- 
=
Cheesecake-Photoblog: http://cheesecake-photoblog.org
PHP for E-Biz: http://sanisoft.com
=




Re: Stopping Contact Form Injection?

2008-01-15 Thread Keith

One trick is not CakePHP related, but you can check to be certain the
request came from a page or domain that hosts the form. I've done
that in the past and had no problems. You can also pass to the form a
key that you validate prior to sending the mail. Again, non-CakePHP
related, but it definitely will stop spammers.

- Keith

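An added example (mine, not from the thread and not CakePHP's own component code) showing both of Keith's suggestions in plain PHP (7.1 or later): a form key that is an HMAC over the session id and an expiry time, validated before mail is sent, plus a Referer/Origin check of the kind he describes. Everything in it is assumed for illustration: a long random $secret kept outside the web root, PHP sessions, a 15-minute token lifetime and the host name www.example.com.

```php
<?php
// Added example, not from the thread. Assumptions (mine): $secret is a long
// random value stored outside the web root, sessions are in use, tokens
// live 15 minutes, and the site is served as www.example.com.

const FORM_TOKEN_TTL = 900;

/**
 * Mint the token for the hidden field. The HMAC covers the session id, so a
 * token minted in one session is useless from a bot's own session, and the
 * expiry, so a harvested token cannot be replayed for weeks.
 */
function issueFormToken(string $secret, string $sessionId, int $now): string
{
    $expires = $now + FORM_TOKEN_TTL;
    $mac = hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
    return $expires . '.' . $mac;
}

/** Markup for the view: the token travels as a hidden input. */
function formTokenField(string $token): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/** Check a submitted token against this session and the clock. */
function verifyFormToken(string $token, string $secret, string $sessionId, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false;                        // stale token
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
    return hash_equals($expected, $mac);     // constant-time comparison
}

/**
 * Keith's other trick: does the request claim to come from our own site?
 * Origin and Referer are sent by the client, so a bot can forge them and
 * some browsers omit them; use a mismatch as a reason to reject, never a
 * match as proof. The token above is what actually carries the decision.
 */
function refererLooksLocal(array $server, string $ourHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

/** Gate in front of the action that sends the mail. */
function contactFormIsAuthorised(array $post, array $server, string $secret,
                                 string $sessionId, string $ourHost, int $now): bool
{
    return isset($post['form_token'])
        && is_string($post['form_token'])
        && verifyFormToken($post['form_token'], $secret, $sessionId, $now)
        && refererLooksLocal($server, $ourHost);
}

// Constructed walk-through with a fixed clock and session id in place of
// time() and session_id().
$secret  = 'replace-with-a-long-random-value';
$session = 'abc123';
$t0      = 1700000000;
$server  = ['HTTP_REFERER' => 'https://www.example.com/contact'];
$host    = 'www.example.com';

$token = issueFormToken($secret, $session, $t0);
echo formTokenField($token), "\n";

// Genuine submission a minute later, then: another session replaying the
// token, the same session after expiry, and a bot that skipped the form.
var_dump(contactFormIsAuthorised(['form_token' => $token], $server, $secret, $session, $host, $t0 + 60));
var_dump(contactFormIsAuthorised(['form_token' => $token], $server, $secret, 'other', $host, $t0 + 60));
var_dump(contactFormIsAuthorised(['form_token' => $token], $server, $secret, $session, $host, $t0 + 1000));
var_dump(contactFormIsAuthorised([], $server, $secret, $session, $host, $t0));
```

In a Cake 1.1 controller the issue call belongs in the action that renders the form and the check in the action that sends, with session_id() and time() replacing the fixed values. Only the first of the four checks succeeds; the Referer test is kept as a cheap extra filter, not as the thing that stops a determined spammer.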



Stopping Contact Form Injection?

2008-01-15 Thread squidliberty

I have reason to believe that my contact form is being used to send
bulk spam via an injection exploit. I'm using the PHPMailer component
outlined at 
http://bakery.cakephp.org/articles/view/sending-email-with-phpmailer.

Can anyone tell me whether or not a simple cleanArray() is sufficient
sanitization for posted data? My headers are all hard-coded, so
everything submitted is going into the email body.

Any advice would be appreciated!