Re: Stopping Contact Form Injection?
http://bin.cakephp.org/view/510577541 is what I have used in some cake 1.1 sites

On Jan 16, 2008 8:28 PM, Samuel DeVore <[EMAIL PROTECTED]> wrote:
> I have some code I got somewhere as well I'll go dig it up
>
> Sam D
>
> On Jan 16, 2008 8:14 PM, squidliberty <[EMAIL PROTECTED]> wrote:

--
(the old fart) the advice is free, the lack of crankiness will cost you

- its a fine line between a real question and an idiot

http://blog.samdevore.com/archives/2007/03/05/when-open-source-bugs-me/

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en -~--~~~~--~~--~--~---
Re: Stopping Contact Form Injection?
I have some code I got somewhere as well I'll go dig it up

Sam D

On Jan 16, 2008 8:14 PM, squidliberty <[EMAIL PROTECTED]> wrote:

--
(the old fart) the advice is free, the lack of crankiness will cost you

- its a fine line between a real question and an idiot

http://blog.samdevore.com/archives/2007/03/05/when-open-source-bugs-me/
Re: Stopping Contact Form Injection?
Well, I can't move to 1.2 on production sites, but I did take a look at its API and got some ideas. Here is what I added to my PHPMailer component, in case anyone else needs something similar.

    function cleanArray(&$toClean) {
        $sanitize = new Sanitize();
        // URL-encoded and literal line breaks, plus the header names that
        // header-injection attempts usually try to smuggle in
        $header_bits = array('/%0a/i', '/%0d/i', '/Content-Type\:/i',
            '/Content\-Transfer\-Encoding\:/i', '/charset\=/i', '/mime-version\:/i',
            '/multipart\/mixed/i', '/bcc\:.*/i', '/to\:.*/i', '/cc\:.*/i', '/from\:/i',
            '/\\r/i', '/\\n/i');

        if (is_array($toClean)) {
            foreach ($toClean as $k => $v) {
                if (is_array($toClean[$k])) {
                    // recurse into nested form data
                    $this->cleanArray($toClean[$k]);
                } else {
                    $v = $sanitize->cleanValue($v);
                    $toClean[$k] = preg_replace($header_bits, '', $v);
                }
            }
        } else {
            return null;
        }
    }

Now, I can just use $this->Email->cleanArray() instead of $sanitize->cleanArray().
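A stricter alternative for the fields that end up in mail headers, as an added example that is not code from the thread, CakePHP or PHPMailer: reject any single-line field that carries a CR, LF or NUL instead of stripping a list of known header names, and let only the message body be multi-line. The field names and function names are assumptions for this example.

```php
<?php
// Added example, not code from the thread or from CakePHP/PHPMailer.
// Fields that land in mail headers (name, e-mail, subject) must be single-line,
// so any CR, LF or NUL is a reason to refuse the submission rather than to
// strip known header names out of it. The body may contain line breaks.
// Field names are assumptions.

function isHeaderSafe($value)
{
    // preg_match returns 0 when no CR/LF/NUL is present, 1 when one is found.
    return is_string($value) && preg_match('/[\r\n\x00]/', $value) === 0;
}

function validateContactInput(array $post)
{
    $errors = array();
    foreach (array('name', 'email', 'subject') as $field) {
        $value = isset($post[$field]) ? $post[$field] : '';
        if ($value === '' || !isHeaderSafe($value)) {
            $errors[$field] = 'missing or contains a line break';
        }
    }
    if (!isset($errors['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    }
    // The body is multi-line by nature; only a NUL byte is refused here.
    $message = isset($post['message']) ? $post['message'] : '';
    if (!is_string($message) || strpos($message, "\0") !== false) {
        $errors['message'] = 'invalid body';
    }
    return $errors; // an empty array means the input may go to the mailer
}

// Constructed sample submissions: one clean, one with a line break in the
// subject field, which a contact form should never forward to the mailer.
$clean = array('name' => 'Jane', 'email' => 'jane@example.com',
               'subject' => 'Hello', 'message' => "line 1\nline 2");
$broken = $clean;
$broken['subject'] = "Hello\r\nsecond line";

foreach (array('clean' => $clean, 'broken' => $broken) as $label => $input) {
    $errors = validateContactInput($input);
    echo $label, ': ', ($errors ? implode(', ', array_keys($errors)) : 'ok'), "\n";
}
```

Rejecting the request on a failed check, rather than silently sending a cleaned-up version, also gives you a log line to count when you suspect the form is being abused.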
Re: Stopping Contact Form Injection?
Use the V1.2 email component, it has so far proved to be email header injection safe and it does so automagically. That said, if I am not mistaken PHPMailer also has a method for sanitizing headers.

HTH
Tarique

On Jan 16, 2008 8:59 AM, squidliberty <[EMAIL PROTECTED]> wrote:

--
=
Cheesecake-Photoblog: http://cheesecake-photoblog.org
PHP for E-Biz: http://sanisoft.com
=
Re: Stopping Contact Form Injection?
One trick is not cakePHP related, but you can check to be certain the request came from a page or domain that hosts the form. I've done that in the past and had no problems. You can also pass to the form a key that you validate prior to sending the mail. Again, non-cakePHP related, but definitely will stop spammers.

- Keith

On Jan 15, 10:29 pm, squidliberty <[EMAIL PROTECTED]> wrote:
Stopping Contact Form Injection?
I have reason to believe that my contact form is being used to send bulk spam via an injection exploit. I'm using the PHPMailer component outlined at http://bakery.cakephp.org/articles/view/sending-email-with-phpmailer.

Can anyone tell me whether or not a simple cleanArray() is sufficient sanitization for posted data? My headers are all hard-coded, so everything submitted is going into the email body.

Any advice would be appreciated!