Re: [PHP] [Q] mail() security
On Mon, April 4, 2005 2:00 pm, Eric Gorr said:
> I wanted to set up a good 'contact me' page on my website. I do not want to reveal my e-mail address, so I was going to use a form. The PHP script with the actual mail() function would define the To and Subject parameters, so these could not be faked. I also plan to use a captcha.

A what?

> The only concern I had was how to process the body text. Any recommendations? One useful function would appear to be strip_tags, so no one could embed annoying or destructive HTML, etc. which I may accidentally cause my e-mail application to render.

It's possible, though extremely unlikely, that somebody could construct a malicious email that passes through strip_tags and/or htmlentities and still does something *bad* for your particular email application.

htmlentities is going to be safe, but will convert HTML enhanced (cough, cough) email into a bunch of junk you can't even read. Which might be a morally correct thing to do with HTML email anyway, but probably not all that useful to even send it at that point.

Since you anticipate such a low volume, and seem concerned that you will lose valuable info from an HTML-enhanced email, perhaps you should log the original and provide a link to view it in the email you send to yourself. So if you REALLY need that enhanced email, you can surf to it. Of course, then your web-server/browser might be attacked by their code you are viewing/executing (JavaScript).

You may also want to consider using a throttle on the form based on $_SERVER['REMOTE_ADDR'] and if more than X emails are sent in Y hours from the same IP, refuse to send it and send them to an error page. I do this on sites where I forward blind emails to others, so they can't get (easily) attacked with a DOS attack on their email by a script kiddie. Certainly, it can be defeated by somebody who knows how to change their IP, but it's a small hurdle to weed out some of the more clueless folks who want to try to abuse your form.

You could also send them a Cookie, again easily defeated by the clueful, as well as checking their IP to add another hurdle.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
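Richard's per-IP throttle, written out as working PHP. This is an added example, not code from the thread or from any participant. It assumes a writable JSON file under the system temp directory as the store, picks 5 messages per hour as the X and Y values the message leaves open, and the function name throttle_allows() is this example's own.

```php
<?php
// Added example (not from the thread): refuse to send when more than
// THROTTLE_MAX messages have arrived from one REMOTE_ADDR within
// THROTTLE_WINDOW seconds. Storage path, limits and function name are
// this example's own assumptions, not anything the thread specifies.

define('THROTTLE_FILE', sys_get_temp_dir() . '/contact_throttle.json');
define('THROTTLE_MAX', 5);          // X: messages allowed per window
define('THROTTLE_WINDOW', 3600);    // Y: window length in seconds (1 hour)

/**
 * Record one submission from $ip and report whether the sender is still
 * within the allowed rate. Returns true if the message may be sent.
 */
function throttle_allows(string $ip, ?int $now = null): bool
{
    $now = $now ?? time();
    // 'c+' opens read/write, creates the file if missing, never truncates.
    $fh = fopen(THROTTLE_FILE, 'c+');
    if ($fh === false) {
        // Fail closed: if senders cannot be tracked, do not send.
        return false;
    }
    flock($fh, LOCK_EX);
    $raw = stream_get_contents($fh);
    $log = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    // Drop timestamps that have aged out of the window, for every IP,
    // so the file does not grow without bound.
    $cutoff = $now - THROTTLE_WINDOW;
    foreach ($log as $addr => $times) {
        $log[$addr] = array_values(array_filter($times, fn($t) => $t > $cutoff));
        if ($log[$addr] === []) {
            unset($log[$addr]);
        }
    }

    $count   = count($log[$ip] ?? []);
    $allowed = $count < THROTTLE_MAX;
    if ($allowed) {
        $log[$ip][] = $now;   // count this submission against the sender
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($log));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage in the form handler: key on REMOTE_ADDR as the thread suggests.
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!throttle_allows($ip)) {
    header('Location: /contact-error.html');   // send them to an error page
    exit;
}
// Otherwise fall through to the CAPTCHA check and the mail() call.
```

REMOTE_ADDR is the peer address as the web server sees it, so behind a reverse proxy every request will share one address and the throttle will fire for everyone; read the proxy's forwarded-address header instead in that deployment. As Richard notes, a sender who can change address walks around this; it is a speed bump against careless abuse, not a replacement for the CAPTCHA.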
Re: [PHP] [Q] mail() security
Richard Lynch wrote:
> On Mon, April 4, 2005 2:00 pm, Eric Gorr said:
>> I wanted to set up a good 'contact me' page on my website. I do not want to reveal my e-mail address, so I was going to use a form. The PHP script with the actual mail() function would define the To and Subject parameters, so these could not be faked. I also plan to use a captcha.
>
> A what?

http://en.wikipedia.org/wiki/Captcha

It is a common technique that I didn't know the official name of for a long time either.

>> The only concern I had was how to process the body text. Any recommendations? One useful function would appear to be strip_tags, so no one could embed annoying or destructive HTML, etc. which I may accidentally cause my e-mail application to render.
>
> It's possible, though extremely unlikely, that somebody could construct a malicious email that passes through strip_tags and/or htmlentities and still does something *bad* for your particular email application.

Can you give an example?

If this would involve taking advantage of some unknown bug in the particular e-mail application I am using, well, I have considered it and since I could be affected via the form or not, I choose to not worry about it.

> Since you anticipate such a low volume, and seem concerned that you will lose valuable info from an HTML-enhanced email, perhaps you should log the original and provide a link to view it in the email you send to yourself.

I am actually not concerned about strip_tags removing useful text...it should be quite obvious that such a thing happened and it would be trivial for me to simply contact the person sending the mail to obtain that useful text (and, of course, to yell at them for sending me HTML :-).

> So if you REALLY need that enhanced email, you can surf to it. Of course, then your web-server/browser might be attacked by their code you are viewing/executing (JavaScript).
>
> You may also want to consider using a throttle on the form based on $_SERVER['REMOTE_ADDR'] and if more than X emails are sent in Y hours from the same IP, refuse to send it and send them to an error page.

This is why I plan to use a captcha...when used properly, it can be quite effective against such attacks. Still, what you suggest is an enhancement I will likely implement as well. Thanks for the suggestion.

--
== Eric Gorr = http://www.ericgorr.net = ICQ:9293199 ==
Those who would sacrifice a little freedom for temporal safety deserve neither to be safe or free. -- Benjamin Franklin
== Insults, like violence, are the last refuge of the incompetent... ===
Re: [PHP] [Q] mail() security
On Tue, April 5, 2005 9:22 pm, Eric Gorr said:
>> It's possible, though extremely unlikely, that somebody could construct a malicious email that passes through strip_tags and/or htmlentities and still does something *bad* for your particular email application.
>
> Can you give an example?

No, I merely meant theoretically possible in the sense that of all the possible combinations of characters in the universe, *one* of them could do something nasty to your email client, even after strip_tags.

--
Like Music?
http://l-i-e.com/artists.htm
[PHP] [Q] mail() security
I wanted to set up a good 'contact me' page on my website. I do not want to reveal my e-mail address, so I was going to use a form. The PHP script with the actual mail() function would define the To and Subject parameters, so these could not be faked. I also plan to use a captcha.

The only concern I had was how to process the body text. Any recommendations?

One useful function would appear to be strip_tags, so no one could embed annoying or destructive HTML, etc. which I may accidentally cause my e-mail application to render.

Any other suggestions?
RE: [PHP] [Q] mail() security
Eric Gorr mailto:[EMAIL PROTECTED] on Monday, April 04, 2005 2:01 PM said:
> The only concern I had was how to process the body text. Any recommendations? One useful function would appear to be strip_tags, so no one could embed annoying or destructive HTML, etc. which I may accidentally cause my e-mail application to render. Any other suggestions?

Maybe:

www.php.net/addslashes
www.php.net/htmlentities

Whatever you do, don't strip out line breaks. I find it really annoying when I neatly format (read: use paragraphs) a message in a contact form just to find out that all those pretty line breaks are removed, turning my nice message into a difficult-to-read blob.

Chris.
Re: [PHP] [Q] mail() security
Chris W. Parker wrote:
> www.php.net/addslashes

I am uncertain what dangerous/annoying things might happen if I did not call this function. Can you come up with any? Remember, the text being processed goes straight from $_POST[ 'body' ] through strip_tags (+ more?) into mail(). It would seem that addslashes would just make the body text look messy for no reason.

> www.php.net/htmlentities

It seems as if strip_tags strips out everything that htmlentities would change and would therefore be unnecessary.

--
== Eric Gorr === http://www.ericgorr.net ===
The more you study, the more you know. The more you know, the more you forget. The more you forget, the less you know. So, why study? - ???
== Insults, like violence, are the last refuge of the incompetent... ===
Re: [PHP] [Q] mail() security
Eric Gorr wrote:
> Any other suggestions?

Well, see this example:

    function clean_body($body_text)
    {
        // If magic_quotes_gpc is on, strip the slashes PHP added to the POST value
        if (ini_get('magic_quotes_gpc')) {
            $body_text = stripslashes($body_text);
        }
        // Encode HTML special characters and return the cleaned value
        return htmlentities($body_text);
    }

This is a good way to start, I think. Filtering the input first would be a nice idea too, especially if there're more input fields ;-)

--
Josip Dzolonga
http://josip.dotgeek.org
jdzolonga[at]gmail.com
RE: [PHP] [Q] mail() security
Eric Gorr mailto:[EMAIL PROTECTED] on Monday, April 04, 2005 3:13 PM said:
> Remember, the text being processed goes straight from $_POST[ 'body' ] through strip_tags (+ more?) into mail().

Remember? You didn't mention this in your original email, so how could I be told to recall this information?

In your specific case addslashes() is probably not necessary.

> It seems as if strip_tags strips out everything that htmlentities would change and would therefore be unnecessary.

strip_tags() and htmlentities() both perform separate functions (hence they have different names). htmlentities() encodes special characters, strip_tags() strips HTML from a string. One example is the following:

Original: b/b
With strip_tags applied:
With htmlentities applied: amp;

It may or may not be necessary for you.

Chris.
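The clean_body() function Josip posted and the strip_tags/htmlentities distinction Chris draws, worked into one complete form handler. This is an added example, not code from the thread or from any participant: the function names, the constructed sample message and the placeholder recipient address are this example's own assumptions. It keeps Chris's request that line breaks survive, and keeps To and Subject fixed in the script as the original poster planned, so user text reaches only the body argument of mail().

```php
<?php
// Added example (not from the thread). Function names, sample input and the
// placeholder address are this example's own assumptions.

// Undo magic_quotes_gpc escaping when that setting is on (PHP < 5.4), as
// the thread's clean_body() does. ini_get() returns false for a directive
// that no longer exists, so this is a no-op on modern PHP.
function unescape_post_value(string $text): string
{
    return ini_get('magic_quotes_gpc') ? stripslashes($text) : $text;
}

// Normalise CRLF / CR to LF but keep every line break, so paragraphs the
// sender typed survive into the mail body.
function keep_line_breaks(string $text): string
{
    return preg_replace("/\r\n?/", "\n", $text);
}

// Variant 1: remove markup entirely. The mail client receives no tags at
// all, at the cost of losing any text that happened to look like a tag.
function clean_body_strip(string $body): string
{
    $body = unescape_post_value($body);
    $body = strip_tags($body);
    return keep_line_breaks($body);
}

// Variant 2: encode markup instead of removing it. Nothing is lost, but
// '<', '>', '&' and quotes arrive as entities, which is the "messier" body
// the thread debates. ENT_QUOTES and an explicit charset avoid relying on
// the defaults.
function clean_body_encode(string $body): string
{
    $body = unescape_post_value($body);
    $body = htmlentities($body, ENT_QUOTES, 'UTF-8');
    return keep_line_breaks($body);
}

// Constructed sample input: a tag, an ampersand and two paragraphs.
$sample = "Hello,\r\n\r\nI liked <b>this & that</b> on your site.\r\n";

echo "strip_tags variant:\n", clean_body_strip($sample), "\n";
echo "htmlentities variant:\n", clean_body_encode($sample), "\n";

// Sending: To and Subject are constants in the script, so the only
// user-supplied text in the call is the cleaned body. Nothing from $_POST
// is placed in the headers argument.
$to      = 'you@example.invalid';          // placeholder, not a real address
$subject = 'Contact form message';
$body    = clean_body_strip($_POST['body'] ?? '');
if (trim($body) !== '') {
    mail($to, $subject, $body);
}
```

On the sample, the strip_tags variant drops the `<b>` and `</b>` tags and leaves the bare ampersand, while the htmlentities variant keeps the tags but as `&lt;b&gt;`, `&lt;/b&gt;` and `&amp;`; both keep the blank line between paragraphs. That is the whole difference the thread is weighing: the first is unreadable only where the sender wrote markup, the second is noisier everywhere a special character appears but loses nothing.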
Re: [PHP] [Q] mail() security
Chris W. Parker wrote:
>> It seems as if strip_tags strips out everything that htmlentities would change and would therefore be unnecessary.
>
> strip_tags() and htmlentities() both perform separate functions (hence they have different names). htmlentities() encodes special characters, strip_tags() strips HTML from a string. One example is the following:
>
> Original: b/b
> With strip_tags applied:
> With htmlentities applied: amp;
>
> It may or may not be necessary for you.

What dangerous/annoying things might happen if I did not pass the text intended for the body parameter of the mail function through htmlentities? (But did pass it through strip_tags.) I cannot come up with anything.
Re: [PHP] [Q] mail() security
Josip Dzolonga wrote:
> Eric Gorr wrote:
>> Any other suggestions?
>
> Well, see this example:
>
>     function clean_body($body_text)
>     {
>         // If magic_quotes_gpc is on, strip the slashes PHP added to the POST value
>         if (ini_get('magic_quotes_gpc')) {
>             $body_text = stripslashes($body_text);
>         }
>         // Encode HTML special characters and return the cleaned value
>         return htmlentities($body_text);
>     }
>
> This is a good way to start, I think. Filtering the input first would be a nice idea too, especially if there're more input fields ;-)

htmlentities would potentially make the body text messier than seems necessary. Shouldn't strip_tags be enough? What dangerous/annoying things might happen if I replaced htmlentities with strip_tags in the above function and then passed the body text to the mail() function?

I do not mind overdoing it and potentially getting rid of useful text in the body (strip_tags could do this). People, in general, will not be using this form to contact me often enough for it to matter.
Re: [PHP] [Q] mail() security
Eric Gorr wrote:
> Shouldn't strip_tags be enough? What dangerous/annoying things might happen if I replaced htmlentities with strip_tags in the above function and then passed the body text to the mail() function?

Nothing, but with htmlentities() you can be sure if the user has tried to inject something malicious :-).

--
Josip Dzolonga
http://josip.dotgeek.org
jdzolonga[at]gmail.com
RE: [PHP] [Q] mail() security
Eric Gorr mailto:[EMAIL PROTECTED] on Monday, April 04, 2005 3:48 PM said:
> htmlentities would potentially make the body text messier than seems necessary.

Then just use strip_tags() and be done with it. It's not like nuclear missiles are going to be launched via your email form if you use the wrong function. Or, in a less extreme case, your computer gets hijacked and used to send spam because you used htmlentities() instead of strip_tags().
Re: [PHP] [Q] mail() security
Chris W. Parker wrote:
> Or, in a less extreme case, your computer gets hijacked and used to send spam because you used htmlentities() instead of strip_tags().

Well, this is why I asked the question to begin with. I am concerned (as everyone _should_ be) about such things and desire to do my best to prevent them.

Now, as near as I can tell, strip_tags is the only thing one really needs to do to be safe. But, one can use htmlentities to potentially preserve useful text, if it is important to do so and still remain safe - with the downside being having a messier body than may be necessary.
Re: [PHP] [Q] mail() security
Eric,

It sounds like you just need to do some reading on best practices of security when writing php code. It's pretty vast what one can do when trying to hack a php application and, depending on what php server settings are set, you may need to do certain things. I'd suggest reading / googling php security and viewing pages like the following to answer your question. It may only answer your question in the long run, but there are many more things to know about besides htmlentities to make sure your application is secure. I actually need to do some reading about them once in a while.

http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

Also events like the following are good to go to, especially if you can get your company to pay for them.

http://www.osevents.com/page5.html?

Eric Gorr wrote:
> Chris W. Parker wrote:
>> Or, in a less extreme case, your computer gets hijacked and used to send spam because you used htmlentities() instead of strip_tags().
>
> Well, this is why I asked the question to begin with. I am concerned (as everyone _should_ be) about such things and desire to do my best to prevent them.
>
> Now, as near as I can tell, strip_tags is the only thing one really needs to do to be safe. But, one can use htmlentities to potentially preserve useful text, if it is important to do so and still remain safe - with the downside being having a messier body than may be necessary.
Re: [PHP] [Q] mail() security
Anthony Tippett wrote:
> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

Thank you for the suggestion.
Re: [PHP] [Q] mail() security
Anthony Tippett wrote:
> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

Actually, I am familiar with everything this document mentions. Unfortunately, this document does not discuss what one might need to be concerned about when passing text to the body parameter of the mail() function.

If you have any comments with respect to this (which was my only concern in the original message), please let me know. I haven't found any articles which address this particular issue, which is why I posted the question.