
Re: My contact form is not emailed to me

From "P E Schoen" <paul@pstech-inc.com>
Newsgroups comp.lang.php
Subject Re: My contact form is not emailed to me
Date 2011-04-21 04:04 -0400
Organization Aioe.org NNTP Server
Message-ID <ioooe5$pbr$1@speranza.aioe.org> (permalink)
References (11 earlier) <iojo5j$jpo$1@dont-email.me> <ion660$6je$1@speranza.aioe.org> <ionh8d$qbc$1@dont-email.me> <ions8c$1j2$1@speranza.aioe.org> <ioo965$qfj$1@dont-email.me>



"Jerry Stuckle"  wrote in message news:ioo965$qfj$1@dont-email.me...

> Subject does not require an "authorized name".  It can easily be
> used for injection.

Here is how I perform the authentication of the name and email, and the 
password:

// $in holds the submitted form fields; $Passcodes maps lower-cased full
// names to the email address each one must supply; HTMLdie() is the
// script's error-page helper, defined elsewhere.
if ( !array_key_exists( strtolower( $in['Full_Name'] ), $Passcodes ) ) {
    HTMLdie( "Incorrect Full Name " . htmlspecialchars( $in['Full_Name'] ),
             "Authentication failed\n" );
}
// Strict comparison: == would treat numeric-looking strings as equal.
if ( $Passcodes[ strtolower( $in['Full_Name'] ) ] !== strtolower( $in['Email'] ) ) {
    HTMLdie( "Incorrect Email " . htmlspecialchars( $in['Email'] ),
             "Authentication failed\n" );
}
if ( $in['Reference'] !== "My Secret Password" ) {
    HTMLdie( "Incorrect Entry", "Authentication failed\n" );
}

> Hackers often look for sites like yours they can use to spread their
> spam - because they are typically the least secure due to attitudes
> like yours.

What attitude? I'm just asking specifically how my site is not (at least 
reasonably) secure.

> As I said - your subject line is still open to hacking.

I understand that may be the case if the user is permitted to enter anything 
for the subject line. But that is not the case. My subject line is formed as 
follows:

$subject = "Form data from {$in['Full_Name']}";

I really don't see how anything malicious can be added to that. The 
$in['Full_Name'] variable has been authenticated, and it cannot be anything 
other than the hard coded keys of the $Passcodes array.  I'm trying to 
understand this, and if you could explain how this can be hacked it will be 
very helpful to me and possibly others. Otherwise I think you are just 
making some general assumptions or trying to scare me and other beginners 
away from writing PHP scripts, and possibly paying for your services or 
those of other professionals.

> Others have tried to point you in the right direction, but you seem
> to be uninterested in learning the necessary skills to create a
> secure website.

I am trying to learn those techniques, but without an explanation for how my 
script can be hacked, I don't know how to proceed.

> And it really isn't that hard for hackers to guess userids and
> passwords - even easier if they can intercept your non-secure
> logins.

That may be, but in that case the hacker would only be able to send emails 
to me with garbage or malicious content in the body, and that will have been 
"purified" to acceptable HTML, so I doubt that it will contain anything 
truly dangerous. However, I suppose I should enforce a limit to the size of 
the content.

Paul 
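The points argued in this exchange (whether a subject built from a whitelisted key can carry a header injection, constant-time checks on the name/email/password, and the body-size limit Paul says he should add) can be shown in one script. This is an added example, not Paul's or Jerry's code; the `$Passcodes` entries, the reference secret, the size limits and the two test submissions are all constructed, and it assumes PHP 7.1 or later for the `?string` return types, `hash_equals()` and `password_verify()`.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+.
declare(strict_types=1);

const MAX_BODY_BYTES  = 8192;  // constructed limit on the message body
const MAX_HEADER_CHARS = 200;  // constructed limit on any header value

// Constructed stand-in for the poster's $Passcodes whitelist (name => email).
$Passcodes = [
    'jane doe' => 'jane@example.com',
    'john roe' => 'john@example.com',
];

// Constructed stand-in for the shared "Reference" password. Keeping a
// password_hash() result rather than the plaintext means a leaked script
// does not leak the secret itself.
$referenceHash = password_hash('demo-reference-secret', PASSWORD_DEFAULT);

/**
 * A mail header value must be a single line: any CR, LF or other control
 * character would end the header and let a new one begin, which is the
 * "injection" being discussed. Length is capped as well.
 */
function header_value_is_safe(string $value): bool
{
    if (strlen($value) > MAX_HEADER_CHARS) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Authenticate a submission. Returns the whitelisted key on success (never
 * the raw input), or null on any failure. All failures look the same so
 * the error page does not reveal which field was wrong.
 */
function authenticate(array $in, array $passcodes, string $referenceHash): ?string
{
    foreach (['Full_Name', 'Email', 'Reference'] as $field) {
        if (!isset($in[$field]) || !is_string($in[$field])) {
            return null;
        }
    }
    $name  = strtolower(trim($in['Full_Name']));
    $email = strtolower(trim($in['Email']));

    if (!array_key_exists($name, $passcodes)) {
        return null;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    if (!hash_equals($passcodes[$name], $email)) {
        return null;
    }
    if (!password_verify($in['Reference'], $referenceHash)) {
        return null;
    }
    return $name;
}

/**
 * Build the subject and body for mail(). The subject is derived from the
 * whitelisted key, exactly as in the thread, and is still run through
 * header_value_is_safe() so that a later change to where $name comes from
 * cannot silently reopen the hole. The body gets the size limit.
 */
function build_message(string $name, string $body): ?array
{
    $subject = "Form data from {$name}";
    if (!header_value_is_safe($subject)) {
        return null;
    }
    if (strlen($body) > MAX_BODY_BYTES) {
        return null;
    }
    return ['subject' => $subject, 'body' => $body];
}

// Constructed submissions: one valid, one whose name contains a line break.
$good = ['Full_Name' => 'Jane Doe', 'Email' => 'JANE@example.com',
         'Reference' => 'demo-reference-secret'];
$bad  = ['Full_Name' => "Jane Doe\r\nsecond line", 'Email' => 'jane@example.com',
         'Reference' => 'demo-reference-secret'];

$name = authenticate($good, $Passcodes, $referenceHash);   // 'jane doe'
if ($name !== null) {
    $msg = build_message($name, 'Hello from the contact form.');
    var_dump($name, $msg['subject']);
}
var_dump(authenticate($bad, $Passcodes, $referenceHash));  // NULL: not a whitelist key
var_dump(header_value_is_safe($bad['Full_Name']));         // false: control characters
```

The second submission shows both sides of the argument at once: the whitelist lookup rejects it before a subject is ever built, which is Paul's point, while `header_value_is_safe()` on the raw field shows what would have to be checked if the subject were ever built from user input directly, which is Jerry's.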
