| Started by | nathanir <rajeshn923@gmail.com> |
|---|---|
| First post | 2011-04-16 00:36 -0700 |
| Last post | 2011-04-22 08:23 -0500 |
| Articles | 20 on this page of 34 — 8 participants |
My contact form is not emailed to me nathanir <rajeshn923@gmail.com> - 2011-04-16 00:36 -0700
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-16 10:04 -0400
Re: My contact form is not emailed to me nathanir <rajeshn923@gmail.com> - 2011-04-16 07:36 -0700
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-16 16:11 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-16 16:25 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-16 17:40 -0400
Re: My contact form is not emailed to me nathanir <rajeshn923@gmail.com> - 2011-04-17 10:27 -0700
Re: My contact form is not emailed to me "MG" <nospam@nospam.com> - 2011-04-17 21:58 +0200
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-17 16:39 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-18 22:30 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-18 22:58 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-19 00:33 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-19 06:29 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-20 13:46 -0400
Re: My contact form is not emailed to me The Natural Philosopher <tnp@invalid.invalid> - 2011-04-20 18:51 +0100
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-20 16:41 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-20 16:59 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-20 16:55 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-20 19:58 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-20 23:44 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-21 04:04 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-21 06:29 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-21 04:31 -0400
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-21 06:32 -0400
Re: My contact form is not emailed to me crankypuss <no@email.thanks> - 2011-04-21 04:37 -0600
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-21 13:42 -0400
Re: My contact form is not emailed to me "Mr. B-o-B" <mr.chew.baka@gmail.com> - 2011-04-21 15:21 -0500
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-21 20:04 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-22 00:45 -0400
Re: My contact form is not emailed to me The Natural Philosopher <tnp@invalid.invalid> - 2011-04-22 11:07 +0100
Re: My contact form is not emailed to me Jerry Stuckle <jstucklex@attglobal.net> - 2011-04-22 07:07 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-22 15:28 -0400
Re: My contact form is not emailed to me "P E Schoen" <paul@pstech-inc.com> - 2011-04-23 04:32 -0400
Re: My contact form is not emailed to me "Peter H. Coffin" <hellsop@ninehells.com> - 2011-04-22 08:23 -0500
| From | nathanir <rajeshn923@gmail.com> |
|---|---|
| Date | 2011-04-16 00:36 -0700 |
| Subject | My contact form is not emailed to me |
| Message-ID | <313821d5-bcc3-4395-917e-1ae187015483@18g2000prd.googlegroups.com> |
I have a contact form on my contact page. I can fill in the form and
when I click the submit button, I am redirected to the success page
but I don't receive an email. I did a test with a simple php mail test
form and that works! I have been at it for some time trying to find
the error. Please help.
The relevant code is (for the contact form):
```html
<form action="process-form.php" method="post" enctype="application/x-www-form-urlencoded" target="_blank" id="formMail">
<p><span id="textNameField">
<label for="name"></label>
<input type="text" name="name" id="name" />
<span class="textfieldRequiredMsg">A value is required.</span><span class="textfieldMinCharsMsg">Minimum number of characters not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum number of characters.</span></span><span id="textEmailField"><br />
<br />
<label for="email"></label>
<input type="text" name="email" id="email" />
<span class="textfieldRequiredMsg">A value is required.</span><span class="textfieldInvalidFormatMsg">Invalid format.</span><span class="textfieldMinCharsMsg">Minimum number of characters not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum number of characters.</span></span>
</p>
<p> </p>
<p><span id="SelectionText">
<label for="select">Purpose</label>
<select name="select" id="select">
<option value="Appointment" selected="selected">Appointment</option>
<option value="Comment">Comment</option>
<option value="Question">Question</option>
</select>
<span class="selectRequiredMsg">Please select an item.</span></span></p>
<p><span id="textinput">
<textarea name="textinput" id="textinput" cols="45" rows="5"></textarea>
<span id="countsprytextarea1"> </span><span class="textareaRequiredMsg">A value is required.</span><span class="textareaMinCharsMsg">Minimum number of characters not met.</span><span class="textareaMaxCharsMsg">Exceeded maximum number of characters.</span></span></p>
<p>
<input type="submit" name="submit" id="submit" value="Submit" />
<input type="reset" name="reset" id="reset" value="Reset" />
</p>
<p> </p>
</form>
```
The processing php form has this code:
```php
<?php
// Pick up the form data and assign it to variables
$name = check_input($_POST['name']);
$email = check_input($_POST['email']);
$select = $_POST['select'];
$textinput = check_input($_POST['textinput']);

// Build the email (replace the address in the $to section with your own)
$ToEmail = 'rajesh@childsurgeon.com';
// Was $Emailsubject: PHP variable names are case-sensitive, so the mail()
// call below was reading an undefined $EmailSubject (empty subject).
$EmailSubject = "New message: $select";
$MESSAGE_BODY = "$name said: $textinput";
$mailheader = "From: $email";

// Send the mail using PHP's mail() function
mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);

// Redirect, then stop so nothing after the header runs
header("Location: success.html");
exit;

function check_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
```
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-16 10:04 -0400 |
| Message-ID | <ioc7lq$45r$1@dont-email.me> |
| In reply to | #1120 |
On 4/16/2011 3:36 AM, nathanir wrote:
> I have a contact form on my contact page.I can fill in the form and
> when I click the submit button, I am redirected to the success page
> but I dont receive an email. I did a test with a simple php mail test
> form and that works! I have been at it for some time trying to find
> the error. Please help
> The relevant code is: (for the contact form)
> <form action="process-form.php" method="post" enctype="application/x-
> www-form-urlencoded" target="_blank" id="formMail">
> <span id="textNameField">
> <label for="name"></label>
> <input type="text" name="name" id="name" />
> <span class="textfieldRequiredMsg">A value is required.</
> span><span class="textfieldMinCharsMsg">Minimum number of characters
> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
> number of characters.</span></span><span id="textEmailField"><br />
> <br />
> <label for="email"></label>
> <input type="text" name="email" id="email" />
> <span class="textfieldRequiredMsg">A value is required.</
> span ><span class="textfieldInvalidFormatMsg">Invalid format.</
> span><span class="textfieldMinCharsMsg">Minimum number of characters
> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
> number of characters.</span></span>
> </p>
> <p> </p>
> <p><span id="SelectionText">
> <label for="select">Purpose</label>
> <select name="select" id="select">
> <option value="Appointment" selected="selected">Appointment</
> option>
> <option value="Comment">Comment</option>
> <option value="Question">Question</option>
> </select>
> <span class="selectRequiredMsg">Please select an item.</span></
> span></p>
> <p><span id="textinput">
> <textarea name="textinput" id="textinput" cols="45"
> rows="5"></textarea>
> <span id="countsprytextarea1"> </span><span
> class="textareaRequiredMsg">A value is required.</span><span
> class="textareaMinCharsMsg">Minimum number of characters not met.</
> span><span class="textareaMaxCharsMsg">Exceeded maximum number of
> characters.</span></span></p>
> <p>
> <input type="submit" name="submit" id="submit"
> value="Submit" />
> <input type="reset" name="reset" id="reset" value="Reset" /
>>
> </p>
> <p> </p>
> </form>
> the processing php form has this code
>
> <?php
> // Pick up the form data and assign it to variables
> $name = check_input($_POST['name']);
> $email = check_input($_POST['email']);
> $select = $_POST['select'];
> $textinput = check_input($_POST['textinput']);
>
>
> // Build the email (replace the address in the $to section with your
> own)
> $ToEmail = 'rajesh@childsurgeon.com';
> $Emailsubject = "New message: $select";
> $MESSAGE_BODY = "$name said: $textinput";
> $mailheader = "From: $email";
>
> // Send the mail using PHPs mail() function
> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>
> // Redirect
> header("Location: success.html");
>
> function check_input($data)
> {
> $data = trim($data);
> $data = stripslashes($data);
> $data = htmlspecialchars($data);
> return $data;
> }
> ?>
Your code is very unsafe and can make your site a spam relay. Email
forms are nothing to play with; if you don't know what you're doing, you
are much better getting something like phpmailer, which has at least has
some protection built into it.
And why are you using stripslashes() and htmlspecialchars()?
As for why it's failing - there are lots of possibilities. What does
mail() return? Do you have an MTA on your machine (if Linux) or another
machine (if Windows)? Does the MTA require a login before sending?
Did you check the data you're using? i.e. echo the $ToEmail, etc., to
ensure they have what you expect? What does your PHP error log show?
There are lots of possibilities here.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
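As an added example (not code from the thread, from myphpform.com, or from any of the posters), here is how the process-form.php handler above could be written so that nothing the visitor types reaches a mail header, the select value is restricted to the options the form offers, and the mail() return value Jerry asks about is checked and logged instead of redirecting blindly. The fixed sender address, the error page name and the helper function names are my own assumptions; the field names and recipient come from the original post.

```php
<?php
// Hardened replacement for the process-form.php handler discussed above.
// Added example; helper names and the sender/error-page values are assumed.
declare(strict_types=1);

// Anything destined for a mail header must not contain CR, LF or NUL.
// trim()/stripslashes()/htmlspecialchars() leave line breaks in place,
// which is why the original check_input() gives no protection here.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Validate the visitor's address: syntactically an e-mail address and
// free of line breaks. Returns null when the value is rejected.
function clean_email(string $raw): ?string
{
    $raw = trim($raw);
    if (!header_safe($raw)) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// The "select" field: accept only the values the form actually offers,
// so the subject line can never carry arbitrary text.
const PURPOSES = ['Appointment', 'Comment', 'Question'];

function clean_purpose(string $raw): ?string
{
    return in_array($raw, PURPOSES, true) ? $raw : null;
}

// Assemble subject, body and headers. From is a fixed address on our own
// domain (assumed); the visitor's validated address goes into Reply-To.
function build_mail(string $name, string $email, string $purpose, string $text): array
{
    $headers = [
        'From: webform@childsurgeon.example',   // assumed fixed sender
        'Reply-To: ' . $email,                   // validated above
        'X-Mailer: PHP/' . PHP_VERSION,
    ];
    $subject = 'New message: ' . $purpose;       // restricted to PURPOSES
    $body = $name . " said:\r\n\r\n" . $text;    // free text stays in the body
    return [$subject, $body, implode("\r\n", $headers)];
}

function handle_contact(array $post): void
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = clean_email((string)($post['email'] ?? ''));
    $purpose = clean_purpose((string)($post['select'] ?? ''));
    $text    = trim((string)($post['textinput'] ?? ''));

    if ($name === '' || $email === null || $purpose === null || $text === '') {
        // Refuse to send; log the rejection without echoing user data.
        error_log('contact form: rejected submission (missing or invalid field)');
        header('Location: error.html');          // assumed page name
        exit;
    }

    [$subject, $body, $headers] = build_mail($name, $email, $purpose, $text);
    $to = 'rajesh@childsurgeon.com';             // recipient from the original post

    // Check what mail() returns and record a failure in the PHP error log,
    // so a silent MTA problem does not look like a successful submission.
    if (!mail($to, $subject, $body, $headers)) {
        error_log('contact form: mail() returned false; check the MTA / sendmail_path');
        header('Location: error.html');
        exit;
    }
    header('Location: success.html');
    exit; // stop here so nothing after the redirect runs
}

if (PHP_SAPI !== 'cli') {
    handle_contact($_POST);
} else {
    // Constructed sample inputs for a quick local check of the filters.
    var_dump(clean_email('visitor@example.com'));             // string(19)
    var_dump(clean_email("visitor@example.com\r\nextra"));    // NULL: line break rejected
    var_dump(clean_purpose('Comment'), clean_purpose('Other')); // string, NULL
}
```

Running the file from the command line exercises only the filters; under a web server it processes the POSTed form.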
| From | nathanir <rajeshn923@gmail.com> |
|---|---|
| Date | 2011-04-16 07:36 -0700 |
| Message-ID | <c6e55a71-4746-4038-b6da-c5e7efb2a6b0@a11g2000pro.googlegroups.com> |
| In reply to | #1122 |
On Apr 16, 7:04 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> On 4/16/2011 3:36 AM, nathanir wrote:
>
>
>
> > I have a contact form on my contact page.I can fill in the form and
> > when I click the submit button, I am redirected to the success page
> > but I dont receive an email. I did a test with a simple php mail test
> > form and that works! I have been at it for some time trying to find
> > the error. Please help
> > The relevant code is: (for the contact form)
> > <form action="process-form.php" method="post" enctype="application/x-
> > www-form-urlencoded" target="_blank" id="formMail">
> > <span id="textNameField">
> > <label for="name"></label>
> > <input type="text" name="name" id="name" />
> > <span class="textfieldRequiredMsg">A value is required.</
> > span><span class="textfieldMinCharsMsg">Minimum number of characters
> > not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
> > number of characters.</span></span><span id="textEmailField"><br />
> > <br />
> > <label for="email"></label>
> > <input type="text" name="email" id="email" />
> > <span class="textfieldRequiredMsg">A value is required.</
> > span ><span class="textfieldInvalidFormatMsg">Invalid format.</
> > span><span class="textfieldMinCharsMsg">Minimum number of characters
> > not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
> > number of characters.</span></span>
> > </p>
> > <p> </p>
> > <p><span id="SelectionText">
> > <label for="select">Purpose</label>
> > <select name="select" id="select">
> > <option value="Appointment" selected="selected">Appointment</
> > option>
> > <option value="Comment">Comment</option>
> > <option value="Question">Question</option>
> > </select>
> > <span class="selectRequiredMsg">Please select an item.</span></
> > span></p>
> > <p><span id="textinput">
> > <textarea name="textinput" id="textinput" cols="45"
> > rows="5"></textarea>
> > <span id="countsprytextarea1"> </span><span
> > class="textareaRequiredMsg">A value is required.</span><span
> > class="textareaMinCharsMsg">Minimum number of characters not met.</
> > span><span class="textareaMaxCharsMsg">Exceeded maximum number of
> > characters.</span></span></p>
> > <p>
> > <input type="submit" name="submit" id="submit"
> > value="Submit" />
> > <input type="reset" name="reset" id="reset" value="Reset" /
>
> > </p>
> > <p> </p>
> > </form>
> > the processing php form has this code
>
> > <?php
> > // Pick up the form data and assign it to variables
> > $name = check_input($_POST['name']);
> > $email = check_input($_POST['email']);
> > $select = $_POST['select'];
> > $textinput = check_input($_POST['textinput']);
>
> > // Build the email (replace the address in the $to section with your
> > own)
> > $ToEmail = 'raj...@childsurgeon.com';
> > $Emailsubject = "New message: $select";
> > $MESSAGE_BODY = "$name said: $textinput";
> > $mailheader = "From: $email";
>
> > // Send the mail using PHPs mail() function
> > mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>
> > // Redirect
> > header("Location: success.html");
>
> > function check_input($data)
> > {
> > $data = trim($data);
> > $data = stripslashes($data);
> > $data = htmlspecialchars($data);
> > return $data;
> > }
> > ?>
>
> Your code is very unsafe and can make your site a spam relay. Email
> forms are nothing to play with; if you don't know what you're doing, you
> are much better getting something like phpmailer, which has at least has
> some protection built into it.
>
> And why are you using stripslashes() and htmlspecialchars()?
>
> As for why it's failing - there are lots of possibilities. What does
> mail() return? Do you have an MTA on your machine (if Linux) or another
> machine (if Windows)? Does the MTA require a login before sending?
>
> Did you check the data you're using? i.e. echo the $ToEmail, etc., to
> ensure they have what you expect? What does your PHP error log show?
>
> There are lots of possibilities here.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Thanks Jerry for your reply. Well I am a newbie setting up my first
website in Dreamweaver. Everywhere I turned, I was instructed on how
essential it was to have one contact form. Further research revealed
http://myphpform.com/final-form.php Since I already had my form on my
contact page, I picked up the necessary php script and tested it out.
I obviously goofed and am in deeper water than what I intended to
tread. However if you will point me to the right path, I am more than
willing to learn.
BTW when I tested this script on my webpage it did send out an email
to me. This one also came from the same site.
```php
<?php
mail('rajesh@childsurgeon.com', 'Test mail', 'The mail function is working!');
echo 'Mail sent!';
?>
```
Rajesh Nathani
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-16 16:11 -0400 |
| Message-ID | <ioct5g$6om$1@dont-email.me> |
| In reply to | #1123 |
On 4/16/2011 10:36 AM, nathanir wrote:
> On Apr 16, 7:04 pm, Jerry Stuckle<jstuck...@attglobal.net> wrote:
>> On 4/16/2011 3:36 AM, nathanir wrote:
>>
>>
>>
>>> I have a contact form on my contact page.I can fill in the form and
>>> when I click the submit button, I am redirected to the success page
>>> but I dont receive an email. I did a test with a simple php mail test
>>> form and that works! I have been at it for some time trying to find
>>> the error. Please help
>>> The relevant code is: (for the contact form)
>>> <form action="process-form.php" method="post" enctype="application/x-
>>> www-form-urlencoded" target="_blank" id="formMail">
>>> <span id="textNameField">
>>> <label for="name"></label>
>>> <input type="text" name="name" id="name" />
>>> <span class="textfieldRequiredMsg">A value is required.</
>>> span><span class="textfieldMinCharsMsg">Minimum number of characters
>>> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
>>> number of characters.</span></span><span id="textEmailField"><br />
>>> <br />
>>> <label for="email"></label>
>>> <input type="text" name="email" id="email" />
>>> <span class="textfieldRequiredMsg">A value is required.</
>>> span><span class="textfieldInvalidFormatMsg">Invalid format.</
>>> span><span class="textfieldMinCharsMsg">Minimum number of characters
>>> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
>>> number of characters.</span></span>
>>> </p>
>>> <p> </p>
>>> <p><span id="SelectionText">
>>> <label for="select">Purpose</label>
>>> <select name="select" id="select">
>>> <option value="Appointment" selected="selected">Appointment</
>>> option>
>>> <option value="Comment">Comment</option>
>>> <option value="Question">Question</option>
>>> </select>
>>> <span class="selectRequiredMsg">Please select an item.</span></
>>> span></p>
>>> <p><span id="textinput">
>>> <textarea name="textinput" id="textinput" cols="45"
>>> rows="5"></textarea>
>>> <span id="countsprytextarea1"> </span><span
>>> class="textareaRequiredMsg">A value is required.</span><span
>>> class="textareaMinCharsMsg">Minimum number of characters not met.</
>>> span><span class="textareaMaxCharsMsg">Exceeded maximum number of
>>> characters.</span></span></p>
>>> <p>
>>> <input type="submit" name="submit" id="submit"
>>> value="Submit" />
>>> <input type="reset" name="reset" id="reset" value="Reset" /
>>
>>> </p>
>>> <p> </p>
>>> </form>
>>> the processing php form has this code
>>
>>> <?php
>>> // Pick up the form data and assign it to variables
>>> $name = check_input($_POST['name']);
>>> $email = check_input($_POST['email']);
>>> $select = $_POST['select'];
>>> $textinput = check_input($_POST['textinput']);
>>
>>> // Build the email (replace the address in the $to section with your
>>> own)
>>> $ToEmail = 'raj...@childsurgeon.com';
>>> $Emailsubject = "New message: $select";
>>> $MESSAGE_BODY = "$name said: $textinput";
>>> $mailheader = "From: $email";
>>
>>> // Send the mail using PHPs mail() function
>>> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>>
>>> // Redirect
>>> header("Location: success.html");
>>
>>> function check_input($data)
>>> {
>>> $data = trim($data);
>>> $data = stripslashes($data);
>>> $data = htmlspecialchars($data);
>>> return $data;
>>> }
>>> ?>
>>
>> Your code is very unsafe and can make your site a spam relay. Email
>> forms are nothing to play with; if you don't know what you're doing, you
>> are much better getting something like phpmailer, which has at least has
>> some protection built into it.
>>
>> And why are you using stripslashes() and htmlspecialchars()?
>>
>> As for why it's failing - there are lots of possibilities. What does
>> mail() return? Do you have an MTA on your machine (if Linux) or another
>> machine (if Windows)? Does the MTA require a login before sending?
>>
>> Did you check the data you're using? i.e. echo the $ToEmail, etc., to
>> ensure they have what you expect? What does your PHP error log show?
>>
>> There are lots of possibilities here.
>>
> Thanks Jerry for your reply. Well I am a newbie setting up my first
> website in Dreamweaver. Everywhere I turned, I was instructed on how
> essential it was to have one contact form. Further research revealed
> http://myphpform.com/final-form.php Since I already had my form on my
> contact page, I picked up the necessary php script and tested it out.
> I obviously goofed and am in deeper water than what I intended to
> tread. However if you will point me to the right path, I am more than
> willing to learn.
> BTW when I tested this script on my webpage it did send out an email
> to me. This one also came from the same site.
> <?php
> mail('rajesh@childsurgeon.com','Test mail','The mail function is
> working!');
> echo 'Mail sent!';
> ?>
> Rajesh Nathani
Your PHP script is not secure. Before putting a contact forum up on
your site, you really need to understand a lot about security -
otherwise you will quickly become a spam relay and your host will
probably cancel your account (at least a good one will).
And just picking a script when you don't know what you're doing is just
asking for trouble - as in your case.
If you want a good secure contact form, I would suggest you read up on
security and learn how to properly secure your site.
In the meantime, did you do the things I suggested in my previous reply?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | "P E Schoen" <paul@pstech-inc.com> |
|---|---|
| Date | 2011-04-16 16:25 -0400 |
| Message-ID | <iocu0g$3v5$1@speranza.aioe.org> |
| In reply to | #1123 |
"nathanir" wrote in message
news:c6e55a71-4746-4038-b6da-c5e7efb2a6b0@a11g2000pro.googlegroups.com...
> > // Pick up the form data and assign it to variables
> > $name = check_input($_POST['name']);
> > $email = check_input($_POST['email']);
> > $select = $_POST['select'];
> > $textinput = check_input($_POST['textinput']);
>
> > // Build the email (replace the address in the $to section with your
> > own)
> > $ToEmail = 'raj...@childsurgeon.com';
> > $Emailsubject = "New message: $select";
> > $MESSAGE_BODY = "$name said: $textinput";
> > $mailheader = "From: $email";
>
> > // Send the mail using PHPs mail() function
> > mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
> BTW when I tested this script on my webpage it did send out an email
> to me. This one also came from the same site.
```php
<?php
mail('rajesh@childsurgeon.com', 'Test mail', 'The mail function is working!');
echo 'Mail sent!';
?>
```
I'm not an expert but I do have a similar setup that works, with an HTML
form and a PHP script which sends a confirmation email to myself. I don't
see what's wrong, but some suggestions to try are:
Incorporate a logfile which contains the values of variables such as
$ToEmail, $select, etc.
It may be best to use "selected" as the variable name rather than the
element name "select".
Then you can use the actual variables for your direct test email function.
Also, as Jerry said, check the error logs on the server. And hopefully you
are doing this on a localhost and not yet as a "live" application. It also
should have some security measures, such as a password and a time delay to
thwart DoS attacks such as a barrage of calls to the PHP script thousands of
times per second.
Maybe the experts can help, or even better you may try some things and learn
a lot with eventual success. Good luck.
Paul
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-16 17:40 -0400 |
| Message-ID | <iod2d7$n1d$3@dont-email.me> |
| In reply to | #1126 |
On 4/16/2011 4:25 PM, P E Schoen wrote:
> "nathanir" wrote in message
> news:c6e55a71-4746-4038-b6da-c5e7efb2a6b0@a11g2000pro.googlegroups.com...
>
>> > // Pick up the form data and assign it to variables
>> > $name = check_input($_POST['name']);
>> > $email = check_input($_POST['email']);
>> > $select = $_POST['select'];
>> > $textinput = check_input($_POST['textinput']);
>>
>> > // Build the email (replace the address in the $to section with your
>> > own)
>> > $ToEmail = 'raj...@childsurgeon.com';
>> > $Emailsubject = "New message: $select";
>> > $MESSAGE_BODY = "$name said: $textinput";
>> > $mailheader = "From: $email";
>>
>> > // Send the mail using PHPs mail() function
>> > mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>
>> BTW when I tested this script on my webpage it did send out an email
>> to me. This one also came from the same site.
>
> <?php
> mail('rajesh@childsurgeon.com','Test mail','The mail function is
> working!');
> echo 'Mail sent!';
> ?>
>
> I'm not an expert but I do have a similar setup that works, with an HTML
> form and a PHP script which sends a confirmation email to myself. I
> don't see what's wrong, but some suggestions to try are:
>
> Incorporate a logfile which contains the values of variables such as
> $ToEmail, $select, etc.
>
> It may be best to use "selected" as the variable name rather than the
> element name "select".
>
> Then you can use the actual variables for your direct test email
> function. Also, as Jerry said, check the error logs on the server. And
> hopefully you are doing this on a localhost and not yet as a "live"
> application. It also should have some security measures, such as a
> password and a time delay to thwart DoS attacks such as a barrage of
> calls to the PHP script thousands of times per second.
>
> Maybe the experts can help, or even better you may try some things and
> learn a lot with eventual success. Good luck.
>
> Paul
I hope your script is much more secure than Nathan's. Poorly written
script by people who don't understand security are a major problem in PHP.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | nathanir <rajeshn923@gmail.com> |
|---|---|
| Date | 2011-04-17 10:27 -0700 |
| Message-ID | <8d59976e-bbfc-4552-8505-df661de50c1b@l14g2000pre.googlegroups.com> |
| In reply to | #1128 |
Thanks Jerry and Paul, You are right - I do not understand php and am now trying to learn it in a structured manner through the many tutorials available on the web. I thought I could learn whatever I needed on the fly - on an as needed basis but that does not seem to be the way to go. As I mentioned in my earlier post I checked the testmail.php file and that seemed to work fine. If you will be kind enough to suggest what you think are good sites to learn from then I will appreciate any links. Thanks once again, Rajesh
| From | "MG" <nospam@nospam.com> |
|---|---|
| Date | 2011-04-17 21:58 +0200 |
| Message-ID | <iofgr1$f0$1@dont-email.me> |
| In reply to | #1135 |
> seemed to work fine.
> If you will be kind enough to suggest what you think are good sites to
> learn from then I will appreciate any links.
> Thanks once again,
This one is worth reading
http://www.damonkohler.com/2008/12/email-injection.html
MG
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-17 16:39 -0400 |
| Message-ID | <iofj5t$7gi$1@dont-email.me> |
| In reply to | #1136 |
On 4/17/2011 3:58 PM, MG wrote:
>> seemed to work fine.
>> If you will be kind enough to suggest what you think are good sites to
>> learn from then I will appreciate any links.
>> Thanks once again,
>
> This one is worth reading
> http://www.damonkohler.com/2008/12/email-injection.html
>
> MG
>
Some good descriptions on how it can happen. But one needs to read the
comments at the end, also - there are several problems with his proposed
solutions.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | "P E Schoen" <paul@pstech-inc.com> |
|---|---|
| Date | 2011-04-18 22:30 -0400 |
| Message-ID | <iois3u$vor$1@speranza.aioe.org> |
| In reply to | #1137 |
"Jerry Stuckle" wrote in message news:iofj5t$7gi$1@dont-email.me...
> On 4/17/2011 3:58 PM, MG wrote:
>> This one is worth reading
>> http://www.damonkohler.com/2008/12/email-injection.html
> Some good descriptions on how it can happen. But one needs to
> read the comments at the end, also - there are several problems
> with his proposed solutions.
I found the article very interesting. As a "casual" newbie user of PHP I
don't fully understand all the issues, but I can see that it can be a real
problem if a hacker really wants to make trouble. My application requires a
user to provide a name and email address from a hard-coded list, and also a
password, before data can be entered. If that is successful, I set a file
lock which blocks any subsequent attempts to access the script, and I add a
deliberate 5 or 10 second delay before completing the processing and
releasing the file lock.
I also run the user input through a filter: http://htmlpurifier.org/ which
seems to work pretty well. I suppose nothing is totally secure, but this is
designed for only a small group of trusted members, and is not really used
very much. In fact, the only ones to have used it over the last several
months have been myself (for testing), and one or two members as they were
learning how to use it.
Paul
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-18 22:58 -0400 |
| Message-ID | <ioito7$1r5$1@dont-email.me> |
| In reply to | #1184 |
On 4/18/2011 10:30 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iofj5t$7gi$1@dont-email.me...
>
>> On 4/17/2011 3:58 PM, MG wrote:
>
>>> This one is worth reading
>>> http://www.damonkohler.com/2008/12/email-injection.html
>
>> Some good descriptions on how it can happen. But one needs to
>> read the comments at the end, also - there are several problems
>> with his proposed solutions.
>
> I found the article very interesting. As a "casual" newbie user of PHP I
> don't fully understand all the issues, but I can see that it can be a
> real problem if a hacker really wants to make trouble. My application
> requires a user to provide a name and email address from a hard-coded
> list, and also a password, before data can be entered. If that is
> successful, I set a file lock which blocks any subsequent attempts to
> access the script, and I add a deliberate 5 or 10 second delay before
> completing the processing and releasing the file lock.
>
> I also run the user input through a filter: http://htmlpurifier.org/
> which seems to work pretty well. I suppose nothing is totally secure,
> but this is designed for only a small group of trusted members, and is
> not really used very much. In fact, the only ones to have used it over
> the last several months have been myself (for testing), and one or two
> members as they were learning how to use it.
>
> Paul
Just remember - never trust ANYTHING from the user. You may have email
addresses hardcoded into your forum. But there is NOTHING which says the
request has to come from YOUR form. They can make up any form they want
and send whatever data they want to your page.
And I don't use htmlpurifier, but I would be very surprised if they were
to take out stuff which could be used to make your site a spam relay.
After all, things like newline characters are quite valid input values.
It's how they are used which makes a difference. And htmlpurifier doesn't
know how you're going to use it.
And finally - "only a small group of trusted members" is one of the most
famous lines used by people who got their website hacked. That may be
your intent. But hackers are good at getting around restrictions,
especially if you're not sure of what you're doing.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | "P E Schoen" <paul@pstech-inc.com> |
|---|---|
| Date | 2011-04-19 00:33 -0400 |
| Message-ID | <ioj3bo$dv2$1@speranza.aioe.org> |
| In reply to | #1186 |
"Jerry Stuckle" wrote in message news:ioito7$1r5$1@dont-email.me...
> Just remember - never trust ANYTHING from the user. You may have
> email addresses hardcoded into your forum. But there is NOTHING
> which says the request has to come from YOUR form. They can make
> up any form they want and send whatever data they want to your page.

I realize that, but the authorized names and emails are hard coded in the
PHP script which is invoked from the HTML form using POST variables. Of
course, a hacker could figure that out and use his own form to try to
access the script for mass emailing or whatever, but he would not get past
the authentication without somehow knowing the names and addresses, and
then also the password.

> And I don't use htmlpurifier, but I would be very surprised if they
> were to take out stuff which could be used to make your site a spam
> relay. After all, things like newline characters are quite valid input
> values. It's how they are used which makes a difference. And
> htmlpurifier doesn't know how you're going to use it.

The headers are pretty much hard-coded as well, except for including the
name and email address of the user in the subject. Since they both must
pass strict authentication, additional malevolent headers cannot be
injected there. Everything else is formatted in the body of the message,
which is passed through the purifier.

> And finally - "only a small group of trusted members" is one of the
> most famous lines used by people who got their website hacked.
> That may be your intent. But hackers are good at getting around
> restrictions, especially if you're not sure of what you're doing.

I freely admit to not knowing all (or even most) of the "gotchas", but
without lots of experience or extensive study of the subject, I don't
know how to determine if what I have is "safe".

I could probably submit the code to someone like you (probably for a
fee), to review the code and fix the security leaks, or maybe I could
find a benevolent hacker to attempt to hack the site.

What would be really useful would be a sort of "verifier" that would
perform the usual attempts and then report on the degree of
vulnerability. Is such a service available? I think it would be worth
even a moderate "pay per view" of a dollar or two to obtain such a
security risk report. I know that I would make good use of it, and it
would also be helpful to the OP. My own site is being built on a
volunteer basis for a non-profit organization (Sierra Club Greater
Baltimore Group), so our funds are limited. I am actually hosting their
site on my own server, because the portion of the National site that I
am authorized to access does not have CGI capability.

Thanks,

Paul
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-19 06:29 -0400 |
| Message-ID | <iojo5j$jpo$1@dont-email.me> |
| In reply to | #1190 |
On 4/19/2011 12:33 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioito7$1r5$1@dont-email.me...
>
>> Just remember - never trust ANYTHING from the user. You may have
>> email addresses hardcoded into your forum. But there is NOTHING
>> which says the request has to come from YOUR form. They can make
>> up any form they want and send whatever data they want to your page.
>
> I realize that, but the authorized names and emails are hard coded in
> the PHP script which is invoked from the HTML form using POST variables.
> Of course, a hacker could figure that out and use his own form to try to
> access the script for mass emailing or whatever, but he would not get
> past the authentication without somehow knowing the names and addresses,
> and then also the password.
>

Which isn't that hard if you aren't using secure socket layer (https:...).

>> And I don't use htmlpurifier, but I would be very surprised if they
>> were to take out stuff which could be used to make your site a spam
>> relay. After all, things like newline characters are quite valid input
>> values. It's how they are used which makes a difference. And
>> htmlpurifier doesn't know how you're going to use it.
>
> The headers are pretty much hard-coded as well, except for including the
> name and email address of the user in the subject. Since they both must
> pass strict authentication, additional malevolent headers cannot be
> injected there. Everything else is formatted in the body of the message,
> which is passed through the purifier.
>

But the subject and from headers are NOT being properly authenticated in
the code you posted earlier.

>> And finally - "only a small group of trusted members" is one of the
>> most famous lines used by people who got their website hacked.
>> That may be your intent. But hackers are good at getting around
>> restrictions, especially if you're not sure of what you're doing.
>
> I freely admit to not knowing all (or even most) of the "gotchas", but
> without lots of experience or extensive study of the subject, I don't
> know how to determine if what I have is "safe". I could probably submit
> the code to someone like you (probably for a fee), to review the code
> and fix the security leaks, or maybe I could find a benevolent hacker to
> attempt to hack the site.
>

That's where you need to study and learn. It isn't that hard, but it does
take some studying.

Sure, you can hire someone to check your code - but you'll be much better
off reading and learning on your own so you can write secure code.

Coding publicly available websites isn't that hard - but it does take
care to ensure they are secure.

> What would be really useful would be a sort of "verifier" that would
> perform the usual attempts and then report on the degree of
> vulnerability. Is such a service available? I think it would be worth
> even a moderate "pay per view" of a dollar or two to obtain such a
> security risk report. I know that I would make good use of it, and it
> would also be helpful to the OP. My own site is being built on a
> volunteer basis for a non-profit organization (Sierra Club Greater
> Baltimore Group), so our funds are limited. I am actually hosting their
> site on my own server, because the portion of the National site that I
> am authorized to access does not have CGI capability.
>
> Thanks,
>
> Paul

There are way too many ways a hacker can get in for a verifier to try to
hack your site. And hackers come up with new ways every day. It would be
even harder to keep up with ways of hacking sites than it is for
antivirus manufacturers to keep ahead of virus makers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | "P E Schoen" <paul@pstech-inc.com> |
|---|---|
| Date | 2011-04-20 13:46 -0400 |
| Message-ID | <ion660$6je$1@speranza.aioe.org> |
| In reply to | #1198 |
"Jerry Stuckle" wrote in message news:iojo5j$jpo$1@dont-email.me...
On 4/19/2011 12:33 AM, P E Schoen wrote:
>> I realize that, but the authorized names and emails are hard coded in
>> the PHP script which is invoked from the HTML form using POST
>> variables. Of course, a hacker could figure that out and use his own
>> form to try to access the script for mass emailing or whatever, but he
>> would not get past the authentication without somehow knowing the
>> names and addresses, and then also the password.
> Which isn't that hard if you aren't using secure socket layer (https:...).
The only way I understand would be possible to do this is by listening to
the data over the network and identifying the CGI variables with that
information. I suppose that is possible if someone was using a public
network to access the PHP script. But I doubt that a hacker would want to
put in that much effort. The content is being used for public announcements
anyway, so the data is not sensitive.
>> The headers are pretty much hard-coded as well, except for including
>> the name and email address of the user in the subject. Since they both
>> must pass strict authentication, additional malevolent headers cannot
>> be injected there. Everything else is formatted in the body of the
>> message, which is passed through the purifier.
> But the subject and from headers are NOT being properly authenticated
> in the code you posted earlier.
The subject and from headers are as follows:
$subject = "Form data from {$in['Full_Name']}";
// This has been validated from a hard-coded list
$sender = "paul@example.com";
$recipient = 'paul@example.com';
mail($recipient, $subject, $message, "From: $sender");
I see that I have used my email address for both the sender and recipient.
I'm not really sure why I did that, but IIRC I was having problems and I
thought it was because the email was actually sent from my server's email
function and the sender had to match. So the subject is actually used to
indicate who had used the entry form.
> That's where you need to study and learn. It isn't that hard,
> but it does take some studying.
Yes, if this were a major part of what I do, then I'd have to do that. But I
have found that the people who submit activity listings do not even try to
make use of this, so I will probably just have to maintain the website
manually. It may be helpful to me to use this system, but otherwise it has
become mostly a learning experience, and that just in a small way. Most of
my time is spent on electronic engineering, PIC code, and Windows
application programming. And also checking out newsgroups such as this for
interesting discussions.
> Sure, you can hire someone to check your code - but you'll be
> much better off reading and learning on your own so you can
> write secure code.
> Coding publicly available websites isn't that hard - but it does
> take care to ensure they are secure.
> There are way too many ways a hacker can get in for a verifier to
> try to hack your site. And hackers come up with new ways every
> day. It would be even harder to keep up with ways of hacking
> sites than it is for antivirus manufacturers to keep ahead of
> virus makers.
I can see that, but maybe there are some common attack modes that could be
attempted to see how vulnerable a site may be. Even if it required human
interaction, it would be a valuable service that I would be willing to pay
for. It's difficult for a beginner with limited time and motivation to learn
all the methods of attack and the usual ways to reduce vulnerability.
Perhaps you could provide a link to the PHP code for a secure form mailing
application?
Thanks,
Paul
| From | The Natural Philosopher <tnp@invalid.invalid> |
|---|---|
| Date | 2011-04-20 18:51 +0100 |
| Message-ID | <ion6ej$jhv$1@news.albasani.net> |
| In reply to | #1240 |
P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iojo5j$jpo$1@dont-email.me...
>
> On 4/19/2011 12:33 AM, P E Schoen wrote:
>
>>> I realize that, but the authorized names and emails are hard coded in
>>> the PHP script which is invoked from the HTML form using POST
>>> variables. Of course, a hacker could figure that out and use his own
>>> form to try to access the script for mass emailing or whatever, but he
>>> would not get past the authentication without somehow knowing the
>>> names and addresses, and then also the password.
>
>> Which isn't that hard if you aren't using secure socket layer
>> (https:...).
>
> The only way I understand would be possible to do this is by listening
> to the data over the network and identifying the CGI variables with that
> information. I suppose that is possible if someone was using a public
> network to access the PHP script. But I doubt that a hacker would want
> to put in that much effort. The content is being used for public
> announcements anyway, so the data is not sensitive.

It is JUST possible if you are using weakly encrypted WiFi.

In practice, there are far easier ways to hack than trying to compromise
ISP and backbone routers.
| From | "P E Schoen" <paul@pstech-inc.com> |
|---|---|
| Date | 2011-04-20 16:41 -0400 |
| Message-ID | <iongdv$3g1$1@speranza.aioe.org> |
| In reply to | #1241 |
"The Natural Philosopher" wrote in message
news:ion6ej$jhv$1@news.albasani.net...
> P E Schoen wrote:
>> The only way I understand would be possible to do this is by listening to
>> the data over the network and identifying the CGI variables with
>> that information. I suppose that is possible if someone was using a
>> public network to access the PHP script. But I doubt that a hacker
>> would want to put in that much effort. The content is being used for
>> public announcements anyway, so the data is not sensitive.

> It is JUST possible if you are using weakly encrypted WiFi.

> In practice, there are far easier ways to hack than trying to
> compromise ISP and backbone routers.

My WiFi is password protected so I'm not worried about that. But the user
may be at any place where internet access can be had, and the CGI
variables would be posted from there to my remote server. I don't think
that will be a problem. It may be more likely that someone would observe
the user entering the information and remember the keystrokes for the
password. But I really don't know all that much about TCP/IP and HTTP and
networks in general.

Thanks,

Paul
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-20 16:59 -0400 |
| Message-ID | <ionhff$qbc$2@dont-email.me> |
| In reply to | #1242 |
On 4/20/2011 4:41 PM, P E Schoen wrote:
> "The Natural Philosopher" wrote in message
> news:ion6ej$jhv$1@news.albasani.net...
>
>> P E Schoen wrote:
>
>>> The only way I understand would be possible to do this is by
>>> listening to the data over the network and identifying the CGI
>>> variables with
>>> that information. I suppose that is possible if someone was using a
>>> public network to access the PHP script. But I doubt that a hacker
>>> would want to put in that much effort. The content is being used for
>>> public announcements anyway, so the data is not sensitive.
>
>> It is JUST possible if you are using weakly encrypted WiFi.
>
>> In practice, there are far easier ways to hack than trying to
>> compromise ISP and backbone routers.
>
> My WiFi is password protected so I'm not worried about that. But the
> user may be at any place where internet access can be had, and the CGI
> variables would be posted from there to my remote server. I don't think
> that will be a problem. It may be more likely that someone would observe
> the user entering the information and remember the keystrokes for the
> password. But I really don't know all that much about TCP/IP and HTTP
> and networks in general.
>
> Thanks,
>
> Paul

If you're using WEP, it's not very protected. That can be broken with a
laptop in less than a day.

And they don't have to know a lot - by just looking at the source code for
your page they can tell what's being sent - and get clues on how to break
it.

Insecure passwords are one of the easiest and most common ways to hack a
site - but trying to get users to create passwords is a lost cause.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-20 16:55 -0400 |
| Message-ID | <ionh8d$qbc$1@dont-email.me> |
| In reply to | #1240 |
On 4/20/2011 1:46 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iojo5j$jpo$1@dont-email.me...
>
> On 4/19/2011 12:33 AM, P E Schoen wrote:
>
>>> I realize that, but the authorized names and emails are hard coded in
>>> the PHP script which is invoked from the HTML form using POST
>>> variables. Of course, a hacker could figure that out and use his own
>>> form to try to access the script for mass emailing or whatever, but he
>>> would not get past the authentication without somehow knowing the
>>> names and addresses, and then also the password.
>
>> Which isn't that hard if you aren't using secure socket layer
>> (https:...).
>
> The only way I understand would be possible to do this is by listening
> to the data over the network and identifying the CGI variables with that
> information. I suppose that is possible if someone was using a public
> network to access the PHP script. But I doubt that a hacker would want
> to put in that much effort. The content is being used for public
> announcements anyway, so the data is not sensitive.
>
Which can be done a number of ways by a sniffer. You just have to be in
the right place.
For instance, it's not well publicized but in many residential locations
with cable, everyone in a neighborhood is on the same cable - and can
see each other's traffic with the right software.
>>> The headers are pretty much hard-coded as well, except for including
>>> the name and email address of the user in the subject. Since they both
>>> must pass strict authentication, additional malevolent headers cannot
>>> be injected there. Everything else is formatted in the body of the
>>> message, which is passed through the purifier.
>
>> But the subject and from headers are NOT being properly authenticated
>> in the code you posted earlier.
>
> The subject and from headers are as follows:
>
> $subject = "Form data from {$in['Full_Name']}";
> //This has been validated from a hard-coded list
> $sender = "paul@example.com";
> $recipient= 'paul@example.com' ;
> mail( $recipient, $subject, $message, "From: $sender" );
>
> I see that I have used my email address for both the sender and
> recipient. I'm not really sure why I did that, but IIRC I was having
> problems and I thought it was because the email was actually sent from
> my server's email function and the sender had to match. So the subject
> is actually used to indicate who had used the entry form.
>
But your subject can still be a source of injection.
>> That's where you need to study and learn. It isn't that hard,
>> but it does take some studying.
>
> Yes, if this were a major part of what I do, then I'd have to do that.
> But I have found that the people who submit activity listings do not
> even try to make use of this, so I will probably just have to maintain
> the website manually. It may be helpful to me to use this system, but
> otherwise it has become mostly a learning experience, and that just in a
> small way. Most of my time is spent on electronic engineering, PIC code,
> and Windows application programming. And also checking out newsgroups
> such as this for interesting discussions.
>
There is no excuse for writing insecure code, especially when it's in
the internet. How will your client feel if their ip gets blacklisted -
and even worse, their host cancels their account? It does happen, and
it's serious.
>> Sure, you can hire someone to check your code - but you'll be
>> much better off reading and learning on your own so you can
>> write secure code.
>
>> Coding publicly available websites isn't that hard - but it does
>> take care to ensure they are secure.
>
>> There are way too many ways a hacker can get in for a verifier to
>> try to hack your site. And hackers come up with new ways every
>> day. It would be even harder to keep up with ways of hacking
>> sites than it is for antivirus manufacturers to keep ahead of
>> virus makers.
>
> I can see that, but maybe there are some common attack modes that could
> be attempted to see how vulnerable a site may be. Even if it required
> human interaction, at would be a valuable service that I would be
> willing to pay for. It's difficult for a beginner with limited time and
> motivation to learn all the methods of attack and the usual ways to
> reduce vulnerability.
>
An understanding of security concerns and care when programming will do
that much better than a verifier will.
> Perhaps you could provide a link to the PHP code for a secure form
> mailing application?
>
Sorry, I write my own. I don't use much packaged software.
> Thanks,
>
> Paul
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
| From | "P E Schoen" <paul@pstech-inc.com> |
|---|---|
| Date | 2011-04-20 19:58 -0400 |
| Message-ID | <ions8c$1j2$1@speranza.aioe.org> |
| In reply to | #1243 |
"Jerry Stuckle" wrote in message news:ionh8d$qbc$1@dont-email.me...
> On 4/20/2011 1:46 PM, P E Schoen wrote:
>> The only way I understand would be possible to do this is by listening
>> to the data over the network and identifying the CGI variables with
>> that information.
> Which can be done a number of ways by a sniffer. You just have to
> be in the right place.
> For instance, it's not well publicized but in many residential locations
> with cable, everyone in an neighborhood is on the same cable - and
> can see each others traffic with the right software.
I have FIOS and a WiFi router, but I have no control over what potential
users may have. However, I still don't think anyone would be that much
interested in hacking this site. And I would assume that the only damage
could be the use of the emailer for spam, but that seems very unlikely, and
I don't think it even can be done using my script.
>> The subject and from headers are as follows:
>
>> $subject = "Form data from {$in['Full_Name']}";
>> //This has been validated from a hard-coded list
>> $sender = "paul@example.com";
>> $recipient= 'paul@example.com' ;
>> mail( $recipient, $subject, $message, "From: $sender" );
> But your subject can still be a source of injection.
I cannot see how that is possible. The authorization code at the front end
requires the $in['Full_Name'] to be one of the authorized names hard-coded
in an array. If it contains anything else, the script dies. So I can't see
how anyone could inject anything malevolent.
> There is no excuse for writing insecure code, especially when it's
> in the internet. How will your client feel if their ip gets blacklisted -
> and even worse, their host cancels their account? It does happen,
> and it's serious.
My "client" is just a small group of volunteers who may want to post notices
of events to be available from the group's website. I am only using the
Sierra Club National site to have a placeholder HTML page which redirects to
the site I am hosting for them on my Dreamhost account. AFAIK, the email
function resides on the dreamhost, and any emails sent would be my
responsibility.
Also, AIUI, the potential users of the site will only receive the HTML form
on their local machine, and then the PHP script is accessed by means of
POST. The user will receive an echo which either shows "Authentication
Failed", or a formatted HTML page with the submitted information. The form
itself also has a button which will allow the user to see the results of the
EventProcessor script, which will have entered the information into a
database and then produced updated web pages for past and current events or
outings.
> An understanding of security concerns and care when programming
> will do that much better than a verifier will.
I understand a little more after reading
http://www.damonkohler.com/2008/12/email-injection.html, and I think my code
is secure against the attempts described there. If not, then I am missing
something and I would appreciate an example that would prove it to be unsafe
from attack.
>> Perhaps you could provide a link to the PHP code for a secure form
>> mailing application?
> Sorry, I write my own. I don't use much packaged software.
Then it would be very helpful for casual users and beginners if you could
provide at least some of the code you have created with a high level of
security. But I also realize that perhaps that would reveal clues to a
potential hacker. I would like to know more about vulnerabilities and safe
coding practices, but at this point I just don't know how my site could be
hacked unless someone gained access to authentication information, or was
able to obtain the password for my website and upload malicious code or
trash the files.
Thanks,
Paul
| From | Jerry Stuckle <jstucklex@attglobal.net> |
|---|---|
| Date | 2011-04-20 23:44 -0400 |
| Message-ID | <ioo965$qfj$1@dont-email.me> |
| In reply to | #1247 |
On 4/20/2011 7:58 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ionh8d$qbc$1@dont-email.me...
>
>> On 4/20/2011 1:46 PM, P E Schoen wrote:
>
>>> The only way I understand would be possible to do this is by listening
>>> to the data over the network and identifying the CGI variables with
>>> that information.
>
>> Which can be done a number of ways by a sniffer. You just have to
>> be in the right place.
>
>> For instance, it's not well publicized but in many residential
>> locations with cable, everyone in an neighborhood is on the same cable
>> - and
>> can see each others traffic with the right software.
>
> I have FIOS and a WiFi router, but I have no control over what potential
> users may have. However, I still don't think anyone would be that much
> interested in hacking this site. And I would assume that the only damage
> could be the use of the emailer for spam, but that seems very unlikely,
> and I don't think it even can be done using my script.
>
Famous last words by people whose sites got hacked.
>>> The subject and from headers are as follows:
>>
>>> $subject = "Form data from {$in['Full_Name']}";
>>> //This has been validated from a hard-coded list
>>> $sender = "paul@example.com";
>>> $recipient= 'paul@example.com' ;
>>> mail( $recipient, $subject, $message, "From: $sender" );
>
>> But your subject can still be a source of injection.
>
> I cannot see how that is possible. The authorization code at the front
> end requires the $in['Full_Name'] to be one of the authorized names
> hard-coded in an array. If it contains anything else, the script dies.
> So I can't see how anyone could inject anything malevolent.
>
Subject does not require an "authorized name". It can easily be used for
injection.
>> There is no excuse for writing insecure code, especially when it's
>> in the internet. How will your client feel if their ip gets
>> blacklisted - and even worse, their host cancels their account? It
>> does happen,
>> and it's serious.
>
> My "client" is just a small group of volunteers who may want to post
> notices of events to be available from the group's website. I am only
> using the Sierra Club National site to have a placeholder HTML page
> which redirects to the site I am hosting for them on my Dreamhost
> account. AFAIK, the email function resides on the dreamhost, and any
> emails sent would be my responsibility.
>
Which makes no difference. Hackers often look for sites like yours they
can use to spread their spam - because they are typically the least
secure due to attitudes like yours.
> Also, AIUI, the potential users of the site will only receive the HTML
> form on their local machine, and then the PHP script is accessed by
> means of POST. The user will receive an echo which either shows
> "Authentication Failed", or a formatted HTML page with the submitted
> information. The form itself also has a button which will allow the user
> to see the results of the EventProcessor script, which will have entered
> the information into a database and then produced updated web pages for
> past and current events or outings.
>
Not a problem for hackers - who use scripts to do all kinds of things.
>> An understanding of security concerns and care when programming
>> will do that much better than a verifier will.
>
> I understand a little more after reading
> http://www.damonkohler.com/2008/12/email-injection.html, and I think my
> code is secure against the attempts described there. If not, then I am
> missing something and I would appreciate an example that would prove it
> to be unsafe from attack.
>
As I said - your subject line is still open to hacking.
>>> Perhaps you could provide a link to the PHP code for a secure form
>>> mailing application?
>
>> Sorry, I write my own. I don't use much packaged software.
>
> Then it would be very helpful for casual users and beginners if you
> could provide at least some of the code you have created with a high
> level of security. But I also realize that perhaps that would reveal
> clues to a potential hacker. I would like to know more about
> vulnerabilities and safe coding practices, but at this point I just
> don't know how my site could be hacked unless someone gained access to
> authentication information, or was able to obtain the password for my
> website and upload malicious code or trash the files.
>
Others have tried to point you in the right direction, but you seem to
be uninterested in learning the necessary skills to create a secure website.
And it really isn't that hard for hackers to guess userids and passwords
- even easier if they can intercept your non-secure logins.
> Thanks,
>
> Paul
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
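The exchange above turns on whether the value that ends up in the Subject header has actually been checked against the hard-coded list before mail() is called. The following is an added example, not code from the thread or from Paul's script: it rewrites the posted snippet so the allowlist check and the subject construction cannot be separated, and adds a CR/LF check on the header value as defence in depth, because a line break inside any header value is what allows extra headers to be appended. The names, addresses and the $in array are constructed placeholders.

```php
<?php
// Added example (not the thread's own code): the posted mail() snippet
// restructured so the subject cannot carry user-controlled header content.
declare(strict_types=1);

// Hard-coded list of authorized names, as described in the thread.
// These values are placeholders.
const AUTHORIZED_NAMES = ['Jane Example', 'John Example'];

/**
 * Return Full_Name from the POST data only if it is exactly one of the
 * allowlisted strings (type-strict, no trimming), otherwise null.
 */
function authorized_name(array $in): ?string
{
    $name = $in['Full_Name'] ?? null;
    if (!is_string($name)) {
        return null;
    }
    // strict=true: byte-for-byte match required, no loose comparison.
    return in_array($name, AUTHORIZED_NAMES, true) ? $name : null;
}

/**
 * Build the Subject header value. The name is already allowlisted, but
 * refuse any CR or LF anyway: this is the check that keeps a header value
 * from turning into several headers, and it costs nothing.
 */
function build_subject(string $name): string
{
    if (preg_match('/[\r\n]/', $name) === 1) {
        throw new InvalidArgumentException('Subject must not contain line breaks');
    }
    return "Form data from {$name}";
}

/**
 * Validate first, then send. Returns false (the "Authentication Failed"
 * path in the thread) without calling mail() when validation fails.
 * $sender and $recipient are fixed values chosen by the site owner.
 */
function send_form_mail(array $in, string $message, string $recipient, string $sender): bool
{
    $name = authorized_name($in);
    if ($name === null) {
        return false;
    }
    $subject = build_subject($name);
    // From: is a constant, so no header is built from user input.
    return mail($recipient, $subject, $message, "From: {$sender}");
}

// Constructed sample inputs for a quick self-check from the command line.
if (PHP_SAPI === 'cli') {
    $good = ['Full_Name' => 'Jane Example'];
    $bad  = ['Full_Name' => "Jane Example\r\n"]; // constructed: contains a line break
    var_dump(authorized_name($good) === 'Jane Example'); // bool(true)
    var_dump(authorized_name($bad) === null);            // bool(true): rejected by the allowlist
    var_dump(build_subject('Jane Example'));             // string(27) "Form data from Jane Example"
}
```

Run with `php example.php` to see the three checks; `send_form_mail()` is not exercised in the self-check because it would call mail(). The design point is that `build_subject()` only ever receives a string that `authorized_name()` has returned, so the question of whether the subject was "authenticated" is answered by the code structure rather than by a comment.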