This is a discussion on Spamproofing a send mail script within the PHP Language forums, part of the PHP Programming Forums category.
Hi,

I've a script that sends mail from my site. I've included a regexp which should return 403 forbidden if you try to hijack it and send to another address.

How can I test to make sure it works? E.g. can I try to spoof it to send mail to my other e-mail address?

Thanks for your help.

The script is:

<?php

$mailto = 'dvh@example.com' ;

$subject = "newsletter signup" ;

$formurl = "http://www.example.com/index.html" ;
$errorurl = "http://www.example.com/signuperror.html" ;
$thankyouurl = "http://www.example.com/signed.html" ;

$uself = 0;

$headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

if (!isset($_POST['email'])) {
    header( "Location: $formurl" );
    exit ;
}
if (empty($name) || empty($email) || empty($comments)) {
    header( "Location: $errorurl" );
    exit ;
}
if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
    header( "Location: $errorurl" );
    exit ;
}

if (get_magic_quotes_gpc()) {
    $comments = stripslashes( $comments );
}

if (!eregi('^[-A-Za-z0-9_]+@(example.com)$', $mailto)) {
    header('HTTP/1.0 403 Forbidden');
    die('Access denied.');
}

$messageproper =
    "This message was sent from:\n" .
    "$http_referrer\n" .
    "------------------------------------------------------------\n" .
    "Name of sender: $name\n" .
    "Email of sender: $email\n" .
    "------------------------- COMMENTS -------------------------\n\n" .
    $comments .
    "\n\n------------------------------------------------------------\n" ;

mail($mailto, $subject, $messageproper,
    "From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" .
    $headersep . "X-Mailer: chfeedback.php 2.08" );
header( "Location: $thankyouurl" );
exit ;

?>
DVH wrote:
> Hi,
>
> I've a script that sends mail from my site.
>
> I've included a regexp which should return 403 forbidden if you try to
> hijack it and send to another address.
>
> How can I test to make sure it works? E.g. can I try to spoof it to send
> mail to my other e-mail address?
>
> Thanks for your help.
>
> The script is:
>
> [script snipped]

You _must_ check for newlines in form to e-mail scripts. If not, a malicious user can add their own headers.

--
Brendan Gillatt
brendan {at} brendangillatt {dot} co {dot} uk
http://www.brendangillatt.co.uk
PGP Key: http://pgp.mit.edu:11371/pks/lookup?...rch=0xBACD7433
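In answer to the "how can I test it" question, an added example in PHP (not code from this thread): the script's newline check on the user-supplied fields, rewritten with preg_match() and paired with filter_var(), run over constructed inputs so you can see which ones are refused. Note that $mailto is hardcoded in the script, so the eregi() test on it can never fail; the check that actually matters is the one on $name and $email. The names, addresses and injected Bcc lines in the test inputs are all constructed.

```php
<?php
// Added example (not from the thread): the same newline check the script
// applies to $name and $email, plus address validation, exercised against
// constructed inputs so the rejection path can be tested without sending mail.
declare(strict_types=1);

// True if $value may go into a mail header: no CR, LF or NUL, the characters
// that would end one header line and start another.
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// Build the extra-headers argument for mail(), or return null when a field
// fails validation (the caller then answers 403 as the script does).
function buildHeaders(string $name, string $email): ?string
{
    if (!isHeaderSafe($name) || !isHeaderSafe($email)) {
        return null;
    }
    // Require a syntactically valid address; this also rejects '<', '>' and
    // whitespace that could break out of the angle-bracketed address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quote the display name and escape quotes/backslashes inside it.
    $display = '"' . addcslashes($name, '"\\') . '"';
    return "From: $display <$email>\r\n"
         . "Reply-To: $display <$email>\r\n"
         . "X-Mailer: chfeedback.php 2.08";
}

// Constructed inputs: one normal submission and three that must be refused.
$cases = [
    'plain'           => ['Jane Doe', 'jane@example.org'],
    'lf in email'     => ['Jane Doe', "jane@example.org\nBcc: other@example.net"],
    'crlf in name'    => ["Jane\r\nBcc: other@example.net", 'jane@example.org'],
    'malformed email' => ['Jane Doe', 'not an address'],
];

foreach ($cases as $label => [$name, $email]) {
    $headers = buildHeaders($name, $email);
    printf("%-16s %s\n", $label, $headers === null ? 'rejected (403)' : 'accepted');
}
```

Run it from the command line with `php` to see only the plain submission accepted; the same buildHeaders() result can replace the hand-built header string passed to mail() in the script.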
"Brendan Gillatt" <brendanREMOVETHIS@brendanREMOVETHISgillatt.co.uk> wrote in message news:fvqdnduuN-bqurfaRVnyggA@pipex.net...
> You _must_ check for newlines in form to e-mail scripts. If not, a
> malicious user can add their own headers.

Thanks Brendan.