Re: [PHP] php 'mail()' security
No, but thanks, the other input is more towards what I was looking for.

I want to take in an email address, and various other fields. Then, send an email using 'mail()' with the other fields as the 'body', and the email address as the 'reply_to' address, to someone in my company. That way, they can read the submitted information, and then just hit 'reply' on their mail program when they want to comment on the material.

"Tech Support" <[EMAIL PROTECTED]> wrote:
>
> I think you are looking for something different.
>
> do this:
>
> print "<pre>";
> print_r($_SERVER);
> print "</pre>";
>
> You will see a whole bunch of useful globals. As a matter of fact, try this
> one out too:
>
> print "<pre>";
> print_r($GLOBALS);
> print "</pre>";
>
> Jim Grill
> Support
> Web-1 Hosting
> http://www.web-1hosting.net
> ----- Original Message -----
> From: "Bob Lockie" <[EMAIL PROTECTED]>
> To: "Dennis Gearon" <[EMAIL PROTECTED]>; "Tech Support" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Sunday, July 28, 2002 1:19 PM
> Subject: Re: [PHP] php 'mail()' security
>
> > > There is no substitute for good data verification such as strip_tags() or
> > > some regular expressions to limit valid input. I also would recommend
> > > checking the referrer to be sure someone doesn't hijack your form and try
> > > to modify it and submit it from a remote location. Here is an example:
> > >
> > > if (validReferrer() === false)
> > >     die("invalid referrer");
> > >
> > > function validReferrer()
> > > {
> > >     $_valid_referrers =
> > >         array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");
> > >     $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
> > >     $ref = explode('/', $referer);
> > >     if ( in_array($ref[1], $_valid_referrers) )
> > >         return true;
> > >     else
> > >         return false;
> > > }
> >
> > That is a good idea.
> > $_SERVER['HTTP_REFERER'] is the web server identifier, right?
> > My web server is 10.0.0.5 from the internal LAN.
> > I am hesitant to allow HTTP_REFERERs from 10.0.0.5 because it seems to me
> > that it would be easy enough to configure a strange box to imitate 10.0.0.5.
> > Can I somehow check that the HTTP_REFERER = localhost?

--
-
Joy is just a thing (to be).. raised on,
Love is just the way to Live and Die,
    John Denver.
-
He lost a friend, but kept his Memory (also John Denver),
    Thank you...John Corones...my friend always.
-
Look lovingly upon the present,
for it holds the only things that are forever true.
-
    Sincerely, Dennis Gearon (Kegley)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php 'mail()' security
I think you are looking for something different.

do this:

print "<pre>";
print_r($_SERVER);
print "</pre>";

You will see a whole bunch of useful globals. As a matter of fact, try this one out too:

print "<pre>";
print_r($GLOBALS);
print "</pre>";

Jim Grill
Support
Web-1 Hosting
http://www.web-1hosting.net
----- Original Message -----
From: "Bob Lockie" <[EMAIL PROTECTED]>
To: "Dennis Gearon" <[EMAIL PROTECTED]>; "Tech Support" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, July 28, 2002 1:19 PM
Subject: Re: [PHP] php 'mail()' security

> > There is no substitute for good data verification such as strip_tags() or
> > some regular expressions to limit valid input. I also would recommend
> > checking the referrer to be sure someone doesn't hijack your form and try to
> > modify it and submit it from a remote location. Here is an example:
> >
> > if (validReferrer() === false)
> >     die("invalid referrer");
> >
> > function validReferrer()
> > {
> >     $_valid_referrers =
> >         array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");
> >     $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
> >     $ref = explode('/', $referer);
> >     if ( in_array($ref[1], $_valid_referrers) )
> >         return true;
> >     else
> >         return false;
> > }
>
> That is a good idea.
> $_SERVER['HTTP_REFERER'] is the web server identifier, right?
> My web server is 10.0.0.5 from the internal LAN.
> I am hesitant to allow HTTP_REFERERs from 10.0.0.5 because it seems to me
> that it would be easy enough to configure a strange box to imitate 10.0.0.5.
> Can I somehow check that the HTTP_REFERER = localhost?
Re: [PHP] php 'mail()' security
> There is no substitute for good data verification such as strip_tags() or
> some regular expressions to limit valid input. I also would recommend
> checking the referrer to be sure someone doesn't hijack your form and try to
> modify it and submit it from a remote location. Here is an example:
>
> if (validReferrer() === false)
>     die("invalid referrer");
>
> function validReferrer()
> {
>     $_valid_referrers =
>         array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");
>     $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
>     $ref = explode('/', $referer);
>     if ( in_array($ref[1], $_valid_referrers) )
>         return true;
>     else
>         return false;
> }

That is a good idea.
$_SERVER['HTTP_REFERER'] is the web server identifier, right?
My web server is 10.0.0.5 from the internal LAN.
I am hesitant to allow HTTP_REFERERs from 10.0.0.5 because it seems to me that it would be easy enough to configure a strange box to imitate 10.0.0.5.
Can I somehow check that the HTTP_REFERER = localhost?
RE: [PHP] php 'mail()' security
HTTP_REFERER can be spoofed quite easily with some browsers. The best way to handle this is to provide as much of your own data as possible, and validate anything you do end up using from the user. For instance, use your own subject, make sure the To: address comes from you (a file or database, whatever), etc...

Make sure anything coming from the user, that you put into the headers, subject, from, reply-to, etc... does not have any line breaks. A simple str_replace or something to remove them, or pop up an error if they are there, will work.

The less user data you can use the better. It gives them less of a chance to insert extra headers, which is pretty much the only threat. If there's a possibility of the email not being shown as plain text, then you'll want to use strip_tags() like others mentioned.

---John Holmes...

> -----Original Message-----
> From: Tech Support [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 28, 2002 10:57 AM
> To: Dennis Gearon; Bob Lockie
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] php 'mail()' security
>
> There is no substitute for good data verification such as strip_tags() or
> some regular expressions to limit valid input. I also would recommend
> checking the referrer to be sure someone doesn't hijack your form and try to
> modify it and submit it from a remote location. Here is an example:
>
> if (validReferrer() === false)
>     die("invalid referrer");
>
> function validReferrer()
> {
>     $_valid_referrers =
>         array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");
>     $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
>     $ref = explode('/', $referer);
>     if ( in_array($ref[1], $_valid_referrers) )
>         return true;
>     else
>         return false;
> }
>
> Jim Grill
> Support
> Web-1 Hosting
> http://www.web-1hosting.net
> ----- Original Message -----
> From: "Dennis Gearon" <[EMAIL PROTECTED]>
> To: "Bob Lockie" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Saturday, July 27, 2002 10:54 PM
> Subject: Re: [PHP] php 'mail()' security
>
> > What I meant was, how to sanitize the input on the forms so that
> > malicious stuff cannot be put as commands, etc. in the email address, or
> > body, or 'extra' field of the 'mail()' function in PHP.
Re: [PHP] php 'mail()' security
There is no substitute for good data verification such as strip_tags() or some regular expressions to limit valid input. I also would recommend checking the referrer to be sure someone doesn't hijack your form and try to modify it and submit it from a remote location. Here is an example:

if (validReferrer() === false)
    die("invalid referrer");

function validReferrer()
{
    // Hosts that are allowed to have served the form.
    $_valid_referrers = array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");

    // Browsers are not required to send a Referer header at all.
    if (!isset($_SERVER['HTTP_REFERER']))
        return false;

    // "http://host/path" becomes "http:/host/path", so the host is element 1.
    $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
    $ref = explode('/', $referer);

    if ( isset($ref[1]) && in_array($ref[1], $_valid_referrers) )
        return true;
    else
        return false;
}

Jim Grill
Support
Web-1 Hosting
http://www.web-1hosting.net
----- Original Message -----
From: "Dennis Gearon" <[EMAIL PROTECTED]>
To: "Bob Lockie" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, July 27, 2002 10:54 PM
Subject: Re: [PHP] php 'mail()' security

> What I meant was, how to sanitize the input on the forms so that
> malicious stuff cannot be put as commands, etc. in the email address, or
> body, or 'extra' field of the 'mail()' function in PHP.
Re: [PHP] php 'mail()' security
- strip_tags() will remove HTML and PHP code from a string

- there is a great function set which validates email addresses to ensure the email address is in the correct format available from killersoft: http://killersoft.com/modules.php?op=modload&name=News&file=article&sid=2

- ensuring there are no newlines (\n) in the email address, subject, etc etc will ensure that they aren't sneaking another email header into an existing header.

Justin French

on 28/07/02 1:54 PM, Dennis Gearon ([EMAIL PROTECTED]) wrote:

> What I meant was, how to sanitize the input on the forms so that
> malicious stuff cannot be put as commands, etc. in the email address, or
> body, or 'extra' field of the 'mail()' function in PHP.
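The advice in John Holmes' reply (keep To: and Subject: under the application's control, reject line breaks in anything that reaches a header, strip_tags() the body) and in Justin French's reply (validate the address format, no newlines in the address or subject) is combined below in one form handler. This is an added example, not code from this thread; it uses filter_var() with FILTER_VALIDATE_EMAIL, which did not exist in the PHP of 2002, and the recipient address, the form field names and the two constructed submissions are assumptions for the demonstration.

```php
<?php
// Added example: a contact-form handler where only the Reply-To address and
// the body come from the user. To:, Subject: and the headers' layout are fixed
// by the application, so the only way to smuggle a header is through Reply-To,
// and that value is refused if it contains CR, LF or NUL.

// Hypothetical recipient; in a real deployment this comes from config or a
// database, never from the submitted form.
define('CONTACT_RECIPIENT', 'support@example.com');

/**
 * True if $value may be placed in a mail header: a string with no CR, LF or NUL.
 * A header-injection payload needs a line break to start a new header, so
 * refusing these three bytes closes that door for this field.
 */
function isHeaderSafe($value)
{
    return is_string($value) && !preg_match('/[\r\n\x00]/', $value);
}

/**
 * Validates a user-supplied Reply-To address. It must be a single mailbox
 * (no display name, no comma-separated list) with no line breaks.
 * Returns the trimmed address, or false if it is refused.
 */
function validateReplyTo($address)
{
    $address = trim((string) $address);
    if (!isHeaderSafe($address) || strlen($address) > 254) {
        return false;
    }
    // FILTER_VALIDATE_EMAIL also rejects "a@b.example, c@d.example", so a
    // second recipient cannot be appended even without a line break.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $address;
}

/**
 * Builds the arguments for mail() from form input. Returns an array with
 * 'to', 'subject', 'body' and 'headers', or a string saying why the input
 * was refused. No user-controlled value reaches To:, Subject: or the
 * $additional_params argument of mail().
 */
function buildContactMail(array $form)
{
    $replyTo = validateReplyTo(isset($form['email']) ? $form['email'] : '');
    if ($replyTo === false) {
        return 'invalid reply-to address';
    }

    // Free-text fields go into the body only. The message is sent as
    // text/plain, but tags are stripped anyway in case a mail client renders it.
    $lines = array();
    foreach (array('name', 'message') as $field) {
        $value = isset($form[$field]) ? (string) $form[$field] : '';
        $lines[] = ucfirst($field) . ': ' . strip_tags($value);
    }

    $headers = 'From: ' . CONTACT_RECIPIENT . "\r\n"
             . 'Reply-To: ' . $replyTo . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return array(
        'to'      => CONTACT_RECIPIENT,
        'subject' => 'Website contact form',   // fixed by the application
        'body'    => implode("\n", $lines),
        'headers' => $headers,
    );
}

// Constructed inputs: an honest submission, and the attack the thread warns
// about, where a Bcc: header rides in on the address field.
$good = array('email' => 'alice@example.net', 'name' => 'Alice', 'message' => 'Hello');
$evil = array('email' => "alice@example.net\r\nBcc: victim1@example.org,victim2@example.org",
              'name'  => 'x', 'message' => 'spam');

$ok  = buildContactMail($good);
$bad = buildContactMail($evil);

echo is_array($ok)   ? "good: accepted\n" . $ok['headers'] : "good: refused\n";
echo is_string($bad) ? "evil: refused ($bad)\n"            : "evil: ACCEPTED (bug)\n";

// The real send happens only after validation succeeded:
// if (is_array($ok)) mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']);
```

Run with `php form.php` and the honest submission is accepted while the injected Bcc: is refused. Note what the handler deliberately does not do: it performs no referrer check, because the Referer header is chosen by whatever client sends the request, and it silently removes nothing from the address; a value that fails the check is rejected outright, which is the safer of the two options John Holmes describes, since a stripped-down address may no longer be the one the user meant.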
Re: [PHP] php 'mail()' security
What I meant was, how to sanitize the input on the forms so that malicious stuff cannot be put as commands, etc. in the email address, or body, or 'extra' field of the 'mail()' function in PHP.

--
-
Joy is just a thing (to be).. raised on,
Love is just the way to Live and Die,
    John Denver.
-
He lost a friend, but kept his Memory (also John Denver),
    Thank you...John Corones...my friend always.
-
Look lovingly upon the present,
for it holds the only things that are forever true.
-
    Sincerely, Dennis Gearon (Kegley)
Re: [PHP] php 'mail()' security
On Sat, 27 Jul 2002 17:31:16 -0700, Dennis Gearon wrote:

> How can I make my form, which is entered by a user, then sent to a company
> employee, secure, not vulnerable to attack?

Setup SSL on your web server.
RE: [PHP] PHP mail() security hole on 4.0.5+
> > -----Original Message-----
> > From: Michael Geier, CDM Systems Admin [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 9:39 AM
> > To: PHP Mailing List
> > Subject: [PHP] PHP mail() security hole on 4.0.5+
> >
> > http://www.net-security.org/text/bugs/995534103,28541,.shtml
>
> Anyone have suggestions on a quick fix for this? Is there some sort of
> validation on the user input that should be done?

Note that it is only a problem on shared servers where safe-mode is turned on. For those servers a really quick fix is to disable the mail function in your php.ini file. A better fix is to apply this patch:

http://cvs.php.net/viewcvs.cgi/php4/ext/standard/mail.c.diff?r1=text&tr1=1.33&r2=text&tr2=1.38&diff_format=u

-Rasmus

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] PHP mail() security hole on 4.0.5+
> -----Original Message-----
> From: Michael Geier, CDM Systems Admin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 9:39 AM
> To: PHP Mailing List
> Subject: [PHP] PHP mail() security hole on 4.0.5+
>
> http://www.net-security.org/text/bugs/995534103,28541,.shtml

Anyone have suggestions on a quick fix for this? Is there some sort of validation on the user input that should be done?

TIA
Kirk