Re: [PHP] [Q] mail() security

2005-04-05 Thread Richard Lynch
On Mon, April 4, 2005 2:00 pm, Eric Gorr said: I wanted to setup a good 'contact me' page on my website. I do not want to reveal my e-mail address, so I was going to use a form. The PHP script with the actual mail() function would define the To and Subject parameters, so these could not be

Re: [PHP] [Q] mail() security

2005-04-05 Thread Eric Gorr
Richard Lynch wrote: On Mon, April 4, 2005 2:00 pm, Eric Gorr said: I wanted to setup a good 'contact me' page on my website. I do not want to reveal my e-mail address, so I was going to use a form. The PHP script with the actual mail() function would define the To and Subject parameters, so these

Re: [PHP] [Q] mail() security

2005-04-05 Thread Richard Lynch
On Tue, April 5, 2005 9:22 pm, Eric Gorr said: It's possible, though extremely unlikely, that somebody could construct a malicious email that passes through strip_tags and/or htmlentities and still does something *bad* for your particular email application. Can you give an example? No, I

RE: [PHP] [Q] mail() security

2005-04-04 Thread Chris W. Parker
Eric Gorr <[EMAIL PROTECTED]> on Monday, April 04, 2005 2:01 PM said: The only concern I had was how to process the body text. Any recommendations? One useful function would appear to be strip_tags, so no one could embed annoying or destructive HTML, etc. which I may accidentally

Re: [PHP] [Q] mail() security

2005-04-04 Thread Eric Gorr
Chris W. Parker wrote: www.php.net/addslashes I am uncertain what dangerous/annoying things might happen if I did not call this function. Can you come up with any? Remember, the text being processed goes straight from $_POST[ 'body' ] through strip_tags (+ more?) into mail(). It would seem

Re: [PHP] [Q] mail() security

2005-04-04 Thread Josip Dzolonga
Eric Gorr wrote: Any other suggestions? Well see this example : function clean_body($body_text) { if(ini_get('magic_quotes_gpc')) $body_text = stripslashes($body_text); // If magic_quotes are on, strip the extra-added slashes return htmlentities($body_text); // Return the value } This is

RE: [PHP] [Q] mail() security

2005-04-04 Thread Chris W. Parker
Eric Gorr <[EMAIL PROTECTED]> on Monday, April 04, 2005 3:13 PM said: Remember, the text being processed goes straight from $_POST[ 'body' ] through strip_tags (+ more?) into mail(). Remember? You didn't mention this in your original email so how could I be told to recall this

Re: [PHP] [Q] mail() security

2005-04-04 Thread Eric Gorr
Chris W. Parker wrote: It seems as if strip_tags strip out everything that htmlentities would change and would therefore be unnecessary. strip_tags() and htmlentities() both perform separate functions (hence they have different names). htmlentities() encodes special characters, strip_tags()

Re: [PHP] [Q] mail() security

2005-04-04 Thread Eric Gorr
Josip Dzolonga wrote: Eric Gorr wrote: Any other suggestions? Well see this example : function clean_body($body_text) { if(ini_get('magic_quotes_gpc')) $body_text = stripslashes($body_text); // If magic_quotes are on, strip the extra-added slashes return htmlentities($body_text); //

Re: [PHP] [Q] mail() security

2005-04-04 Thread Josip Dzolonga
Eric Gorr wrote: Shouldn't strip_tags be enough? What dangerous/annoying things might happen if I replaced htmlentities with strip_tags in the above function and then passed the body text to the mail() function? Nothing, but with htmlentities() you can be sure if the user has tried to inject

RE: [PHP] [Q] mail() security

2005-04-04 Thread Chris W. Parker
Eric Gorr <[EMAIL PROTECTED]> on Monday, April 04, 2005 3:48 PM said: htmlentities would potentially make the body text messier than seems necessary. Then just use strip_tags() and be done with it. It's not like nuclear missiles are going to be launched via your email form if you use

Re: [PHP] [Q] mail() security

2005-04-04 Thread Eric Gorr
Chris W. Parker wrote: Or in a less extreme case, your computer get hijacked and used to send spam because you used htmlentities() instead of strip_tags(). Well, this is why I asked the question to begin with. I am concerned (as everyone _should_ be) about such things and desire to do my best to

Re: [PHP] [Q] mail() security

2005-04-04 Thread Anthony Tippett
Eric, It sounds like you just need to do some reading on best practices of security when writing php code. It's pretty vast what one can do when trying to hack a php application and depending on what php server settings are set, you may need to do certain things. I'd suggest reading / google

Re: [PHP] [Q] mail() security

2005-04-04 Thread Eric Gorr
Anthony Tippett wrote: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ thank you for the suggestion. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] [Q] mail() security

2005-04-04 Thread Eric Gorr
Anthony Tippett wrote: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ Actually, I am familiar with everything this document mentions. Unfortunately, this document does not discuss what one might need to be concerned about when passing text to the body parameter of the mail() function. If
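The question the thread keeps circling (what can go wrong with the body parameter of mail()) has a short answer: the body cannot inject headers, because mail() writes the header block and the blank line that terminates it before the body is appended, and with Content-Type: text/plain any HTML in the body is inert in the recipient's client. The values that can be abused are the ones that end up in a header: a user-supplied address or name placed into From:/Reply-To: (or anything interpolated into $to, $subject or $additional_headers), where a CR/LF lets the sender append "Bcc:" lines and relay spam through your server. The handler below is an added example written for this page, not code posted in the thread; it assumes the form posts name, email and body, that the destination address and subject are fixed in the script (as the original poster intended), and a PHP 7.0+ runtime (magic_quotes_gpc was removed in PHP 5.4, so the stripslashes() step in the quoted clean_body() is no longer needed). The example.com addresses and the constructed injection attempt in the CLI branch are placeholders.

```php
<?php
// Added example (not from the thread): a hardened 'contact me' handler.
// Destination and subject are constants and never come from the request.
declare(strict_types=1);

const TO_ADDRESS = 'owner@example.com';    // placeholder; fixed, not user-controlled
const SUBJECT    = 'Contact form message';  // fixed, not user-controlled

/**
 * Anything destined for a mail *header* must not contain CR, LF or NUL.
 * A line break inside From:/Reply-To: lets the sender append their own
 * headers (e.g. "Bcc: ..." to thousands of addresses).
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Sender address: must be header-safe and syntactically an e-mail address.
 * FILTER_VALIDATE_EMAIL already rejects whitespace, so the CR/LF check is
 * belt and braces; keeping it makes the intent explicit.
 */
function validateSender(string $email): ?string
{
    if (!isHeaderSafe($email)) {
        return null;
    }
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

/**
 * Display name: header-safe, and stripped of the characters that would
 * break the quoted-string syntax of 'Reply-To: "name" <addr>'.
 */
function cleanDisplayName(string $name): ?string
{
    if (!isHeaderSafe($name)) {
        return null;
    }
    $name = trim(preg_replace('/["<>\\\\]/', '', $name));
    return $name === '' ? null : mb_substr($name, 0, 100);
}

/**
 * Body: newlines are fine here because the body is not a header. Fold line
 * endings to LF, drop markup with strip_tags(), remove remaining ASCII
 * control characters (except tab/newline) and cap the size so a multi-MB
 * post cannot be relayed through your MTA.
 */
function cleanBody(string $body, int $maxLen = 10000): string
{
    $body = str_replace(["\r\n", "\r"], "\n", $body);
    $body = strip_tags($body);
    $body = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $body) ?? '';
    return mb_substr($body, 0, $maxLen);
}

/** Returns [$to, $subject, $message, $headers] for mail(), or throws. */
function buildMessage(array $post): array
{
    $name   = cleanDisplayName((string)($post['name'] ?? ''));
    $sender = validateSender(trim((string)($post['email'] ?? '')));
    $text   = cleanBody((string)($post['body'] ?? ''));

    if ($name === null) {
        throw new InvalidArgumentException('Invalid name');
    }
    if ($sender === null) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    if (trim($text) === '') {
        throw new InvalidArgumentException('Empty message');
    }

    // The visitor's address goes into Reply-To only; From stays a local
    // address so the visitor's domain SPF/DMARC policy is not violated.
    $headers = [
        'From: Contact form <noreply@example.com>',   // placeholder address
        'Reply-To: "' . $name . '" <' . $sender . '>',
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $message = "Message from $name <$sender>:\n\n" . $text;
    return [TO_ADDRESS, SUBJECT, $message, implode("\r\n", $headers)];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        [$to, $subject, $message, $headers] = buildMessage($_POST);
        echo mail($to, $subject, $message, $headers) ? 'Sent.' : 'Sending failed.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} else {
    // CLI self-check with a constructed header-injection attempt.
    $attack = ['name' => 'Bob', 'body' => 'hi',
               'email' => "bob@example.com\r\nBcc: victim@example.net"];
    try {
        buildMessage($attack);
        echo "injection NOT rejected\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```

Run it from the command line to exercise the constructed attack (the sender field is rejected before anything reaches mail()); deploy it behind a POST form to use it for real. Note that the thread's strip_tags()-versus-htmlentities() debate only concerns readability of the body: neither function protects the header fields, which is where the CR/LF check above does the real work.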