[PHP] Blocking Values From an External Source
Hi,

I have a script on my site for processing values sent from a contact form and emailing them to the webmaster. The script has been abused by spammers and my hosting company has recommended that I change the script to only accept information posted from my own URL. Could someone tell me how this can be done please?

Thanks for your advice.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Blocking Values From an External Source
On Dec 16, 2005, at 11:50 AM, Shaun wrote:

> I have a script on my site for processing values sent from a contact form and emailing them to the webmaster. The script has been abused by spammers and my hosting company has recommended that I change the script to only accept information posted from my own URL. Could someone tell me how this can be done please?

Hello,

Maybe try using:

    $_SERVER['DOCUMENT_ROOT']

Or, something similar.

http://us2.php.net/reserved.variables

Hth,
Cheers,
Micky
Re: [PHP] Blocking Values From an External Source
Or try

    define('ALLOWED_DOMAIN_NAME', 'www.example.com'); // placeholder: your own host name
    $defined['hostname'] = ALLOWED_DOMAIN_NAME;
    if ($_SERVER['SERVER_NAME'] != $defined['hostname']) {
        echo 'Not from my domain pal';
    }

Michael Hulse wrote:

> On Dec 16, 2005, at 11:50 AM, Shaun wrote:
>
>> I have a script on my site for processing values sent from a contact form and emailing them to the webmaster. The script has been abused by spammers and my hosting company has recommended that I change the script to only accept information posted from my own URL. Could someone tell me how this can be done please?
>
> Hello,
>
> Maybe try using:
>
>     $_SERVER['DOCUMENT_ROOT']
>
> Or, something similar.
>
> http://us2.php.net/reserved.variables
>
> Hth,
> Cheers,
> Micky

--
Jason Gerfen

Oh I have seen a lot of what the world can do, and it's breaking my heart in two...
~ Wild World, Cat Stevens
Re: [PHP] Blocking Values From an External Source
On Dec 16, 2005, at 12:05 PM, Michael Hulse wrote:

> http://us2.php.net/reserved.variables

Check this post in the comment section of the above URL:

> Zoic
> 20-Sep-2005 11:39
>
> I just wrote up this function to secure forms on my site so that you can't submit a form from anywhere but your site. This is extremely effective in securing your forms from hacking attempts.
Re: [PHP] Blocking Values From an External Source
----- Original Message -----
From: Shaun [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Friday, December 16, 2005 7:50 PM
Subject: [PHP] Blocking Values From an External Source

> Hi,
>
> I have a script on my site for processing values sent from a contact form and emailing them to the webmaster. The script has been abused by spammers and my hosting company has recommended that I change the script to only accept information posted from my own URL. Could someone tell me how this can be done please?

If your script is being abused through mail header injection, making it only accept information being posted from your own URL won't work.

First set a max length in your "from" e-mail address text box and validate that. For example:

    if (strlen($_POST['email']) > SOME_NUMBER) {
        die('E-Mail Address Too Long');
    }

Next, validate your e-mail address to the RFC standard; there's a good tutorial here:

http://www.iamcal.com/publish/articles/php/parsing_email/

If you validate it using the function in the article, your form will be bulletproof as far as header injection goes, as the RFC standard does not allow a '\' or ':' in the address.

If you follow your ISP's advice and still allow invalid input from your form, you're leaving yourself wide open to header injection. For example, someone can still input

    [EMAIL PROTECTED]: [EMAIL PROTECTED]

into the "from" address field. Who needs a bot to post that info when a single click on a form can see your script used to spam a stack of recipients?

To put it another way, is it worth validating the source of your input if you're not going to validate the input itself?

HTH
Cheers
Matt
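The two halves of Matt's advice, a length cap plus real address validation so that no line break can reach a mail header, combined with a per-session form token for the "only from my own page" requirement, as an added example that is not code from anyone in this thread. It assumes a modern PHP (filter_var, hash_equals, random_bytes) and uses its own names (MAX_EMAIL_LEN, contact_token, validate_contact_input).

```php
<?php
// Added example (not from the thread). Hardened contact-form handler:
// rejects CR/LF in header-bound fields, caps the address length, validates
// the address, and ties the form to a one-shot session token so that a bare
// POST from elsewhere is refused. Names below are this example's own.
declare(strict_types=1);
session_start();

const MAX_EMAIL_LEN = 254; // assumed cap; RFC 5321 path-length limit

/** Returns null if $post is safe to mail, otherwise a reason string. */
function validate_contact_input(array $post, ?string $sessionToken): ?string
{
    // Form-origin check: the token was issued when the form page was rendered.
    if ($sessionToken === null || !isset($post['token'])
        || !hash_equals($sessionToken, (string) $post['token'])) {
        return 'form token missing or invalid';
    }
    foreach (['email', 'name', 'subject'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return "missing field: $field";
        }
        // Anything copied into a mail header must not contain a line break;
        // that is what lets an attacker append extra headers such as Bcc:.
        if (preg_match('/[\r\n\0]/', $post[$field])) {
            return "line break in header field: $field";
        }
    }
    if (strlen($post['email']) > MAX_EMAIL_LEN) {
        return 'email address too long';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'email address is not valid';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = validate_contact_input($_POST, $_SESSION['contact_token'] ?? null);
    if ($error !== null) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
    }
    unset($_SESSION['contact_token']); // one-shot: a replayed POST is refused
    // Only now is it safe to build headers from $_POST['email'] and call mail().
} else {
    // Rendering the form: issue a fresh token and embed it as a hidden input.
    $_SESSION['contact_token'] = bin2hex(random_bytes(16));
}
```

The token covers the "only from my own URL" part of the request; the CR/LF and address checks are what actually stop the header injection Matt describes, and both are needed.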