[PHP] Blocking Values From an External Source

2005-12-16 Thread Shaun
Hi,

I have a script on my site for processing values sent from a contact form 
and emailing them to the webmaster. The script has been abused by spammers 
and my hosting company has recommended that I change the script to only 
accept information posted from my own URL. Could someone tell me how this 
can be done please?

Thanks for your advice. 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Blocking Values From an External Source

2005-12-16 Thread Michael Hulse


On Dec 16, 2005, at 11:50 AM, Shaun wrote:
I have a script on my site for processing values sent from a contact form
and emailing them to the webmaster. The script has been abused by spammers
and my hosting company has recommended that I change the script to only
accept information posted from my own URL. Could someone tell me how this
can be done please?


Hello,

Maybe try using:

$_SERVER['DOCUMENT_ROOT']

Or, something similar.

http://us2.php.net/reserved.variables

Hth,
Cheers,
Micky




Re: [PHP] Blocking Values From an External Source

2005-12-16 Thread Jason Gerfen

Or try

// Your own hostname; the value here is a placeholder.
define('ALLOWED_DOMAIN_NAME', 'www.example.com');

$defined['hostname'] = ALLOWED_DOMAIN_NAME;

// SERVER_NAME is the name of the virtual host that handled this request.
if ($_SERVER['SERVER_NAME'] != $defined['hostname']) {
    echo "Not from my domain pal";
    exit; // stop here rather than fall through to the mailing code
}

--
Jason Gerfen

Oh I have seen alot of what
the world can do, and its
breaking my heart in two...
~ Wild World, Cat Stevens

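The replies above point at $_SERVER variables, but the question was how to accept posts only from your own page. The following is an added example, not code from anyone in this thread: it checks the Referer header against your own hostname and, because Referer is sent by the client and can be omitted or forged, also requires a random per-session token that only a form rendered by your site would carry. The hostname, field names and PHP 7+ functions used are assumptions.

```php
<?php
// Added example (not from the thread). Two layers for "only accept posts
// from my own URL": a Referer host check and a per-session form token.
// ALLOWED_HOST and the field names are assumptions.

define('ALLOWED_HOST', 'www.example.com'); // assumption: your own hostname

// True when the Referer URL's host is exactly ours. Referer is client
// supplied: proxies and privacy tools strip it and bots can forge it,
// so this only turns away naive form-posting scripts.
function referer_is_local($referer, $allowed_host)
{
    if (!is_string($referer) || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    // Exact, case-insensitive match so "www.example.com.evil.net" fails.
    return is_string($host) && strcasecmp($host, $allowed_host) === 0;
}

// Generate a token once per session and embed it in the form as a
// hidden field; a request made from somewhere else will not have it.
function issue_form_token()
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function form_token_is_valid($submitted)
{
    return isset($_SESSION['form_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['form_token'], $submitted);
}

// Form handler: reject anything that fails either check.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null;
    $token   = isset($_POST['token']) ? $_POST['token'] : null;
    if (!referer_is_local($referer, ALLOWED_HOST) || !form_token_is_valid($token)) {
        header('HTTP/1.1 403 Forbidden');
        exit('This form must be submitted from ' . ALLOWED_HOST);
    }
    // ... validate the fields and send the mail here ...
} else {
    // When rendering the form:
    // <input type="hidden" name="token" value="<?php echo issue_form_token(); ?>">
    issue_form_token();
}
```

The token is the check that actually binds a submission to a page you served; the Referer test is cheap but should be treated as a filter, not a guarantee. Neither replaces validating the posted values themselves, which is the point Matt makes further down the thread.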



Re: [PHP] Blocking Values From an External Source

2005-12-16 Thread Michael Hulse


On Dec 16, 2005, at 12:05 PM, Michael Hulse wrote:

http://us2.php.net/reserved.variables


Check this post in the comment section of above url:

Zoic
20-Sep-2005 11:39
I just wrote up this function to secure forms on my site so that you 
can't submit a form from anywhere but your site. This is extremely 
effective in securing your forms from hacking attempts.





Re: [PHP] Blocking Values From an External Source

2005-12-16 Thread Matt Stone

- Original Message - 
From: Shaun [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Friday, December 16, 2005 7:50 PM
Subject: [PHP] Blocking Values From an External Source


 Hi,

 I have a script on my site for processing values sent from a contact form
 and emailing them to the webmaster. The script has been abused by spammers
 and my hosting company has recommended that I change the script to only
 accept information posted from my own URL. Could someone tell me how this
 can be done please?


If your script is being abused through mail headers injection, making it
only accept information being posted from your own url won't work.
First set a max length in your From e-mail address text box and validate
that. For example:

if (strlen($_POST['email']) > SOME_NUMBER) {
    die("E-Mail Address Too Long");
}

Next, validate your e-mail address to the RFC standard; there's a good
tutorial here: http://www.iamcal.com/publish/articles/php/parsing_email/

If you validate it using the function in the article your form will be
bulletproof as far as header injection goes, as the RFC standard does not
allow a '\' or ':' in the address. If you follow your ISP's advice and still
allow invalid input from your form you're leaving yourself wide open to
header injection. For example someone can still input

[EMAIL PROTECTED]: [EMAIL PROTECTED]

into the from address field. Who needs a bot to post that info when a single
click on a form can see your script used to spam a stack of recipients? To
put it another way, is it worth validating the source of your input if
you're not going to validate the input itself?

HTH

Cheers
Matt

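To make Matt's point concrete, here is an added example (not code from the thread or from the linked article) showing the mail-header injection he describes and the input checks that stop it: a length cap, rejection of CR/LF characters, and address validation with PHP's built-in filter rather than a hand-written RFC parser. The webmaster address, field names and length limit are assumptions.

```php
<?php
// Added example (not from the thread). A contact-form mailer that is open
// to header injection, beside a hardened version. WEBMASTER and
// MAX_EMAIL_LEN are assumptions.

define('WEBMASTER', 'webmaster@example.com'); // assumption
define('MAX_EMAIL_LEN', 254);                 // assumed cap on address length

// VULNERABLE: the From value goes straight into the header block, so a
// submitted address containing a CR/LF plus "Bcc: ..." adds recipients.
function send_contact_vulnerable($from, $message)
{
    $headers = "From: $from\r\n";
    return mail(WEBMASTER, 'Contact form', $message, $headers);
}

// True only for a single, sane address: bounded length, no line breaks
// or NULs (the header-injection vector), and syntactically valid.
function clean_email($email)
{
    if (!is_string($email) || $email === '' || strlen($email) > MAX_EMAIL_LEN) {
        return false;
    }
    if (preg_match('/[\r\n\0]/', $email)) {
        return false; // someone is trying to start a new header line
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// HARDENED: validate first, and never let user input become a header.
// The visitor's address goes in Reply-To; From stays a fixed local address.
function send_contact_hardened($from, $message)
{
    if (!clean_email($from)) {
        return false;
    }
    $headers = "From: " . WEBMASTER . "\r\n"
             . "Reply-To: $from\r\n";
    // The body may contain anything; just normalise line endings.
    $body = str_replace(["\r\n", "\r"], "\n", $message);
    return mail(WEBMASTER, 'Contact form', $body, $headers);
}

// Constructed spammer payload of the kind Matt describes: a valid-looking
// address followed by an injected Bcc header.
$payload = "victim@example.net\r\nBcc: a@example.org, b@example.org";

// clean_email() rejects $payload and accepts a plain address, so only the
// hardened sender refuses the spam attempt.
$rejected = clean_email($payload);
$accepted = clean_email('someone@example.net');
```

Note that the server-side check is what matters; the maxlength attribute on the form field is advice to the browser and a bot posting directly will ignore it. Also keep the visitor's address out of From: even when it validates, since sending as an arbitrary domain will be rejected or marked as spam by receivers checking SPF.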