[PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Greg Schnippel
Has anyone developed a really good defense against email injection attacks? I'm waging a prolonged campaign against these luser hordes on a number of non-profit sites I help maintain. I've tried to secure all of the feedback forms using the function below that I cobbled together from various php

RE: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Jim Moseby
- The most foolproof solution I can think of would be to continue logging the successful entries to a database and _not_ send the email. That way even if they get through, no emails get sent. The form would log the feedback and send an email to the admin that a comment is available for

Re: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread John Hinton
Greg Schnippel wrote:
> Has anyone developed a really good defense against email injection attacks? I'm waging a prolonged campaign against these luser hordes on a number of non-profit sites I help maintain. I've tried to secure all of the feedback forms using the function below that I cobbled

Re: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Russell Jones
Why don't you just break the code? Before anything goes through, replace colons with dashes, dashes with underscores, etc. Stuff that will not mess up readability but would prevent it from being parsed by the mail function.
On 2/6/06, Jim Moseby wrote:
> - The most foolproof

Re: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Liam Delahunty
On 2/6/06, Jim Moseby wrote:
> Is it time to abandon using mail() for all user contributed data?
Sort of. Don't write any user input to the headers. Send the data to a default address, don't include anything in the subject or the headers from the input and you'll avoid the problems.
-- Kind

Re: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Stut
Greg Schnippel wrote:
> Has anyone developed a really good defense against email injection attacks?
I've implemented a complex algorithm to help prevent this problem. Every form I have has a text field with a random name surrounded by the text... If you are human please enter 'human'

Re: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Chris
Greg Schnippel wrote:
> Has anyone developed a really good defense against email injection attacks?
> snip
A bit late but this is a good guide: http://securephp.damonkohler.com/index.php/Email_Injection
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: