php-general Digest 12 Mar 2006 12:39:06 -0000 Issue 4011

Topics (messages 231797 through 231800):

Re: Possible hacker using php script to send e-mails?
        231797 by: Manuel Lemos
        231799 by: Julius Hacker

Re: PHP/CSS/Javascript question
        231798 by: Jesús Fernández

mb_strpos index woes
        231800 by: joseph

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        php-general@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Hello,

on 03/11/2006 04:12 PM Rasmus Lerdorf said the following:
>>> I am running php 4.x on a suse 9.x machine. There is a php script which
>>> resides
>>> on a webapp that is responsible for sending e-mail to myself in case of
>>> errors like db-errors or similar. Called error.php
>>> This script does include phpmailer and uses it to send the e-mails to
>>> me.
>>> Now I am receiving on the e-mail specified as TO: e-mails with different
>>> subject
>>> than specified and different text?! All English text with weird
>>> sentences, must be a bot or so. How is this possible? The subject line
>>> is fixed and right after that the command send is executed. So no idea how
>>> they do it and how I can prevent it. It looks like this:
>>> $mail->Subject = 'Fehlerbericht';
>>> $mail->Send();
>>> How is it possible that they change this subject line? I checked the
>>> server log and each time an e-mail of that kind has been sent to me
>>> there is a log entry in the Apache log that says that this script has been
>>> executed. So the e-mails definitely come from that script?!
>>
>> If you are setting message headers with untrusted values that may
>> contain line breaks, that is your problem. Line breaks make mail systems
>> interpret the next line as a new header. That header may be used to
>> inject new recipients for instance using Bcc: .
>>
>> You can have line breaks in header but you need to escape them properly
>> so they are interpreted as continuation lines rather than new headers.
> 
> That is only true for the additional_headers (4th) argument to the mail
> function.  That argument is specifically for doing free-form headers, so
> as long as you only use the to, subject and message arguments to the
> mail function you are safe.

That is what I said: sending headers with untrusted values. People
have to use the 4th argument to set, for instance, the From: header. This
From: header is often set from form values to the e-mail address
and name of the person that is trying to contact the site's people. That
is usually where most of the PHP mail form abuses come from.

As I said, line breaks in the From: or other headers are not invalid.
Actually, line breaks should be used to comply with RFC recommendations
and not exceed the 78/998 line length limits. When these limits are
exceeded, messages may arrive corrupted.

The mail function is a better-than-nothing solution. It can still be
used, but to send RFC-compliant messages it is often necessary to
correctly format the message contents. That is why I always recommend this
or another class that takes care of those (many) details:

http://www.phpclasses.org/mimemessage


-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--- End Message ---
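The mechanism Manuel and Rasmus are describing, shown as an added example that is not code from this thread, from phpmailer, or from the mimemessage class: a CR/LF inside a value that ends up in mail()'s 4th (additional_headers) argument is read by the mail system as the start of a new header, so a "name" field from a contact form can smuggle in a Bcc: line. The helper names (build_headers_unsafe, parse_headers, assert_single_line, fold_header_value, build_headers_safe) and the attacker input are my own constructions; parse_headers only imitates how an MTA splits a header block so the effect can be seen without sending mail.

```php
<?php
// Added example: header injection through mail()'s additional_headers argument,
// next to two hardened variants. Nothing here is the thread's or phpmailer's code.

// The vulnerable pattern: form input concatenated straight into a header line.
function build_headers_unsafe(string $name, string $email): string
{
    return "From: $name <$email>\r\n";
}

// Imitation of how the mail system reads a header block: each line starting in
// column 0 is a new header; a line starting with whitespace is a continuation
// (folded) line that belongs to the previous header.
function parse_headers(string $block): array
{
    $headers = [];
    $current = null;
    foreach (preg_split("/\r\n|\n|\r/", rtrim($block)) as $line) {
        if ($line !== '' && ($line[0] === ' ' || $line[0] === "\t")) {
            if ($current !== null) {
                $headers[$current] .= ' ' . trim($line);   // unfold
            }
            continue;
        }
        [$name, $value] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $current = $name;
        $headers[$name] = $value;
    }
    return $headers;
}

// Hardening option 1: refuse any value that contains a line break (or a NUL).
// Right for e-mail addresses, which never legitimately contain line breaks.
function assert_single_line(string $value, string $what): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$what must not contain line breaks");
    }
    return $value;
}

// Hardening option 2 (what Manuel means by escaping line breaks properly):
// keep them, but make every line after the first begin with whitespace so the
// mail system treats it as a continuation line, not as a new header.
function fold_header_value(string $value): string
{
    return preg_replace('/(\r\n|\r|\n)[ \t]*/', "\r\n ", $value);
}

function build_headers_safe(string $name, string $email): string
{
    $email = assert_single_line($email, 'e-mail address');
    // The display name goes in a quoted-string, so escape quotes and backslashes
    // and fold rather than reject line breaks.
    $name = fold_header_value(addcslashes($name, "\"\\"));
    return "From: \"$name\" <$email>\r\n";
}

// Constructed attacker input: a "name" that carries a Bcc: header.
$attackerName = "Bob\r\nBcc: victim1@example.net, victim2@example.net";

$unsafe = parse_headers(build_headers_unsafe($attackerName, 'bob@example.org'));
echo isset($unsafe['Bcc'])
    ? "unsafe: Bcc injected -> {$unsafe['Bcc']}\n"
    : "unsafe: no Bcc\n";

$safe = parse_headers(build_headers_safe($attackerName, 'bob@example.org'));
echo isset($safe['Bcc'])
    ? "safe: Bcc injected\n"
    : "safe: no Bcc, From is {$safe['From']}\n";

// With real mail() the hardened builder is what goes in the 4th argument, e.g.
// mail($to, 'Fehlerbericht', $body, build_headers_safe($name, $email));
```

Run it from the command line; the unsafe branch prints the injected Bcc recipients, the safe branch prints a single From: header whose display name now merely contains the text "Bcc: ...". Whether you reject or fold depends on the field: addresses and subjects should be rejected, long free-form values can be folded.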
--- Begin Message ---
Merlin wrote:
> Hi there,
>
> I am running php 4.x on a suse 9.x machine. There is a php script
> which resides
> on a webapp that is responsible for sending e-mail to myself in case
> of errors like db-errors or similar. Called error.php
> This script does include phpmailer and uses it to send the e-mails to me.
> Now I am receiving on the e-mail specified as TO: e-mails with
> different subject
> than specified and different text?! All English text with weird
> sentences, must be a bot or so. How is this possible? The subject line
> is fixed and right after that the command send is executed. So no idea how
> they do it and how I can prevent it. It looks like this:
> $mail->Subject = 'Fehlerbericht';
> $mail->Send();
> How is it possible that they change this subject line? I checked the
> server log and each time an e-mail of that kind has been sent to me
> there is a log entry in the Apache log that says that this script has been
> executed. So the e-mails definitely come from that script?!
>
> Can anybody help?
>
> Regards, Merlin
>
Simply check whether the script using error.php is including it (I
think you include error.php, right?).
E.g. you can set a variable in your other script and check in
error.php whether the variable is set or not.
This way only your script can use error.php and nobody can abuse it :)

-- 
Regards
Julius Hacker

http://www.julius-hacker.de
[EMAIL PROTECTED]

OpenPGP-Key-ID: 0x4B4A486E

--- End Message ---
--- Begin Message ---
On 3/11/06, Paul Goepfert <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> Is it possible to modify a table using JavaScript to control CSS
> visabilty when the entire table is developed dynamically using PHP?


http://www.google.es/search?q=javascript+change+visibility&start=0&ie=utf-8&oe=utf-8&client=firefox&rls=org.mozilla:en-US:unofficial

It shows some good examples. Look at the first results.
I think PHP has nothing to do here; it just writes the table to HTML, but if
you write a good JS function and your PHP'd HTML has ids, it should work fine.

> Thanks,
> Paul
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


--
Esú - http://esu.proyectoanonimo.com
http://www.proyectoanonimo.com

--- End Message ---
--- Begin Message ---
Hello world.
(my first email)
Well, I have this problem with mb_strpos, which returns a position for
me. The position is an index into the string, supposedly.
Everything works fine except for when I index into the array.
I wish to confirm that the position is the character count, not the byte
count, into the string.
Thank you very much.

If I am correct, I would request a change of the word 'character' in
here to mean multi-byte character, for clarity's sake:

mb_strpos() performs multi-byte safe strpos() operation based on number
of characters. needle position is counted from the beginning of the
haystack. First character's position is 0. Second character position is
1, and so on.

Code is this (the variables the loop relies on and the loop advance were
left out of the post; they are filled in so the fragment runs):

$french2 = <<<SXR
<BR>Il m'arrive d'être égoiste. Je sais.<BR><BR><IMG height=446
src="http://www.u-blog.net/bezabel/img/bdFM-oueb2.jpg" width=400
border=0><BR>(<A href="http://blogdamned.free.fr/?2005/05">Blog
DAmned</A>&nbsp;pour en savoir plus)
SXR;

// setup not shown in the original post
$target         = $french2;
$split_pattern  = ' ';            // split on spaces
$present_offset = 0;
$len            = mb_strlen($target, 'UTF-8');
$first          = true;
$debug_my_mb    = true;

$match_pos = mb_strpos($target, $split_pattern, $present_offset, 'UTF-8');
// check for false omitted
while (($match_pos || $first) && $present_offset < $len) {
    // check for 0 omitted
    $first = false;

    $diff = $match_pos - $present_offset;
    $word = mb_substr($target, $present_offset, $diff, 'UTF-8');

    $mb_len = mb_strlen($word, 'UTF-8');
    if ($mb_len != $diff) if ($debug_my_mb) echo "$mb_len and $diff are not equal<br>";
    $match_pos2 = $mb_len + $present_offset;
    if ($match_pos2 != $match_pos) if ($debug_my_mb) echo "$match_pos and $match_pos2 are not equal<br>";

    // THEY ARE EQUAL, HOWEVER

    // $target[$match_pos] indexes bytes, while $match_pos counts characters
    if ($target[$match_pos] != $split_pattern) if ($debug_my_mb) echo "<br>mismatch of $word and $split_pattern<br>";

    // SAYS IT IS A MISMATCH

    // advance past this match (omitted from the original post)
    $present_offset = $match_pos + 1;
    $match_pos = mb_strpos($target, $split_pattern, $present_offset, 'UTF-8');
}

Therefore it must return the character count, not the byte count.

--- End Message ---
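The point Joseph is circling, shown as an added example that is not part of the original post: mb_strpos() and mb_strlen() count characters, while PHP's $str[$i] operator, strpos() and substr() count bytes, so on UTF-8 text the two index spaces drift apart after the first multi-byte character. The helpers char_to_byte_offset, byte_to_char_offset and mb_split_on are my own names; the sample string is taken from the post and "ê"/"é" occupy two bytes each in UTF-8.

```php
<?php
// Added example, not from the original post: character offsets vs byte offsets
// on UTF-8 strings, and the split loop written with character positions only.
mb_internal_encoding('UTF-8');

// Convert a character index (as returned by mb_strpos/mb_strlen) into the
// byte offset that $str[], strpos() and substr() work with.
function char_to_byte_offset(string $str, int $charPos, string $enc = 'UTF-8'): int
{
    return strlen(mb_substr($str, 0, $charPos, $enc));
}

// The reverse: a byte offset (e.g. from strpos) into a character index.
function byte_to_char_offset(string $str, int $bytePos, string $enc = 'UTF-8'): int
{
    return mb_strlen(substr($str, 0, $bytePos), $enc);
}

// Split on a one-character delimiter using character positions throughout,
// i.e. the loop the post was trying to write, with mb_substr() doing the
// per-character comparison instead of $target[].
function mb_split_on(string $target, string $delim, string $enc = 'UTF-8'): array
{
    $words  = [];
    $offset = 0;
    $len    = mb_strlen($target, $enc);
    while ($offset <= $len) {
        $pos = mb_strpos($target, $delim, $offset, $enc);
        if ($pos === false) {                  // explicit false check: 0 is a valid position
            $words[] = mb_substr($target, $offset, null, $enc);
            break;
        }
        // The sanity check from the post, done in character space.
        if (mb_substr($target, $pos, 1, $enc) !== $delim) {
            throw new RuntimeException("position $pos is not '$delim'");
        }
        $words[] = mb_substr($target, $offset, $pos - $offset, $enc);
        $offset  = $pos + 1;
    }
    return $words;
}

// Constructed sample from the post's string.
$s = "Il m'arrive d'être égoiste. Je sais.";

$charPos = mb_strpos($s, ' ', mb_strpos($s, 'être'));   // the space after "être"
$bytePos = char_to_byte_offset($s, $charPos);

printf("space after 'être': character index %d, byte offset %d\n", $charPos, $bytePos);
printf("\$s[%d] is %s\n", $charPos,
    $s[$charPos] === ' ' ? 'a space' : "'{$s[$charPos]}', not a space");
printf("mb_substr(\$s, %d, 1) is %s\n", $charPos,
    mb_substr($s, $charPos, 1) === ' ' ? 'a space' : 'not a space');
printf("\$s[%d] (byte offset) is %s\n", $bytePos,
    $s[$bytePos] === ' ' ? 'a space' : 'not a space');
printf("round trip: character %d -> byte %d -> character %d\n",
    $charPos, $bytePos, byte_to_char_offset($s, $bytePos));

print_r(mb_split_on($s, ' '));
```

The first two printf lines show the mismatch the post observed (the byte at the character index is the "e" of "être", not the space); the next two show the two correct ways to read the character at a character position. Mixing the two index spaces is also a classic source of off-by-N bugs in input filters, so a filter that uses strpos()/substr() must never feed its offsets to the mb_* functions, and vice versa.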
