| My contact form is not emailed to me [message #173506] |
Sat, 16 April 2011 07:36  |
nathanir
Messages: 3
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
I have a contact form on my contact page.I can fill in the form and
when I click the submit button, I am redirected to the success page
but I dont receive an email. I did a test with a simple php mail test
form and that works! I have been at it for some time trying to find
the error. Please help
The relevant code is: (for the contact form)
<form action="process-form.php" method="post" enctype="application/x-
www-form-urlencoded" target="_blank" id="formMail">
<span id="textNameField">
<label for="name"></label>
<input type="text" name="name" id="name" />
<span class="textfieldRequiredMsg">A value is required.</
span><span class="textfieldMinCharsMsg">Minimum number of characters
not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
number of characters.</span></span><span id="textEmailField"><br />
<br />
<label for="email"></label>
<input type="text" name="email" id="email" />
<span class="textfieldRequiredMsg">A value is required.</
span ><span class="textfieldInvalidFormatMsg">Invalid format.</
span><span class="textfieldMinCharsMsg">Minimum number of characters
not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
number of characters.</span></span>
</p>
<p> </p>
<p><span id="SelectionText">
<label for="select">Purpose</label>
<select name="select" id="select">
<option value="Appointment" selected="selected">Appointment</
option>
<option value="Comment">Comment</option>
<option value="Question">Question</option>
</select>
<span class="selectRequiredMsg">Please select an item.</span></
span></p>
<p><span id="textinput">
<textarea name="textinput" id="textinput" cols="45"
rows="5"></textarea>
<span id="countsprytextarea1"> </span><span
class="textareaRequiredMsg">A value is required.</span><span
class="textareaMinCharsMsg">Minimum number of characters not met.</
span><span class="textareaMaxCharsMsg">Exceeded maximum number of
characters.</span></span></p>
<p>
<input type="submit" name="submit" id="submit"
value="Submit" />
<input type="reset" name="reset" id="reset" value="Reset" /
>
</p>
<p> </p>
</form>
the processing php form has this code
<?php
// Pick up the form data and assign it to variables
$name = check_input($_POST['name']);
$email = check_input($_POST['email']);
$select = $_POST['select'];
$textinput = check_input($_POST['textinput']);
// Build the email (replace the address in the $to section with your
own)
$ToEmail = 'rajesh(at)childsurgeon(dot)com';
$Emailsubject = "New message: $select";
$MESSAGE_BODY = "$name said: $textinput";
$mailheader = "From: $email";
// Send the mail using PHPs mail() function
mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
// Redirect
header("Location: success.html");
function check_input($data)
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
?>
|
|
|
|
| Re: My contact form is not emailed to me [message #173508 is a reply to message #173506] |
Sat, 16 April 2011 14:04  |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/16/2011 3:36 AM, nathanir wrote:
> I have a contact form on my contact page.I can fill in the form and
> when I click the submit button, I am redirected to the success page
> but I dont receive an email. I did a test with a simple php mail test
> form and that works! I have been at it for some time trying to find
> the error. Please help
> The relevant code is: (for the contact form)
> <form action="process-form.php" method="post" enctype="application/x-
> www-form-urlencoded" target="_blank" id="formMail">
> <span id="textNameField">
> <label for="name"></label>
> <input type="text" name="name" id="name" />
> <span class="textfieldRequiredMsg">A value is required.</
> span><span class="textfieldMinCharsMsg">Minimum number of characters
> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
> number of characters.</span></span><span id="textEmailField"><br />
> <br />
> <label for="email"></label>
> <input type="text" name="email" id="email" />
> <span class="textfieldRequiredMsg">A value is required.</
> span ><span class="textfieldInvalidFormatMsg">Invalid format.</
> span><span class="textfieldMinCharsMsg">Minimum number of characters
> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
> number of characters.</span></span>
> </p>
> <p> </p>
> <p><span id="SelectionText">
> <label for="select">Purpose</label>
> <select name="select" id="select">
> <option value="Appointment" selected="selected">Appointment</
> option>
> <option value="Comment">Comment</option>
> <option value="Question">Question</option>
> </select>
> <span class="selectRequiredMsg">Please select an item.</span></
> span></p>
> <p><span id="textinput">
> <textarea name="textinput" id="textinput" cols="45"
> rows="5"></textarea>
> <span id="countsprytextarea1"> </span><span
> class="textareaRequiredMsg">A value is required.</span><span
> class="textareaMinCharsMsg">Minimum number of characters not met.</
> span><span class="textareaMaxCharsMsg">Exceeded maximum number of
> characters.</span></span></p>
> <p>
> <input type="submit" name="submit" id="submit"
> value="Submit" />
> <input type="reset" name="reset" id="reset" value="Reset" /
>>
> </p>
> <p> </p>
> </form>
> the processing php form has this code
>
> <?php
> // Pick up the form data and assign it to variables
> $name = check_input($_POST['name']);
> $email = check_input($_POST['email']);
> $select = $_POST['select'];
> $textinput = check_input($_POST['textinput']);
>
>
> // Build the email (replace the address in the $to section with your
> own)
> $ToEmail = 'rajesh(at)childsurgeon(dot)com';
> $Emailsubject = "New message: $select";
> $MESSAGE_BODY = "$name said: $textinput";
> $mailheader = "From: $email";
>
> // Send the mail using PHPs mail() function
> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>
> // Redirect
> header("Location: success.html");
>
> function check_input($data)
> {
> $data = trim($data);
> $data = stripslashes($data);
> $data = htmlspecialchars($data);
> return $data;
> }
> ?>
Your code is very unsafe and can make your site a spam relay. Email
forms are nothing to play with; if you don't know what you're doing, you
are much better getting something like phpmailer, which has at least has
some protection built into it.
And why are you using stripslashes() and htmlspecialchars()?
As for why it's failing - there are lots of possibilities. What does
mail() return? Do you have an MTA on your machine (if Linux) or another
machine (if Windows)? Does the MTA require a login before sending?
Did you check the data you're using? i.e. echo the $ToEmail, etc., to
ensure they have what you expect? What does your PHP error log show?
There are lots of possibilities here.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173509 is a reply to message #173508] |
Sat, 16 April 2011 14:36 |
nathanir
Messages: 3
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
On Apr 16, 7:04 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> On 4/16/2011 3:36 AM, nathanir wrote:
>
>
>
>> I have a contact form on my contact page.I can fill in the form and
>> when I click the submit button, I am redirected to the success page
>> but I dont receive an email. I did a test with a simple php mail test
>> form and that works! I have been at it for some time trying to find
>> the error. Please help
>> The relevant code is: (for the contact form)
>> <form action="process-form.php" method="post" enctype="application/x-
>> www-form-urlencoded" target="_blank" id="formMail">
>> <span id="textNameField">
>> <label for="name"></label>
>> <input type="text" name="name" id="name" />
>> <span class="textfieldRequiredMsg">A value is required..</
>> span><span class="textfieldMinCharsMsg">Minimum number of characters
>> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
>> number of characters.</span></span><span id="textEmailField"><br />
>> <br />
>> <label for="email"></label>
>> <input type="text" name="email" id="email" />
>> <span class="textfieldRequiredMsg">A value is required..</
>> span ><span class="textfieldInvalidFormatMsg">Invalid format.</
>> span><span class="textfieldMinCharsMsg">Minimum number of characters
>> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
>> number of characters.</span></span>
>> </p>
>> <p> </p>
>> <p><span id="SelectionText">
>> <label for="select">Purpose</label>
>> <select name="select" id="select">
>> <option value="Appointment" selected="selected">Appointment</
>> option>
>> <option value="Comment">Comment</option>
>> <option value="Question">Question</option>
>> </select>
>> <span class="selectRequiredMsg">Please select an item.</span></
>> span></p>
>> <p><span id="textinput">
>> <textarea name="textinput" id="textinput" cols="45"
>> rows="5"></textarea>
>> <span id="countsprytextarea1"> </span><span
>> class="textareaRequiredMsg">A value is required.</span><span
>> class="textareaMinCharsMsg">Minimum number of characters not met.</
>> span><span class="textareaMaxCharsMsg">Exceeded maximum number of
>> characters.</span></span></p>
>> <p>
>> <input type="submit" name="submit" id="submit"
>> value="Submit" />
>> <input type="reset" name="reset" id="reset" value="Reset" /
>
>> </p>
>> <p> </p>
>> </form>
>> the processing php form has this code
>
>> <?php
>> // Pick up the form data and assign it to variables
>> $name = check_input($_POST['name']);
>> $email = check_input($_POST['email']);
>> $select = $_POST['select'];
>> $textinput = check_input($_POST['textinput']);
>
>> // Build the email (replace the address in the $to section with your
>> own)
>> $ToEmail = 'raj...@childsurgeon.com';
>> $Emailsubject = "New message: $select";
>> $MESSAGE_BODY = "$name said: $textinput";
>> $mailheader = "From: $email";
>
>> // Send the mail using PHPs mail() function
>> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>
>> // Redirect
>> header("Location: success.html");
>
>> function check_input($data)
>> {
>> $data = trim($data);
>> $data = stripslashes($data);
>> $data = htmlspecialchars($data);
>> return $data;
>> }
>> ?>
>
> Your code is very unsafe and can make your site a spam relay. Email
> forms are nothing to play with; if you don't know what you're doing, you
> are much better getting something like phpmailer, which has at least has
> some protection built into it.
>
> And why are you using stripslashes() and htmlspecialchars()?
>
> As for why it's failing - there are lots of possibilities. What does
> mail() return? Do you have an MTA on your machine (if Linux) or another
> machine (if Windows)? Does the MTA require a login before sending?
>
> Did you check the data you're using? i.e. echo the $ToEmail, etc., to
> ensure they have what you expect? What does your PHP error log show?
>
> There are lots of possibilities here.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Thanks Jerry for your reply. Well I am a newbie setting up my first
website in Dreamweaver. Everywhere I turned, I was instructed on how
essential it was to have one contact form. Further research revealed
http://myphpform.com/final-form.php Since I already had my form on my
contact page, I picked up the necessary php script and tested it out.
I obviously goofed and am in deeper water than what I intended to
tread. However if you will point me to the right path, I am more than
willing to learn.
BTW when I tested this script on my webpage it did send out an email
to me. This one also came from the same site.
<?php
mail('rajesh(at)childsurgeon(dot)com','Test mail','The mail function is
working!');
echo 'Mail sent!';
?>
Rajesh Nathani
|
|
|
|
| Re: My contact form is not emailed to me [message #173511 is a reply to message #173509] |
Sat, 16 April 2011 20:11 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/16/2011 10:36 AM, nathanir wrote:
> On Apr 16, 7:04 pm, Jerry Stuckle<jstuck...@attglobal.net> wrote:
>> On 4/16/2011 3:36 AM, nathanir wrote:
>>
>>
>>
>>> I have a contact form on my contact page.I can fill in the form and
>>> when I click the submit button, I am redirected to the success page
>>> but I dont receive an email. I did a test with a simple php mail test
>>> form and that works! I have been at it for some time trying to find
>>> the error. Please help
>>> The relevant code is: (for the contact form)
>>> <form action="process-form.php" method="post" enctype="application/x-
>>> www-form-urlencoded" target="_blank" id="formMail">
>>> <span id="textNameField">
>>> <label for="name"></label>
>>> <input type="text" name="name" id="name" />
>>> <span class="textfieldRequiredMsg">A value is required.</
>>> span><span class="textfieldMinCharsMsg">Minimum number of characters
>>> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
>>> number of characters.</span></span><span id="textEmailField"><br />
>>> <br />
>>> <label for="email"></label>
>>> <input type="text" name="email" id="email" />
>>> <span class="textfieldRequiredMsg">A value is required.</
>>> span><span class="textfieldInvalidFormatMsg">Invalid format.</
>>> span><span class="textfieldMinCharsMsg">Minimum number of characters
>>> not met.</span><span class="textfieldMaxCharsMsg">Exceeded maximum
>>> number of characters.</span></span>
>>> </p>
>>> <p> </p>
>>> <p><span id="SelectionText">
>>> <label for="select">Purpose</label>
>>> <select name="select" id="select">
>>> <option value="Appointment" selected="selected">Appointment</
>>> option>
>>> <option value="Comment">Comment</option>
>>> <option value="Question">Question</option>
>>> </select>
>>> <span class="selectRequiredMsg">Please select an item.</span></
>>> span></p>
>>> <p><span id="textinput">
>>> <textarea name="textinput" id="textinput" cols="45"
>>> rows="5"></textarea>
>>> <span id="countsprytextarea1"> </span><span
>>> class="textareaRequiredMsg">A value is required.</span><span
>>> class="textareaMinCharsMsg">Minimum number of characters not met.</
>>> span><span class="textareaMaxCharsMsg">Exceeded maximum number of
>>> characters.</span></span></p>
>>> <p>
>>> <input type="submit" name="submit" id="submit"
>>> value="Submit" />
>>> <input type="reset" name="reset" id="reset" value="Reset" /
>>
>>> </p>
>>> <p> </p>
>>> </form>
>>> the processing php form has this code
>>
>>> <?php
>>> // Pick up the form data and assign it to variables
>>> $name = check_input($_POST['name']);
>>> $email = check_input($_POST['email']);
>>> $select = $_POST['select'];
>>> $textinput = check_input($_POST['textinput']);
>>
>>> // Build the email (replace the address in the $to section with your
>>> own)
>>> $ToEmail = 'raj...@childsurgeon.com';
>>> $Emailsubject = "New message: $select";
>>> $MESSAGE_BODY = "$name said: $textinput";
>>> $mailheader = "From: $email";
>>
>>> // Send the mail using PHPs mail() function
>>> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>>
>>> // Redirect
>>> header("Location: success.html");
>>
>>> function check_input($data)
>>> {
>>> $data = trim($data);
>>> $data = stripslashes($data);
>>> $data = htmlspecialchars($data);
>>> return $data;
>>> }
>>> ?>
>>
>> Your code is very unsafe and can make your site a spam relay. Email
>> forms are nothing to play with; if you don't know what you're doing, you
>> are much better getting something like phpmailer, which has at least has
>> some protection built into it.
>>
>> And why are you using stripslashes() and htmlspecialchars()?
>>
>> As for why it's failing - there are lots of possibilities. What does
>> mail() return? Do you have an MTA on your machine (if Linux) or another
>> machine (if Windows)? Does the MTA require a login before sending?
>>
>> Did you check the data you're using? i.e. echo the $ToEmail, etc., to
>> ensure they have what you expect? What does your PHP error log show?
>>
>> There are lots of possibilities here.
>>
> Thanks Jerry for your reply. Well I am a newbie setting up my first
> website in Dreamweaver. Everywhere I turned, I was instructed on how
> essential it was to have one contact form. Further research revealed
> http://myphpform.com/final-form.php Since I already had my form on my
> contact page, I picked up the necessary php script and tested it out.
> I obviously goofed and am in deeper water than what I intended to
> tread. However if you will point me to the right path, I am more than
> willing to learn.
> BTW when I tested this script on my webpage it did send out an email
> to me. This one also came from the same site.
> <?php
> mail('rajesh(at)childsurgeon(dot)com','Test mail','The mail function is
> working!');
> echo 'Mail sent!';
> ?>
> Rajesh Nathani
Your PHP script is not secure. Before putting a contact forum up on
your site, you really need to understand a lot about security -
otherwise you will quickly become a spam relay and your host will
probably cancel your account (at least a good one will).
And just picking a script when you don't know what you're doing is just
asking for trouble - as in your case.
If you want a good secure contact form, I would suggest you read up on
security and learn how to properly secure your site.
In the meantime, did you do the things I suggested in my previous reply?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173512 is a reply to message #173509] |
Sat, 16 April 2011 20:25 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"nathanir" wrote in message
news:c6e55a71-4746-4038-b6da-c5e7efb2a6b0(at)a11g2000pro(dot)googlegroups(dot)com...
>> // Pick up the form data and assign it to variables
>> $name = check_input($_POST['name']);
>> $email = check_input($_POST['email']);
>> $select = $_POST['select'];
>> $textinput = check_input($_POST['textinput']);
>
>> // Build the email (replace the address in the $to section with your
>> own)
>> $ToEmail = 'raj...@childsurgeon.com';
>> $Emailsubject = "New message: $select";
>> $MESSAGE_BODY = "$name said: $textinput";
>> $mailheader = "From: $email";
>
>> // Send the mail using PHPs mail() function
>> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
> BTW when I tested this script on my webpage it did send out an email
> to me. This one also came from the same site.
<?php
mail('rajesh(at)childsurgeon(dot)com','Test mail','The mail function is
working!');
echo 'Mail sent!';
?>
I'm not an expert but I do have a similar setup that works, with an HTML
form and a PHP script which sends a confirmation email to myself. I don't
see what's wrong, but some suggestions to try are:
Incorporate a logfile which contains the values of variables such as
$ToEmail, $select, etc.
It may be best to use "selected" as the variable name rather than the
element name "select".
Then you can use the actual variables for your direct test email function.
Also, as Jerry said, check the error logs on the server. And hopefully you
are doing this on a localhost and not yet as a "live" application. It also
should have some security measures, such as a password and a time delay to
thwart DoS attacks such as a barrage of calls to the PHP script thousands of
times per second.
Maybe the experts can help, or even better you may try some things and learn
a lot with eventual success. Good luck.
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173514 is a reply to message #173512] |
Sat, 16 April 2011 21:40 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/16/2011 4:25 PM, P E Schoen wrote:
> "nathanir" wrote in message
> news:c6e55a71-4746-4038-b6da-c5e7efb2a6b0(at)a11g2000pro(dot)googlegroups(dot)com...
>
>>> // Pick up the form data and assign it to variables
>>> $name = check_input($_POST['name']);
>>> $email = check_input($_POST['email']);
>>> $select = $_POST['select'];
>>> $textinput = check_input($_POST['textinput']);
>>
>>> // Build the email (replace the address in the $to section with your
>>> own)
>>> $ToEmail = 'raj...@childsurgeon.com';
>>> $Emailsubject = "New message: $select";
>>> $MESSAGE_BODY = "$name said: $textinput";
>>> $mailheader = "From: $email";
>>
>>> // Send the mail using PHPs mail() function
>>> mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader);
>
>> BTW when I tested this script on my webpage it did send out an email
>> to me. This one also came from the same site.
>
> <?php
> mail('rajesh(at)childsurgeon(dot)com','Test mail','The mail function is
> working!');
> echo 'Mail sent!';
> ?>
>
> I'm not an expert but I do have a similar setup that works, with an HTML
> form and a PHP script which sends a confirmation email to myself. I
> don't see what's wrong, but some suggestions to try are:
>
> Incorporate a logfile which contains the values of variables such as
> $ToEmail, $select, etc.
>
> It may be best to use "selected" as the variable name rather than the
> element name "select".
>
> Then you can use the actual variables for your direct test email
> function. Also, as Jerry said, check the error logs on the server. And
> hopefully you are doing this on a localhost and not yet as a "live"
> application. It also should have some security measures, such as a
> password and a time delay to thwart DoS attacks such as a barrage of
> calls to the PHP script thousands of times per second.
>
> Maybe the experts can help, or even better you may try some things and
> learn a lot with eventual success. Good luck.
>
> Paul
I hope your script is much more secure than Nathan's. Poorly written
script by people who don't understand security are a major problem in PHP.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173518 is a reply to message #173514] |
Sun, 17 April 2011 17:27 |
nathanir
Messages: 3
Registered: April 2011
Karma: 0
|
Junior Member |
|
|
Thanks Jerry and Paul,
You are right - I do not understand php and am now trying to learn it
in a structured manner through the many tutorials available on the
web. I thought I could learn whatever I needed on the fly - on an as
needed basis but that does not seem to be the way to go. As I
mentioned in my earlier post I checked the testmail.php file and that
seemed to work fine.
If you will be kind enough to suggest what you think are good sites to
learn from then I will appreciate any links.
Thanks once again,
Rajesh
|
|
|
|
|
|
|
|
| Re: My contact form is not emailed to me [message #173565 is a reply to message #173520] |
Tue, 19 April 2011 02:30 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:iofj5t$7gi$1(at)dont-email(dot)me...
> On 4/17/2011 3:58 PM, MG wrote:
>> This one is worth reading
>> http://www.damonkohler.com/2008/12/email-injection.html
> Some good descriptions on how it can happen. But one needs to
> read the comments at the end, also - there are several problems
> with his proposed solutions.
I found the article very interesting. As a "casual" newbie user of PHP I
don't fully understand all the issues, but I can see that it can be a real
problem if a hacker really wants to make trouble. My application requires a
user to provide a name and email address from a hard-coded list, and also a
password, before data can be entered. If that is successful, I set a file
lock which blocks any subsequent attempts to access the script, and I add a
deliberate 5 or 10 second delay before completing the processing and
releasing the file lock.
I also run the user input through a filter: http://htmlpurifier.org/ which
seems to work pretty well. I suppose nothing is totally secure, but this is
designed for only a small group of trusted members, and is not really used
very much. In fact, the only ones to have used it over the last several
months have been myself (for testing), and one or two members as they were
learning how to use it.
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173567 is a reply to message #173565] |
Tue, 19 April 2011 02:58 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/18/2011 10:30 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iofj5t$7gi$1(at)dont-email(dot)me...
>
>> On 4/17/2011 3:58 PM, MG wrote:
>
>>> This one is worth reading
>>> http://www.damonkohler.com/2008/12/email-injection.html
>
>> Some good descriptions on how it can happen. But one needs to
>> read the comments at the end, also - there are several problems
>> with his proposed solutions.
>
> I found the article very interesting. As a "casual" newbie user of PHP I
> don't fully understand all the issues, but I can see that it can be a
> real problem if a hacker really wants to make trouble. My application
> requires a user to provide a name and email address from a hard-coded
> list, and also a password, before data can be entered. If that is
> successful, I set a file lock which blocks any subsequent attempts to
> access the script, and I add a deliberate 5 or 10 second delay before
> completing the processing and releasing the file lock.
>
> I also run the user input through a filter: http://htmlpurifier.org/
> which seems to work pretty well. I suppose nothing is totally secure,
> but this is designed for only a small group of trusted members, and is
> not really used very much. In fact, the only ones to have used it over
> the last several months have been myself (for testing), and one or two
> members as they were learning how to use it.
>
> Paul
Just remember - never trust ANYTHING from the user. You may have email
addresses hardcoded into your forum. But there is NOTHING which says
the request has to come from YOUR form. They can make up any form they
want and send whatever data they want to your page.
And I don't use htmlpurifier, but I would be very surprised if they were
to take out stuff which could be used to make your site a spam relay.
After all, things like newline characters are quite valid input values.
It's how they are used which makes a difference. And htmlpurifier
doesn't know how you're going to use it.
And finally - "only a small group of trusted members" is one of the most
famous lines used by people who got their website hacked. That may be
your intent. But hackers are good at getting around restrictions,
especially if you're not sure of what you're doing.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173571 is a reply to message #173567] |
Tue, 19 April 2011 04:33 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:ioito7$1r5$1(at)dont-email(dot)me...
> Just remember - never trust ANYTHING from the user. You may have
> email addresses hardcoded into your forum. But there is NOTHING
> which says the request has to come from YOUR form. They can make
> up any form they want and send whatever data they want to your page.
I realize that, but the authorized names and emails are hard coded in the
PHP script which is invoked from the HTML form using POST variables. Of
course, a hacker could figure that out and use his own form to try to access
the script for mass emailing or whatever, but he would not get past the
authentication without somehow knowing the names and addresses, and then
also the password.
> And I don't use htmlpurifier, but I would be very surprised if they
> were to take out stuff which could be used to make your site a spam
> relay. After all, things like newline characters are quite valid input
> values. It's how they are used which makes a difference. And
> htmlpurifier doesn't know how you're going to use it.
The headers are pretty much hard-coded as well, except for including the
name and email address of the user in the subject. Since they both must pass
strict authentication, additional malevolent headers cannot be injected
there. Everything else is formatted in the body of the message, which is
passed through the purifier.
> And finally - "only a small group of trusted members" is one of the
> most famous lines used by people who got their website hacked.
> That may be your intent. But hackers are good at getting around
> restrictions, especially if you're not sure of what you're doing.
I freely admit to not knowing all (or even most) of the "gotchas", but
without lots of experience or extensive study of the subject, I don't know
how to determine if what I have is "safe". I could probably submit the code
to someone like you (probably for a fee), to review the code and fix the
security leaks, or maybe I could find a benevolent hacker to attempt to hack
the site.
What would be really useful would be a sort of "verifier" that would perform
the usual attempts and then report on the degree of vulnerability. Is such a
service available? I think it would be worth even a moderate "pay per view"
of a dollar or two to obtain such a security risk report. I know that I
would make good use of it, and it would also be helpful to the OP. My own
site is being built on a volunteer basis for a non-profit organization
(Sierra Club Greater Baltimore Group), so our funds are limited. I am
actually hosting their site on my own server, because the portion of the
National site that I am authorized to access does not have CGI capability.
Thanks,
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173579 is a reply to message #173571] |
Tue, 19 April 2011 10:29 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/19/2011 12:33 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioito7$1r5$1(at)dont-email(dot)me...
>
>> Just remember - never trust ANYTHING from the user. You may have
>> email addresses hardcoded into your forum. But there is NOTHING
>> which says the request has to come from YOUR form. They can make
>> up any form they want and send whatever data they want to your page.
>
> I realize that, but the authorized names and emails are hard coded in
> the PHP script which is invoked from the HTML form using POST variables.
> Of course, a hacker could figure that out and use his own form to try to
> access the script for mass emailing or whatever, but he would not get
> past the authentication without somehow knowing the names and addresses,
> and then also the password.
>
Which isn't that hard if you aren't using secure socket layer (https:...).
>> And I don't use htmlpurifier, but I would be very surprised if they
>> were to take out stuff which could be used to make your site a spam
>> relay. After all, things like newline characters are quite valid input
>> values. It's how they are used which makes a difference. And
>> htmlpurifier doesn't know how you're going to use it.
>
> The headers are pretty much hard-coded as well, except for including the
> name and email address of the user in the subject. Since they both must
> pass strict authentication, additional malevolent headers cannot be
> injected there. Everything else is formatted in the body of the message,
> which is passed through the purifier.
>
But the subject and from headers are NOT being properly authenticated in
the code you posted earlier.
>> And finally - "only a small group of trusted members" is one of the
>> most famous lines used by people who got their website hacked.
>> That may be your intent. But hackers are good at getting around
>> restrictions, especially if you're not sure of what you're doing.
>
> I freely admit to not knowing all (or even most) of the "gotchas", but
> without lots of experience or extensive study of the subject, I don't
> know how to determine if what I have is "safe". I could probably submit
> the code to someone like you (probably for a fee), to review the code
> and fix the security leaks, or maybe I could find a benevolent hacker to
> attempt to hack the site.
>
That's where you need to study and learn. It isn't that hard, but it
does take some studying.
Sure, you can hire someone to check your code - but you'll be much
better off reading and learning on your own so you can write secure code.
Coding publicly available websites isn't that hard - but it does take
care to ensure they are secure.
> What would be really useful would be a sort of "verifier" that would
> perform the usual attempts and then report on the degree of
> vulnerability. Is such a service available? I think it would be worth
> even a moderate "pay per view" of a dollar or two to obtain such a
> security risk report. I know that I would make good use of it, and it
> would also be helpful to the OP. My own site is being built on a
> volunteer basis for a non-profit organization (Sierra Club Greater
> Baltimore Group), so our funds are limited. I am actually hosting their
> site on my own server, because the portion of the National site that I
> am authorized to access does not have CGI capability.
>
> Thanks,
>
> Paul
There are way too many ways a hacker can get in for a verifier to try to
hack your site. And hackers come up with new ways every day. It would
be even harder to keep up with ways of hacking sites than it is for
antivirus manufacturers to keep ahead of virus makers.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173619 is a reply to message #173579] |
Wed, 20 April 2011 17:46 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:iojo5j$jpo$1(at)dont-email(dot)me...
On 4/19/2011 12:33 AM, P E Schoen wrote:
>> I realize that, but the authorized names and emails are hard coded in
>> the PHP script which is invoked from the HTML form using POST
>> variables. Of course, a hacker could figure that out and use his own
>> form to try to access the script for mass emailing or whatever, but he
>> would not get past the authentication without somehow knowing the
>> names and addresses, and then also the password.
> Which isn't that hard if you aren't using secure socket layer (https:...).
The only way I understand would be possible to do this is by listening to
the data over the network and identifying the CGI variables with that
information. I suppose that is possible if someone was using a public
network to access the PHP script. But I doubt that a hacker would want to
put in that much effort. The content is being used for public announcements
anyway, so the data is not sensitive.
>> The headers are pretty much hard-coded as well, except for including
>> the name and email address of the user in the subject. Since they both
>> must pass strict authentication, additional malevolent headers cannot
>> be injected there. Everything else is formatted in the body of the
>> message, which is passed through the purifier.
> But the subject and from headers are NOT being properly authenticated
> in the code you posted earlier.
The subject and from headers are as follows:
$subject = "Form data from {$in['Full_Name']}";
//This has been validated from a hard-coded list
$sender = "paul(at)example(dot)com";
$recipient= 'paul(at)example(dot)com' ;
mail( $recipient, $subject, $message, "From: $sender" );
I see that I have used my email address for both the sender and recipient.
I'm not really sure why I did that, but IIRC I was having problems and I
thought it was because the email was actually sent from my server's email
function and the sender had to match. So the subject is actually used to
indicate who had used the entry form.
> That's where you need to study and learn. It isn't that hard,
> but it does take some studying.
Yes, if this were a major part of what I do, then I'd have to do that. But I
have found that the people who submit activity listings do not even try to
make use of this, so I will probably just have to maintain the website
manually. It may be helpful to me to use this system, but otherwise it has
become mostly a learning experience, and that just in a small way. Most of
my time is spent on electronic engineering, PIC code, and Windows
application programming. And also checking out newsgroups such as this for
interesting discussions.
> Sure, you can hire someone to check your code - but you'll be
> much better off reading and learning on your own so you can
> write secure code.
> Coding publicly available websites isn't that hard - but it does
> take care to ensure they are secure.
> There are way too many ways a hacker can get in for a verifier to
> try to hack your site. And hackers come up with new ways every
> day. It would be even harder to keep up with ways of hacking
> sites than it is for antivirus manufacturers to keep ahead of
> virus makers.
I can see that, but maybe there are some common attack modes that could be
attempted to see how vulnerable a site may be. Even if it required human
interaction, at would be a valuable service that I would be willing to pay
for. It's difficult for a beginner with limited time and motivation to learn
all the methods of attack and the usual ways to reduce vulnerability.
Perhaps you could provide a link to the PHP code for a secure form mailing
application?
Thanks,
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173620 is a reply to message #173619] |
Wed, 20 April 2011 17:51 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iojo5j$jpo$1(at)dont-email(dot)me...
>
> On 4/19/2011 12:33 AM, P E Schoen wrote:
>
>>> I realize that, but the authorized names and emails are hard coded in
>>> the PHP script which is invoked from the HTML form using POST
>>> variables. Of course, a hacker could figure that out and use his own
>>> form to try to access the script for mass emailing or whatever, but he
>>> would not get past the authentication without somehow knowing the
>>> names and addresses, and then also the password.
>
>> Which isn't that hard if you aren't using secure socket layer
>> (https:...).
>
> The only way I understand would be possible to do this is by listening
> to the data over the network and identifying the CGI variables with that
> information. I suppose that is possible if someone was using a public
> network to access the PHP script. But I doubt that a hacker would want
> to put in that much effort. The content is being used for public
> announcements anyway, so the data is not sensitive.
It is JUST possible if you are using weakly encrypted WiFi.
In practice, there are far easier ways to hack than trying to compromise
ISP and backbone routers.
|
|
|
|
| Re: My contact form is not emailed to me [message #173621 is a reply to message #173620] |
Wed, 20 April 2011 20:41 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"The Natural Philosopher" wrote in message
news:ion6ej$jhv$1(at)news(dot)albasani(dot)net...
> P E Schoen wrote:
>> The only way I understand would be possible to do this is by listening to
>> the data over the network and identifying the CGI variables with
>> that information. I suppose that is possible if someone was using a
>> public network to access the PHP script. But I doubt that a hacker
>> would want to put in that much effort. The content is being used for
>> public announcements anyway, so the data is not sensitive.
> It is JUST possible if you are using weakly encrypted WiFi.
> In practice, there are far easier ways to hack than trying to
> compromise ISP and backbone routers.
My WiFi is password protected so I'm not worried about that. But the user
may be at any place where internet access can be had, and the CGI variables
would be posted from there to my remote server. I don't think that will be a
problem. It may be more likely that someone would observe the user entering
the information and remember the keystrokes for the password. But I really
don't know all that much about TCP/IP and HTTP and networks in general.
Thanks,
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173622 is a reply to message #173619] |
Wed, 20 April 2011 20:55 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/20/2011 1:46 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:iojo5j$jpo$1(at)dont-email(dot)me...
>
> On 4/19/2011 12:33 AM, P E Schoen wrote:
>
>>> I realize that, but the authorized names and emails are hard coded in
>>> the PHP script which is invoked from the HTML form using POST
>>> variables. Of course, a hacker could figure that out and use his own
>>> form to try to access the script for mass emailing or whatever, but he
>>> would not get past the authentication without somehow knowing the
>>> names and addresses, and then also the password.
>
>> Which isn't that hard if you aren't using secure socket layer
>> (https:...).
>
> The only way I understand would be possible to do this is by listening
> to the data over the network and identifying the CGI variables with that
> information. I suppose that is possible if someone was using a public
> network to access the PHP script. But I doubt that a hacker would want
> to put in that much effort. The content is being used for public
> announcements anyway, so the data is not sensitive.
>
Which can be done a number of ways by a sniffer. You just have to be in
the right place.
For instance, it's not well publicized but in many residential locations
with cable, everyone in an neighborhood is on the same cable - and can
see each others traffic with the right software.
>>> The headers are pretty much hard-coded as well, except for including
>>> the name and email address of the user in the subject. Since they both
>>> must pass strict authentication, additional malevolent headers cannot
>>> be injected there. Everything else is formatted in the body of the
>>> message, which is passed through the purifier.
>
>> But the subject and from headers are NOT being properly authenticated
>> in the code you posted earlier.
>
> The subject and from headers are as follows:
>
> $subject = "Form data from {$in['Full_Name']}";
> //This has been validated from a hard-coded list
> $sender = "paul(at)example(dot)com";
> $recipient= 'paul(at)example(dot)com' ;
> mail( $recipient, $subject, $message, "From: $sender" );
>
> I see that I have used my email address for both the sender and
> recipient. I'm not really sure why I did that, but IIRC I was having
> problems and I thought it was because the email was actually sent from
> my server's email function and the sender had to match. So the subject
> is actually used to indicate who had used the entry form.
>
But your subject can still be a source of injection.
>> That's where you need to study and learn. It isn't that hard,
>> but it does take some studying.
>
> Yes, if this were a major part of what I do, then I'd have to do that.
> But I have found that the people who submit activity listings do not
> even try to make use of this, so I will probably just have to maintain
> the website manually. It may be helpful to me to use this system, but
> otherwise it has become mostly a learning experience, and that just in a
> small way. Most of my time is spent on electronic engineering, PIC code,
> and Windows application programming. And also checking out newsgroups
> such as this for interesting discussions.
>
There is no excuse for writing insecure code, especially when it's in
the internet. How will your client feel if their ip gets blacklisted -
and even worse, their host cancels their account? It does happen, and
it's serious.
>> Sure, you can hire someone to check your code - but you'll be
>> much better off reading and learning on your own so you can
>> write secure code.
>
>> Coding publicly available websites isn't that hard - but it does
>> take care to ensure they are secure.
>
>> There are way too many ways a hacker can get in for a verifier to
>> try to hack your site. And hackers come up with new ways every
>> day. It would be even harder to keep up with ways of hacking
>> sites than it is for antivirus manufacturers to keep ahead of
>> virus makers.
>
> I can see that, but maybe there are some common attack modes that could
> be attempted to see how vulnerable a site may be. Even if it required
> human interaction, at would be a valuable service that I would be
> willing to pay for. It's difficult for a beginner with limited time and
> motivation to learn all the methods of attack and the usual ways to
> reduce vulnerability.
>
An understanding of security concerns and care when programming will do
that much better than a verifier will.
> Perhaps you could provide a link to the PHP code for a secure form
> mailing application?
>
Sorry, I write my own. I don't use much packaged software.
> Thanks,
>
> Paul
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173623 is a reply to message #173621] |
Wed, 20 April 2011 20:59 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/20/2011 4:41 PM, P E Schoen wrote:
> "The Natural Philosopher" wrote in message
> news:ion6ej$jhv$1(at)news(dot)albasani(dot)net...
>
>> P E Schoen wrote:
>
>>> The only way I understand would be possible to do this is by
>>> listening to the data over the network and identifying the CGI
>>> variables with
>>> that information. I suppose that is possible if someone was using a
>>> public network to access the PHP script. But I doubt that a hacker
>>> would want to put in that much effort. The content is being used for
>>> public announcements anyway, so the data is not sensitive.
>
>> It is JUST possible if you are using weakly encrypted WiFi.
>
>> In practice, there are far easier ways to hack than trying to
>> compromise ISP and backbone routers.
>
> My WiFi is password protected so I'm not worried about that. But the
> user may be at any place where internet access can be had, and the CGI
> variables would be posted from there to my remote server. I don't think
> that will be a problem. It may be more likely that someone would observe
> the user entering the information and remember the keystrokes for the
> password. But I really don't know all that much about TCP/IP and HTTP
> and networks in general.
>
> Thanks,
>
> Paul
If you're using WEP, it's not very protected. That can be broken with a
laptop in less than a day.
And they don't have to know a lot - by just looking at the source code
for your page they can tell what's being sent - and get clues on how to
break it.
Insecure passwords is one of the easiest and most common ways to hack a
site - but trying to get users to create passwords is a lost cause.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173625 is a reply to message #173622] |
Wed, 20 April 2011 23:58 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:ionh8d$qbc$1(at)dont-email(dot)me...
> On 4/20/2011 1:46 PM, P E Schoen wrote:
>> The only way I understand would be possible to do this is by listening
>> to the data over the network and identifying the CGI variables with
>> that information.
> Which can be done a number of ways by a sniffer. You just have to
> be in the right place.
> For instance, it's not well publicized but in many residential locations
> with cable, everyone in an neighborhood is on the same cable - and
> can see each others traffic with the right software.
I have FIOS and a WiFi router, but I have no control over what potential
users may have. However, I still don't think anyone would be that much
interested in hacking this site. And I would assume that the only damage
could be the use of the emailer for spam, but that seems very unlikely, and
I don't think it even can be done using my script.
>> The subject and from headers are as follows:
>
>> $subject = "Form data from {$in['Full_Name']}";
>> //This has been validated from a hard-coded list
>> $sender = "paul(at)example(dot)com";
>> $recipient= 'paul(at)example(dot)com' ;
>> mail( $recipient, $subject, $message, "From: $sender" );
> But your subject can still be a source of injection.
I cannot see how that is possible. The authorization code at the front end
requires the $in['Full_Name'] to be one of the authorized names hard-coded
in an array. If it contains anything else, the script dies. So I can't see
how anyone could inject anything malevolent.
> There is no excuse for writing insecure code, especially when it's
> in the internet. How will your client feel if their ip gets blacklisted -
> and even worse, their host cancels their account? It does happen,
> and it's serious.
My "client" is just a small group of volunteers who may want to post notices
of events to be available from the group's website. I am only using the
Sierra Club National site to have a placeholder HTML page which redirects to
the site I am hosting for them on my Dreamhost account. AFAIK, the email
function resides on the dreamhost, and any emails sent would be my
responsibility.
Also, AIUI, the potential users of the site will only receive the HTML form
on their local machine, and then the PHP script is accessed by means of
POST. The user will receive an echo which either shows "Authentication
Failed", or a formatted HTML page with the submitted information. The form
itself also has a button which will allow the user to see the results of the
EventProcessor script, which will have entered the information into a
database and then produced updated web pages for past and current events or
outings.
> An understanding of security concerns and care when programming
> will do that much better than a verifier will.
I understand a little more after reading
http://www.damonkohler.com/2008/12/email-injection.html, and I think my code
is secure against the attempts described there. If not, then I am missing
something and I would appreciate an example that would prove it to be unsafe
from attack.
>> Perhaps you could provide a link to the PHP code for a secure form
>> mailing application?
> Sorry, I write my own. I don't use much packaged software.
Then it would be very helpful for casual users and beginners if you could
provide at least some of the code you have created with a high level of
security. But I also realize that perhaps that would reveal clues to a
potential hacker. I would like to know more about vulnerabilities and safe
coding practices, but at this point I just don't know how my site could be
hacked unless someone gained access to authentication information, or was
able to obtain the password for my website and upload malicious code or
trash the files.
Thanks,
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173626 is a reply to message #173625] |
Thu, 21 April 2011 03:44 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/20/2011 7:58 PM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ionh8d$qbc$1(at)dont-email(dot)me...
>
>> On 4/20/2011 1:46 PM, P E Schoen wrote:
>
>>> The only way I understand would be possible to do this is by listening
>>> to the data over the network and identifying the CGI variables with
>>> that information.
>
>> Which can be done a number of ways by a sniffer. You just have to
>> be in the right place.
>
>> For instance, it's not well publicized but in many residential
>> locations with cable, everyone in an neighborhood is on the same cable
>> - and
>> can see each others traffic with the right software.
>
> I have FIOS and a WiFi router, but I have no control over what potential
> users may have. However, I still don't think anyone would be that much
> interested in hacking this site. And I would assume that the only damage
> could be the use of the emailer for spam, but that seems very unlikely,
> and I don't think it even can be done using my script.
>
Famous last words by people who's sites got hacked.
>>> The subject and from headers are as follows:
>>
>>> $subject = "Form data from {$in['Full_Name']}";
>>> //This has been validated from a hard-coded list
>>> $sender = "paul(at)example(dot)com";
>>> $recipient= 'paul(at)example(dot)com' ;
>>> mail( $recipient, $subject, $message, "From: $sender" );
>
>> But your subject can still be a source of injection.
>
> I cannot see how that is possible. The authorization code at the front
> end requires the $in['Full_Name'] to be one of the authorized names
> hard-coded in an array. If it contains anything else, the script dies.
> So I can't see how anyone could inject anything malevolent.
>
Subject does not require an "authorized name". It an easily be used for
injection.
>> There is no excuse for writing insecure code, especially when it's
>> in the internet. How will your client feel if their ip gets
>> blacklisted - and even worse, their host cancels their account? It
>> does happen,
>> and it's serious.
>
> My "client" is just a small group of volunteers who may want to post
> notices of events to be available from the group's website. I am only
> using the Sierra Club National site to have a placeholder HTML page
> which redirects to the site I am hosting for them on my Dreamhost
> account. AFAIK, the email function resides on the dreamhost, and any
> emails sent would be my responsibility.
>
Which makes no difference. Hackers often look for sites like yours they
can use to spread their spam - because they are typically the least
secure due to attitudes like yours.
> Also, AIUI, the potential users of the site will only receive the HTML
> form on their local machine, and then the PHP script is accessed by
> means of POST. The user will receive an echo which either shows
> "Authentication Failed", or a formatted HTML page with the submitted
> information. The form itself also has a button which will allow the user
> to see the results of the EventProcessor script, which will have entered
> the information into a database and then produced updated web pages for
> past and current events or outings.
>
Not a problem for hackers - who use scripts to do all kinds of things.
>> An understanding of security concerns and care when programming
>> will do that much better than a verifier will.
>
> I understand a little more after reading
> http://www.damonkohler.com/2008/12/email-injection.html, and I think my
> code is secure against the attempts described there. If not, then I am
> missing something and I would appreciate an example that would prove it
> to be unsafe from attack.
>
As I said - your subject line is still open to hacking.
>>> Perhaps you could provide a link to the PHP code for a secure form
>>> mailing application?
>
>> Sorry, I write my own. I don't use much packaged software.
>
> Then it would be very helpful for casual users and beginners if you
> could provide at least some of the code you have created with a high
> level of security. But I also realize that perhaps that would reveal
> clues to a potential hacker. I would like to know more about
> vulnerabilities and safe coding practices, but at this point I just
> don't know how my site could be hacked unless someone gained access to
> authentication information, or was able to obtain the password for my
> website and upload malicious code or trash the files.
>
Others have tried to point you in the right direction, but you seem to
be uninterested in learning the necessary skills to create a secure website.
And it really isn't that hard for hackers to guess userids and passwords
- even easier if they can intercept your non-secure logins.
> Thanks,
>
> Paul
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173629 is a reply to message #173626] |
Thu, 21 April 2011 08:04 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:ioo965$qfj$1(at)dont-email(dot)me...
> Subject does not require an "authorized name". It an easily be
> used for injection.
Here is how I perform the authentication of the name and email, and the
password:
if ( !array_key_exists( strtolower( $in['Full_Name'] ), $Passcodes ) )
{ HTMLdie("Incorrect Full Name " . htmlspecialchars($in['Full_Name']),
"Authentication failed\n"); }
if ( !($Passcodes[ strtolower( $in['Full_Name'] ) ] ==
(strtolower($in['Email']) ) ) )
{ HTMLdie("Incorrect Email " . $in['Email'], "Authentication
failed\n");}
if ( !($in['Reference'] == "My Secret Password") ){
HTMLdie("Incorrect Entry", "Authentication failed\n"); }
> Hackers often look for sites like yours they can use to spread their
> spam - because they are typically the least secure due to attitudes
> like yours.
What attitude? I'm just asking specifically how my site is not (at least
reasonably) secure.
> As I said - your subject line is still open to hacking.
I understand that may be the case if the user is permitted to enter anything
for the subject line. But that is not the case. My subject line is formed as
follows:
$subject = "Form data from {$in['Full_Name']}";
I really don't see how anything malicious can be added to that. The
$in['Full_Name'] variable has been authenticated, and it cannot be anything
other than the hard coded keys of the $Passcodes array. I'm trying to
understand this, and if you could explain how this can be hacked it will be
very helpful to me and possibly others. Otherwise I think you are just
making some general assumptions or trying to scare me and other beginners
away from writing PHP scripts, and possibly paying for your services or
those of other professionals.
> Others have tried to point you in the right direction, but you seem
> to be uninterested in learning the necessary skills to create a
> secure website.
I am trying to learn those techniques, but without an explanation for how my
script can be hacked, I don't know how to proceed.
> And it really isn't that hard for hackers to guess userids and
> passwords - even easier if they can intercept your non-secure
> logins.
That may be, but in that case the hacker would only be able to send emails
to me with garbage or malicious content in the body, and that will have been
"purified" to acceptable HTML, so I doubt that it will contain anything
truly dangerous. However, I suppose I should enforce a limit to the size of
the content.
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173630 is a reply to message #173626] |
Thu, 21 April 2011 08:31 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:ioo965$qfj$1(at)dont-email(dot)me...
> Others have tried to point you in the right direction, but you seem
> to be uninterested in learning the necessary skills to create a
> secure website.
OK, I searched for a secure PHP mailer and this appears to be one, but
there's no way I can evaluate a script with almost 2000 lines of code and
comments, and I don't know enough to do so anyway. This is a general purpose
script with many customization options, and I think the security part is
only a couple hundred lines. Perhaps it would be useful to analyze this
script to see if it is truly secure, and if not, where the vulnerabilities
are:
http://www.dagondesign.com/articles/secure-php-form-mailer-script/
Thanks,
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173631 is a reply to message #173629] |
Thu, 21 April 2011 10:29 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/21/2011 4:04 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioo965$qfj$1(at)dont-email(dot)me...
>
>> Subject does not require an "authorized name". It an easily be
>> used for injection.
>
> Here is how I perform the authentication of the name and email, and the
> password:
>
> if ( !array_key_exists( strtolower( $in['Full_Name'] ), $Passcodes ) )
> { HTMLdie("Incorrect Full Name " . htmlspecialchars($in['Full_Name']),
> "Authentication failed\n"); }
> if ( !($Passcodes[ strtolower( $in['Full_Name'] ) ] ==
> (strtolower($in['Email']) ) ) )
> { HTMLdie("Incorrect Email " . $in['Email'], "Authentication failed\n");}
> if ( !($in['Reference'] == "My Secret Password") ){
> HTMLdie("Incorrect Entry", "Authentication failed\n"); }
>
>> Hackers often look for sites like yours they can use to spread their
>> spam - because they are typically the least secure due to attitudes
>> like yours.
>
> What attitude? I'm just asking specifically how my site is not (at least
> reasonably) secure.
>
>> As I said - your subject line is still open to hacking.
>
> I understand that may be the case if the user is permitted to enter
> anything for the subject line. But that is not the case. My subject line
> is formed as follows:
>
> $subject = "Form data from {$in['Full_Name']}";
>
So you're saying your subject can only be one of a few names from a
list? What if I want to send an email with the subject "Party for Jean
on Friday"? So they can't easily find the email in their list of saved
emails?
It would mean your subject line can't be hacked - but how
user-unfriendly can you get?
> I really don't see how anything malicious can be added to that. The
> $in['Full_Name'] variable has been authenticated, and it cannot be
> anything other than the hard coded keys of the $Passcodes array. I'm
> trying to understand this, and if you could explain how this can be
> hacked it will be very helpful to me and possibly others. Otherwise I
> think you are just making some general assumptions or trying to scare me
> and other beginners away from writing PHP scripts, and possibly paying
> for your services or those of other professionals.
>
>> Others have tried to point you in the right direction, but you seem
>> to be uninterested in learning the necessary skills to create a
>> secure website.
>
> I am trying to learn those techniques, but without an explanation for
> how my script can be hacked, I don't know how to proceed.
>
I and others have tried to steer you the right direction, but rather
than try to learn and understand, you just argue and make excuses ("it's
a small site", "only a few people will use it", etc.).
>> And it really isn't that hard for hackers to guess userids and
>> passwords - even easier if they can intercept your non-secure
>> logins.
>
> That may be, but in that case the hacker would only be able to send
> emails to me with garbage or malicious content in the body, and that
> will have been "purified" to acceptable HTML, so I doubt that it will
> contain anything truly dangerous. However, I suppose I should enforce a
> limit to the size of the content.
>
> Paul
Whatever.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173632 is a reply to message #173630] |
Thu, 21 April 2011 10:32 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/21/2011 4:31 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioo965$qfj$1(at)dont-email(dot)me...
>
>> Others have tried to point you in the right direction, but you seem
>> to be uninterested in learning the necessary skills to create a
>> secure website.
>
> OK, I searched for a secure PHP mailer and this appears to be one, but
> there's no way I can evaluate a script with almost 2000 lines of code
> and comments, and I don't know enough to do so anyway. This is a general
> purpose script with many customization options, and I think the security
> part is only a couple hundred lines. Perhaps it would be useful to
> analyze this script to see if it is truly secure, and if not, where the
> vulnerabilities are:
>
> http://www.dagondesign.com/articles/secure-php-form-mailer-script/
>
> Thanks,
>
> Paul
If you want someone to analyze a script and tell you if it's really
secure, I would suggest you get out your checkbook. People aren't going
to do it for you for free.
I and others have tried to help you here, but it's a waste of time.
I've got better things to so. Good luck.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
|
|
| Re: My contact form is not emailed to me [message #173637 is a reply to message #173633] |
Thu, 21 April 2011 17:42 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"crankypuss" wrote in message
news:p810r6d6kaa5b6mhqo98f8d53qgno7neh9(at)4ax(dot)com...
> "P E Schoen" <paul(at)pstech-inc(dot)com> wrote:
>> I still don't think anyone would be that much
>> interested in hacking this site.
> There are people out there who will swerve to run over a cat just
> because they can, why spend any more time in the middle of the
> road than you have to?
I agree, but most of this thread became an argument with Jerry based on his
false assumptions, and now he agrees that the site does not have the
vulnerability he asserted. This is a special purpose script, functioning
only to allow a few people to add content to a database, and the email is
only a notification to me that someone has done so. As such, the subject
line consists only of hard coded text and a fully authenticated name. Jerry
may say that it is user-unfriendly, but not for the purpose intended.
Certainly I have a lot to learn about security and hacking, but given the
knowledge of what kinds of attacks are possible, I still believe my site to
be just about as secure as is reasonable. If the data were sensitive, or if
hacking could allow someone to use it as a spam portal, then I would
certainly use more elaborate means to assure security.
Along with the general purpose free PHP script for a secure form mailer
http://www.dagondesign.com/articles/secure-php-form-mailer-script/, I also
found this form mail script which uses encryption and has a seven year
history of security, for $99. http://www.tectite.com/formmailpage.php
There is also the issue of what is "reasonable" security. If I wanted to
feel totally safe, I could lock myself in my house, and when I went out I
could wear full body armor, lead shielding, and a gas mask, or I could hire
a bodyguard. But unless the environment were far more dangerous than it is,
taking all these precautions would be overkill and diminish my ability to
enjoy life. The internet is a dangerous place, but for the most part there
are safe and inexpensive ways to protect against threats without extreme
limitation of its use and enjoyment.
I have learned a lot from this discussion, and I appreciate the helpful
responses.
Paul
|
|
|
|
|
|
| Re: My contact form is not emailed to me [message #173640 is a reply to message #173637] |
Fri, 22 April 2011 00:04 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/21/2011 1:42 PM, P E Schoen wrote:
> "crankypuss" wrote in message
> news:p810r6d6kaa5b6mhqo98f8d53qgno7neh9(at)4ax(dot)com...
>
>> "P E Schoen" <paul(at)pstech-inc(dot)com> wrote:
>
>>> I still don't think anyone would be that much
>>> interested in hacking this site.
>
>> There are people out there who will swerve to run over a cat just
>> because they can, why spend any more time in the middle of the
>> road than you have to?
>
> I agree, but most of this thread became an argument with Jerry based on
> his false assumptions, and now he agrees that the site does not have the
> vulnerability he asserted. This is a special purpose script, functioning
> only to allow a few people to add content to a database, and the email
> is only a notification to me that someone has done so. As such, the
> subject line consists only of hard coded text and a fully authenticated
> name. Jerry may say that it is user-unfriendly, but not for the purpose
> intended.
>
> Certainly I have a lot to learn about security and hacking, but given
> the knowledge of what kinds of attacks are possible, I still believe my
> site to be just about as secure as is reasonable. If the data were
> sensitive, or if hacking could allow someone to use it as a spam portal,
> then I would certainly use more elaborate means to assure security.
>
> Along with the general purpose free PHP script for a secure form mailer
> http://www.dagondesign.com/articles/secure-php-form-mailer-script/, I
> also found this form mail script which uses encryption and has a seven
> year history of security, for $99. http://www.tectite.com/formmailpage.php
>
> There is also the issue of what is "reasonable" security. If I wanted to
> feel totally safe, I could lock myself in my house, and when I went out
> I could wear full body armor, lead shielding, and a gas mask, or I could
> hire a bodyguard. But unless the environment were far more dangerous
> than it is, taking all these precautions would be overkill and diminish
> my ability to enjoy life. The internet is a dangerous place, but for the
> most part there are safe and inexpensive ways to protect against threats
> without extreme limitation of its use and enjoyment.
>
> I have learned a lot from this discussion, and I appreciate the helpful
> responses.
>
> Paul
No, it's all about using fields *properly*. There is a field made for
who the message comes from - it is the From: field.
The Subject: field is for just that - the subject of the message.
Seeing someone use it as a From: field shows the person has no idea what
he is doing - which is the case here.
Fortunately, most clients can recognize an incompetent programmer, and
find someone who can do the job *right*. It takes longer for some then
others, but most figure it out, eventually.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173642 is a reply to message #173640] |
Fri, 22 April 2011 04:45 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:ioqgme$js$3(at)dont-email(dot)me...
> No, it's all about using fields *properly*. There is a field made
> for who the message comes from - it is the From: field.
> The Subject: field is for just that - the subject of the message.
> Seeing someone use it as a From: field shows the person has no
> idea what he is doing - which is the case here.
Well, "thinking outside the box", I would assert that this email is actually
being sent "from" my EventProcessor script, since it is only a confirmation
to me that someone has used the application and entered specific information
as outlined in the HTML form. I would also suggest that, in this case, the
subject is appropriate, telling me that a specific person has submitted the
form data which is detailed and formatted in the email body.
> Fortunately, most clients can recognize an incompetent programmer,
> and find someone who can do the job *right*. It takes longer for
> some then others, but most figure it out, eventually.
If they have any complaints they are more than welcome to hire someone else
and unload this additional work. I volunteered to be the webmaster when the
previous one was unable to continue, and there had been some complaints
about his inability to update the content in a timely manner. Also, the
website was not visually appealing and the home page had a lot of outdated
and superfluous material. From June 2010:
http://maryland.sierraclub.org/baltimore/indexold.html
I have kept the same format for now, and I added a hit counter and links to
the event submission form and other things I have been trying:
http://maryland.sierraclub.org/baltimore/
Many of our members said they liked the form and function of this site:
http://maryland.sierraclub.org/montgomery/
However, it is rather complex and difficult for me to maintain, and some of
the material is copyrighted, so I may have to create a simplified version.
This was an early attempt to clone a previous version of their website:
http://www.pauleschoen.com/SCGBG/
Actually, I preferred the website design of some other MD groups, such as
http://maryland.sierraclub.org/catoctin/. It is also similar to others, and
seems to be derived from the MD chapter site:
http://maryland.sierraclub.org/
The reason for the event submission form and all my efforts to implement it
(first in Perl and then PHP) was to allow event leaders to submit material
without my involvement. But people seemed to be unable or unwilling to use
this, so we are still having people email content to me and I just convert
it to HTML. And sometimes it takes a while for me to get "a round tuit",
which means that some events have already passed by the time I update the
site. Now some of the event leaders are using
http://www.meetup.com/baltimoresierraclub/, and also facebook. Maybe that's
the way to go. Our website has been getting only 10 hits a day and most of
them are bots or other indirect accesses rather than actual people.
Maybe a better option is to do as we have done for another group:
www.baltimoregreenforum.org. The login information has been shared with the
dozen or so members of the planning committee so each of us can modify the
content. I think that is a high security risk, but it was done by the
forum's founder, so as webmaster I don't have any special privileges.
And as Paul Harvey might say, "and that is the rest of the story."
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173646 is a reply to message #173642] |
Fri, 22 April 2011 10:07 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioqgme$js$3(at)dont-email(dot)me...
>
>> Fortunately, most clients can recognize an incompetent programmer,
>> and find someone who can do the job *right*. It takes longer for
>> some then others, but most figure it out, eventually.
>
Guess why Jerry has so much time on his hands....he has actually made a
true statement there..
|
|
|
|
| Re: My contact form is not emailed to me [message #173648 is a reply to message #173642] |
Fri, 22 April 2011 11:07 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 4/22/2011 12:45 AM, P E Schoen wrote:
> "Jerry Stuckle" wrote in message news:ioqgme$js$3(at)dont-email(dot)me...
>
>> No, it's all about using fields *properly*. There is a field made
>> for who the message comes from - it is the From: field.
>
>> The Subject: field is for just that - the subject of the message.
>
>> Seeing someone use it as a From: field shows the person has no
>> idea what he is doing - which is the case here.
>
> Well, "thinking outside the box", I would assert that this email is
> actually being sent "from" my EventProcessor script, since it is only a
> confirmation to me that someone has used the application and entered
> specific information as outlined in the HTML form. I would also suggest
> that, in this case, the subject is appropriate, telling me that a
> specific person has submitted the form data which is detailed and
> formatted in the email body.
>
The appropriate field for whom it is from is the From: field. THAT
PERSON is the one send it - not your event processor script. It really
makes no difference whether they 're doing it from your script or their
own system.
And I can just the poor person on the other end trying to find the
"Party for Jean on Friday" message in a few hundred saved messages, all
of them with the subject 'From: Tom Smith".
>> Fortunately, most clients can recognize an incompetent programmer,
>> and find someone who can do the job *right*. It takes longer for
>> some then others, but most figure it out, eventually.
>
> If they have any complaints they are more than welcome to hire someone
> else and unload this additional work. I volunteered to be the webmaster
> when the previous one was unable to continue, and there had been some
> complaints about his inability to update the content in a timely manner.
> Also, the website was not visually appealing and the home page had a lot
> of outdated and superfluous material. From June 2010:
> http://maryland.sierraclub.org/baltimore/indexold.html
>
It's OK- not great, but OK.
> I have kept the same format for now, and I added a hit counter and links
> to the event submission form and other things I have been trying:
> http://maryland.sierraclub.org/baltimore/
>
Hit counter - another sign of a hack "webmaster". You can tell them
every time.
<snip>
> Now some of the event leaders are using
> http://www.meetup.com/baltimoresierraclub/, and also facebook. Maybe
> that's the way to go. Our website has been getting only 10 hits a day
> and most of them are bots or other indirect accesses rather than actual
> people.
>
<snip>
A competent webmaster can solve a lot of problems.
> Paul
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: My contact form is not emailed to me [message #173649 is a reply to message #173640] |
Fri, 22 April 2011 13:23 |
Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On Thu, 21 Apr 2011 20:04:29 -0400, Jerry Stuckle wrote:
> Fortunately, most clients can recognize an incompetent programmer, and
> find someone who can do the job *right*. It takes longer for some then
> others, but most figure it out, eventually.
*chuckle* It'd be nice if it didn't take so long. We'd have a lot less
time for USENET.
--
10. I will not interrogate my enemies in the inner sanctum -- a small
hotel well outside my borders will work just as well.
--Peter Anspach's list of things to do as an Evil Overlord
|
|
|
|
| Re: My contact form is not emailed to me [message #173650 is a reply to message #173648] |
Fri, 22 April 2011 19:28 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
"Jerry Stuckle" wrote in message news:iornhj$uhi$1(at)dont-email(dot)me...
> The appropriate field for whom it is from is the From: field. THAT PERSON
> is the one send it - not your event processor script. It
> really makes no difference whether they 're doing it from your
> script or their own system.
> And I can just the poor person on the other end trying to find the "Party
> for Jean on Friday" message in a few hundred saved messages,
> all of them with the subject 'From: Tom Smith".
Well, that would be me, and I would rather have the automated replies
grouped together by subject so I can just sort in that criterion. I just did
so and it shows all of them. And since January 1 there is a grand total of
32 messages, of which by far most were sent by me for testing. In fact, I
think only one was actually entered by an event sponsor, and that was
January 15.
As I've tried to explain, the purpose of this script is not an emailer for
others to use, but rather only a notification to me that someone has
accessed the script and posted information to the website. I want this to be
totally separate from regular emails from those who may use it. I get many
more such emails than those produced by the script.
>> http://maryland.sierraclub.org/baltimore/indexold.html
> It's OK- not great, but OK.
That website was an example of what other members had complained about.
Actually, there were older versions that had, on the main page, a long list
of previous meetings and summaries of the minutes, which was essentially
only useful as an archive. I think the only reason you said this was "OK",
was that it was at that time maintained by someone other than myself. I am
sure he is more skilled than I am, but people would rather deal with someone
of my skill level who can usually update content in a few days, rather than
two months as was previously the norm.
>> http://maryland.sierraclub.org/baltimore/
> Hit counter - another sign of a hack "webmaster". You can tell
> them every time.
Before I added the hit counter, we had no idea how much traffic the website
was getting. There are more accurate and detailed methods, but the simple
hit counter at least gave us some information, and it mostly showed that the
website was very rarely used. AFAIK the hit counter gives an inflated number
(10/day), and upon examination of the logs, I could see that the actual
human hits numbered only a handful per day.
I found the logs for the MD chapter on the Sierra Club server, but they are
over 100 MB per month. I know there are ways to extract the pertinent
information, but I don't think it is really worth the effort.
> A competent webmaster can solve a lot of problems.
Except encouraging our members, and the appropriate segment of the public,
to actually use the website. We have a few thousand members in the Greater
Baltimore Group, but we typically only see or hear from perhaps 1% of that
number. Many of our members, even those on the executive committee and event
leaders, do not have or do not use the internet or email, and many of those
who do are computer-phobic. So we could hire the greatest webmaster in the
world, or even you, and the website could be beautifully constructed, but I
doubt that would increase legitimate use.
I don't want to keep arguing, especially when your replies still seem to be
based on erroneous assumptions and perhaps an ad hominem attitude toward me
(and other newbies). I'm here to learn, and not to reject helpful advice.
But when I determine that the advice being given is not really correct in my
specific case, then I feel that I must clarify my intentions and reasons for
doing things in a certain way. I hope this clears up the misconceptions and
we can move on to other topics. I am satisfied that what I am doing is
secure enough and fulfills the needs of our group's website.
Thanks,
Paul
|
|
|
|
| Re: My contact form is not emailed to me [message #173652 is a reply to message #173650] |
Sat, 23 April 2011 08:32 |
P E Schoen
Messages: 86
Registered: January 2011
Karma: 0
|
Member |
|
|
I just tried a couple of things with my notification script, with
interesting results. First, I changed the "From" header to "Event Processor
used by $Sender", where $sender was guest(at)example(dot)com, and the email I
received showed in the "From" field:
Event Processor used by guest(at)example(dot)com
Then I tried using just "Event Processor" as the "From" header, and I used
for the Subject line: "Form Data from {$in['Full_Name]} ({$in['Email'])}",
and the email I received showed in the "From" field:
paul_@_peschoen.com (underscores added)
Finally I used $in['Email'] for "From", and the email I received showed in
the "From" field:
guest(at)example(dot)com
Apparently the mailer checks for a somewhat valid email address and uses a
default if it rejects it.
Paul
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]