Re: My contact form is not emailed to me [message #173565 is a reply to message #173520]
Tue, 19 April 2011 02:30
P E Schoen
"Jerry Stuckle" wrote in message news:iofj5t$7gi$1(at)dont-email(dot)me...
> On 4/17/2011 3:58 PM, MG wrote:
>> This one is worth reading
>> http://www.damonkohler.com/2008/12/email-injection.html
> Some good descriptions on how it can happen. But one needs to
> read the comments at the end, also - there are several problems
> with his proposed solutions.
I found the article very interesting. As a "casual" newbie user of PHP I
don't fully understand all the issues, but I can see that it can be a real
problem if a hacker really wants to make trouble. My application requires a
user to provide a name and email address from a hard-coded list, and also a
password, before data can be entered. If that is successful, I set a file
lock which blocks any subsequent attempts to access the script, and I add a
deliberate 5 or 10 second delay before completing the processing and
releasing the file lock.
I also run the user input through a filter: http://htmlpurifier.org/ which
seems to work pretty well. I suppose nothing is totally secure, but this is
designed for only a small group of trusted members, and is not really used
very much. In fact, the only ones to have used it over the last several
months have been myself (for testing), and one or two members as they were
learning how to use it.
Paul
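Since the thread is about email injection in contact forms, here is an added example (not code from the thread or from HTML Purifier) of the check a PHP contact script would want before calling mail(): reject line breaks in any field that lands in a header, and validate the address with filter_var(). This is a separate concern from HTML sanitisation, which does not address header injection. The addresses are placeholders and the inputs are constructed.

```php
<?php
// Added example: guard contact-form fields before they reach mail().

function is_safe_header_value(string $value): bool {
    // CR, LF and NUL in a header value are what let extra headers be appended.
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

function build_contact_mail(array $post): array {
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $body    = $post['message'] ?? '';

    // One syntactically valid address, no display name, no line breaks.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || !is_safe_header_value($email)) {
        throw new InvalidArgumentException('invalid sender address');
    }
    foreach ([$name, $subject] as $field) {
        if (!is_safe_header_value($field)) {
            throw new InvalidArgumentException('line break in header field');
        }
    }

    // The site's own address goes in From:, the visitor's in Reply-To:, so the
    // server never sends mail with a visitor-controlled From header.
    $headers = "From: webform@example.org\r\n"      // placeholder site address
             . "Reply-To: " . $email . "\r\n";

    return [
        'to'      => 'owner@example.org',            // placeholder recipient
        'subject' => $subject === '' ? 'Contact form' : $subject,
        // The visitor's name only appears in the body, where it cannot become a header.
        'body'    => "From: $name <$email>\n\n" . $body,
        'headers' => $headers,
    ];
}

// Constructed inputs: a normal submission and one with a header injection attempt.
$good = ['name' => 'Paul', 'email' => 'paul@example.net', 'subject' => 'Hello', 'message' => 'Hi'];
$bad  = $good;
$bad['email'] = "paul@example.net\r\nBcc: someone@example.com";

$m = build_contact_mail($good);              // accepted
// mail($m['to'], $m['subject'], $m['body'], $m['headers']);

try {
    build_contact_mail($bad);                // rejected before mail() is ever called
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```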