Re: My contact form is not emailed to me [message #173629 is a reply to message #173626]
Thu, 21 April 2011 08:04
P E Schoen
Messages: 86 Registered: January 2011
"Jerry Stuckle" wrote in message news:ioo965$qfj$1(at)dont-email(dot)me...
> Subject does not require an "authorized name". It can easily be
> used for injection.
Here is how I perform the authentication of the name and email, and the
password:
// The submitted name (lower-cased) must be one of the hard-coded keys of $Passcodes
if ( !array_key_exists( strtolower( $in['Full_Name'] ), $Passcodes ) ) {
    HTMLdie("Incorrect Full Name " . htmlspecialchars($in['Full_Name']),
            "Authentication failed\n");
}
// The value stored under that key must equal the submitted email (lower-cased)
if ( !($Passcodes[ strtolower( $in['Full_Name'] ) ] == strtolower($in['Email'])) ) {
    // escaped before being echoed back, the same way Full_Name is above
    HTMLdie("Incorrect Email " . htmlspecialchars($in['Email']),
            "Authentication failed\n");
}
// The Reference field must carry the shared password
if ( !($in['Reference'] == "My Secret Password") ) {
    HTMLdie("Incorrect Entry", "Authentication failed\n");
}
> Hackers often look for sites like yours they can use to spread their
> spam - because they are typically the least secure due to attitudes
> like yours.
What attitude? I'm just asking specifically how my site is not (at least
reasonably) secure.
> As I said - your subject line is still open to hacking.
I understand that may be the case if the user is permitted to enter anything
for the subject line. But that is not the case. My subject line is formed as
follows:
$subject = "Form data from {$in['Full_Name']}";
I really don't see how anything malicious can be added to that. The
$in['Full_Name'] variable has been authenticated, and it cannot be anything
other than the hard coded keys of the $Passcodes array. I'm trying to
understand this, and if you could explain how this can be hacked it will be
very helpful to me and possibly others. Otherwise I think you are just
making some general assumptions or trying to scare me and other beginners
away from writing PHP scripts, and possibly paying for your services or
those of other professionals.
> Others have tried to point you in the right direction, but you seem
> to be uninterested in learning the necessary skills to create a
> secure website.
I am trying to learn those techniques, but without an explanation for how my
script can be hacked, I don't know how to proceed.
> And it really isn't that hard for hackers to guess userids and
> passwords - even easier if they can intercept your non-secure
> logins.
That may be, but in that case the hacker would only be able to send emails
to me with garbage or malicious content in the body, and that will have been
"purified" to acceptable HTML, so I doubt that it will contain anything
truly dangerous. However, I suppose I should enforce a limit to the size of
the content.
Paul
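As an added example, not Paul's script and not anything posted in this thread, here is a PHP version of the lookup he describes, written from the defender's side. The allowlist check is what keeps raw input out of the Subject header: the name that reaches the subject is the stored key, never the submitted string, so a value containing a line break can never match a key. The example adds two things the post only talks about: an explicit CR/LF check on every header value as defence in depth, and the body-size limit Paul says he should enforce. The function names, the `MAX_BODY_BYTES` constant, the `X-Injected` test header and the `example.invalid` addresses are all constructed for the demonstration; `$Passcodes` is assumed to map lower-cased full name to lower-cased email, as in the post.

```php
<?php
// Added example (not the original poster's code). Assumes $Passcodes maps
// lower-cased full name => lower-cased email, as described in the thread.

const MAX_BODY_BYTES = 20000;   // assumed limit; the post only says one is needed

function resolveSender(array $in, array $passcodes): ?array
{
    $nameKey = strtolower((string)($in['Full_Name'] ?? ''));
    $email   = strtolower((string)($in['Email'] ?? ''));

    // Allowlist lookup: only a hard-coded key can pass. Whatever is returned
    // as 'name' is the stored key, not the user-supplied string.
    if (!array_key_exists($nameKey, $passcodes)) {
        return null;
    }
    // Constant-time comparison of the stored email against the submitted one.
    if (!hash_equals($passcodes[$nameKey], $email)) {
        return null;
    }
    return ['name' => $nameKey, 'email' => $passcodes[$nameKey]];
}

function assertHeaderSafe(string $value): string
{
    // Defence in depth: a header value must never contain CR or LF,
    // because a line break is what lets extra headers be appended.
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in mail header value');
    }
    return $value;
}

function buildMessage(array $in, array $passcodes): ?array
{
    $sender = resolveSender($in, $passcodes);
    if ($sender === null) {
        return null;                       // authentication failed
    }
    $body = (string)($in['Content'] ?? '');
    if (strlen($body) > MAX_BODY_BYTES) {
        return null;                       // oversized body rejected
    }
    // Subject is built from the stored key, then checked anyway.
    $subject = assertHeaderSafe("Form data from {$sender['name']}");
    $headers = 'From: ' . assertHeaderSafe($sender['email']) . "\r\n"
             . 'Reply-To: ' . assertHeaderSafe($sender['email']) . "\r\n";
    return ['subject' => $subject, 'headers' => $headers, 'body' => $body];
}

// Constructed self-check with a made-up passcode table.
$Passcodes = ['paul example' => 'paul@example.invalid'];

$good = buildMessage(
    ['Full_Name' => 'Paul Example', 'Email' => 'paul@example.invalid', 'Content' => 'hello'],
    $Passcodes
);
// A name carrying a line break is not a key of $Passcodes, so it never
// reaches the subject; resolveSender() rejects it before any header is built.
$bad = buildMessage(
    ['Full_Name' => "Paul Example\r\nX-Injected: 1", 'Email' => 'paul@example.invalid', 'Content' => 'hello'],
    $Passcodes
);
$tooBig = buildMessage(
    ['Full_Name' => 'Paul Example', 'Email' => 'paul@example.invalid', 'Content' => str_repeat('a', MAX_BODY_BYTES + 1)],
    $Passcodes
);

echo ($good !== null && $bad === null && $tooBig === null) ? "checks pass\n" : "checks FAIL\n";
```

The result array is what you would hand to `mail()`; keeping header construction in one place, with `assertHeaderSafe()` on every value, means the Email field is protected the same way the name is if it is ever added to a header later.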