PHP script Help Needed

I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.

1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. foo@bar.com) and contain one and only
one address each.

2) The message contains text only. No attachments allowed.

I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated

Thanks
DB

Ima Lozer wrote:

Quote:

I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.
>
1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. foo@bar.com) and contain one and only
one address each.
>
2) The message contains text only. No attachments allowed.
>
>
I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated
>
>
Thanks
DB

I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.

You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")

In article <xYNgk.16869$89.9380@nlpi069.nbdc.sbc.com>,
maustin@firstdbasource.com says...

Quote:

Ima Lozer wrote:

Quote:

I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.

1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. foo@bar.com) and contain one and only
one address each.

2) The message contains text only. No attachments allowed.

I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated

Thanks
DB

>
>
I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.
>
You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")
>

Thanks. I alrady have the script 100% functional. That is not the
issue. What I want to do is tighten it up for security. I need to test
the TO and FROM email addresses to ensure that the entry is a singular
validly formatted email address, and I wand to make sure that no black
hat uses the MESSAGE field to upliad anything that can harm the
recipient's system or my server. I'll look at phpmailer to see if it
has this type of code in it.

Ima Lozer wrote:

Quote:

In article <xYNgk.16869$89.9380@nlpi069.nbdc.sbc.com>,
maustin@firstdbasource.com says...

Quote:

>Ima Lozer wrote:

Quote:

>>I am in the process of writing an app for one of my sites that will
>>allow guests to send e-cards to other folks. The process is fairly
>>simple. First the sender selects a card graphic via a series of radio
>>buttons. Then he enters his and the recipient's name and email address.
>>Next he enters a message to the sender and clicks a button to send the
>>card. What I need help with is code to test the input in all appropriate
>>fields to ensure that no oen uses the script for black hat purposes. In
>>addition to anything else that may be an issue I'd like to address the
>>following.
>>>
>>1) Ensure that the email addresses values entered (recipient and sender)
>>are both validly formatted (e.g. foo@bar.com) and contain one and only
>>one address each.
>>>
>>2) The message contains text only. No attachments allowed.
>>>
>>>
>>I'm basically looking for ways to block the black hats from using this
>>for spam or spreading any malware. Direct assistance with this or being
>>pointed to a reference that addresses the subject would be appreciated
>>>
>>>
>>Thanks
>>DB

>>
>I find that phpmailer can be easily modified to do the actual sending -
>you may need to configure SSL/TSL authenticated SMTP to your ISP
>outbound servers (unless you have full control over your ReverseDNS and
>your own SMTP server - in other words - if you do not fully own and
>control the IP address(es). If you do use DynamicDNS you will be
>blacklisted anyway. It seems to me to unfair, but fighting that is a
>losing proposition.
>>
>You will want to take a look at some sort of Captcha to ensure only
>humans are interacting with your site. (ie. "enter at this funky-looking
>picture of this word and type in the word here...")
>>

>
>
Thanks. I alrady have the script 100% functional. That is not the
issue. What I want to do is tighten it up for security. I need to test
the TO and FROM email addresses to ensure that the entry is a singular
validly formatted email address, and I wand to make sure that no black
hat uses the MESSAGE field to upliad anything that can harm the
recipient's system or my server. I'll look at phpmailer to see if it
has this type of code in it.
>

The simplest way is to check for nl and cr characters ("\n" and "\r") in
the from, and subject fields. If there are any, send it back.

It works because each entry (i.e. To:, CC:, BCC:, etc.) needs to be on a
separate line.

Not perfectly foolproof, but it catches virtually all of the spammers.
It only leaves the to: field - which you should control in your script,
not from the form (i.e. use an id in the form and pull the actual email
address from a file/database/array/whatever).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

On Jul 21, 1:38 am, Jerry Stuckle <jstuck...@attglobal.netwrote:

Quote:

Ima Lozer wrote:

Quote:

In article <xYNgk.16869$89.9...@nlpi069.nbdc.sbc.com>,
maus...@firstdbasource.com says...

Quote:

Ima Lozer wrote:
>I am in the process of writing an app for one of my sites that will
>allow guests to send e-cards to other folks. The process is fairly
>simple. First the sender selects a card graphic via a series of radio
>buttons. Then he enters his and the recipient's name and email address.
>Next he enters a message to the sender and clicks a button to send the
>card. What I need help with is code to test the input in all appropriate
>fields to ensure that no oen uses the script for black hat purposes. In
>addition to anything else that may be an issue I'd like to address the
>following.

>

Quote:

>1) Ensure that the email addresses values entered (recipient and sender)
>are both validly formatted (e.g. f...@bar.com) and contain one and only
>one address each.

>

Quote:

>2) The message contains text only. No attachments allowed.

>

Quote:

>I'm basically looking for ways to block the black hats from using this
>for spam or spreading any malware. Direct assistance with this or being
>pointed to a reference that addresses the subject would be appreciated

>

Quote:

>Thanks
>DB

>

Quote:

I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.

>

Quote:

You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")

>

Quote:

Thanks. I alrady have the script 100% functional. That is not the
issue. What I want to do is tighten it up for security. I need to test
the TO and FROM email addresses to ensure that the entry is a singular
validly formatted email address, and I wand to make sure that no black
hat uses the MESSAGE field to upliad anything that can harm the
recipient's system or my server. I'll look at phpmailer to see if it
has this type of code in it.

>
The simplest way is to check for nl and cr characters ("\n" and "\r") in
the from, and subject fields. If there are any, send it back.
>
It works because each entry (i.e. To:, CC:, BCC:, etc.) needs to be on a
separate line.
>
Not perfectly foolproof, but it catches virtually all of the spammers.
It only leaves the to: field - which you should control in your script,
not from the form (i.e. use an id in the form and pull the actual email
address from a file/database/array/whatever).
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

You really, really must check that the requester's address is valid
and receiving mail - when a user requests requests a message to be
sent put it in a holding a queue then send back a message to the
requester with a URL which will release the ecard.

I don't even want to conjecture about how this could be abused
otherwise.

It won't stop people using throwaway addresses, but at least this
covers your responsibilities regarding due diligence.

C.

PHP script Help Needed

re: PHP script Help Needed

re: PHP script Help Needed

re: PHP script Help Needed

re: PHP script Help Needed

Similar PHP bytes

/bytes/development

/bytes/it

/bytes/about