[Q] mail() & security

One of the first rules of doing web development is to never trust user
input.

So, my question is how this may affect the usage of the mail() function
within PHP.

Obviously, one can (fairly easily) verify that what one is passing in
the TO parameter is a valid e-mail address.

What is recommended with respect to the subject & message parameters?

One potentially good function to run them through is strip_tags.
Jul 17 '05 #1
Eric <eg******@verizon.net> wrote:
> Obviously, one can (fairly easily) verify that what one is passing in
> the TO parameter is a valid e-mail address.

_A_ valid email address, but is it _the_ correct address?

> What is recommended with respect to the subject & message parameters?

So you let a mail script accept the to, subject and message body? You
just described a spam relay.

If you are using this for a feedback form this is not the way to go; to
and subject should be fixed. The body shouldn't be sent to the user
entering the data, just a plain confirmation that the message was
received.

> One potentially good function to run them through is strip_tags.

What would that accomplish? A good MUA shouldn't trust the content of any
mail (unless the user tells it to, of course).

Jul 17 '05 #2
Daniel Tryba <pa**********@invalid.tryba.nl> wrote:
> > One potentially good function to run them through is strip_tags.
>
> What would that accomplish?

The removal of various destructive things which one could bury in a tag
which would then be interpreted by an e-mail application capable of
rendering HTML. For example, an img tag which could result in the
downloading of unwanted images.

Seems like a good idea, but you seem to feel it would be pointless? Why?

> A good MUA shouldn't trust the content of any
> mail (unless the user tells it to, of course).

So, then, if you wanted to allow a user to enter some text into the body
of a message, what would you do to protect the recipient of that
message?
Jul 17 '05 #3
Eric <eg******@verizon.net> wrote:
> > > One potentially good function to run them through is strip_tags.
> >
> > What would that accomplish?
>
> The removal of various destructive things which one could bury in a tag
> which would then be interpreted by an e-mail application capable of
> rendering HTML. For example, an img tag which could result in the
> downloading of unwanted images.
>
> Seems like a good idea, but you seem to feel it would be pointless? Why?

My MUA already provides this protection and AFAIK any decent MUA does
that. Added bonus is that I can still tell it not to "protect me", and
thus show the images when I want it to.

> > A good MUA shouldn't trust the content of any
> > mail (unless the user tells it to, of course).
>
> So, then, if you wanted to allow a user to enter some text into the body
> of a message, what would you do to protect the recipient of that
> message?

Advise them a decent MUA, and filter out html messages. My spamfilter is
trained to tag html-only mail as spam (except when explicitly
whitelisted), shows text/plain by default and
will not fetch external links by default.

Jul 17 '05 #4
Daniel Tryba <pa**********@invalid.tryba.nl> wrote:
> Eric <eg******@verizon.net> wrote:
> > > > One potentially good function to run them through is strip_tags.
> > >
> > > What would that accomplish?
> >
> > The removal of various destructive things which one could bury in a tag
> > which would then be interpreted by an e-mail application capable of
> > rendering HTML. For example, an img tag which could result in the
> > downloading of unwanted images.
> >
> > Seems like a good idea, but you seem to feel it would be pointless? Why?
>
> My MUA already provides this protection and AFAIK any decent MUA does
> that. Added bonus is that I can still tell it not to "protect me", and
> thus show the images when I want it to.
>
> > > A good MUA shouldn't trust the content of any
> > > mail (unless the user tells it to, of course).
> >
> > So, then, if you wanted to allow a user to enter some text into the body
> > of a message, what would you do to protect the recipient of that
> > message?
>
> Advise them a decent MUA, and filter out html messages. My spamfilter is
> trained to tag html-only mail as spam (except when explicitly
> whitelisted), shows text/plain by default and
> will not fetch external links by default.

Unfortunately, your latest comments are clearly entirely irrelevant to
the discussion, which is what useful things can be done to process text
sent to the body and subject parameters of the mail() function to
prevent anything annoying/destructive from being sent to the recipient.

If you have any comments related to the topic of this thread, please let
me know.

For those who may be interested, in a simultaneous discussion which took
place elsewhere, one other option was presented, which would be to run the
text through the htmlentities function.

Like strip_tags, this would prevent any annoying/destructive html from
being rendered and have the additional benefit of knowing whether or not
someone attempted to send something that was annoying/destructive.

However, I, personally, will likely stick with strip_tags. Although
this function could remove useful text, it would also not force the
recipient to try to parse something not particularly human readable.

It would seem the sending of things that strip_tags or htmlentities
would stop is the only thing that one would need to be concerned with.
Jul 17 '05 #5
Eric <eg******@verizon.net> wrote:
> If you have any comments related to the topic of this thread, please let
> me know.

My comments should be read as: don't send text/html.

All below is unnecessary when the "html" is sent as text/plain.

> For those who may be interested, in a simultaneous discussion which took
> place elsewhere, one other option was presented, which would be to run the
> text through the htmlentities function.

[snip]

BTW sending html in text/plain scores extra points in spam filters.

Jul 17 '05 #6
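As an added example (not code from the thread or from either poster), here is a PHP feedback-form mailer that follows the advice given in #2 and #6 (recipient and subject fixed server-side so the script is not a relay, the body sent as text/plain so nothing in it is rendered as HTML, and the user shown only a confirmation) together with Eric's strip_tags choice from #5. The addresses, constant names and form field names are assumptions.

```php
<?php
// Added example, not code from the thread. A feedback-form mailer that follows
// the advice above: recipient and subject are fixed server-side (no relay), the
// body is sent as text/plain so HTML in the user's text is never rendered, and
// the user only gets a confirmation. Addresses and field names are assumptions.
const FEEDBACK_TO      = 'feedback@example.com';   // fixed, never taken from the form
const FEEDBACK_SUBJECT = 'Website feedback';        // fixed, never taken from the form
const MAX_BODY_LENGTH  = 4000;

// Returns the trimmed sender address, or null if it is not a valid address.
function feedback_sender(string $raw): ?string
{
    $addr = trim($raw);
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}

// Prepares the user's text for a text/plain mail: strip tags (the thread's
// choice), normalise line endings and cap the length.
function feedback_body(string $raw): string
{
    $text = str_replace(["\r\n", "\r"], "\n", strip_tags($raw));
    return substr(trim($text), 0, MAX_BODY_LENGTH);
}

// Headers: plain text only; Reply-To is the validated sender, From is our own.
function feedback_headers(string $sender): string
{
    return "From: " . FEEDBACK_TO . "\r\n"
         . "Reply-To: " . $sender . "\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=UTF-8";
}

function send_feedback(array $post): bool
{
    $sender = feedback_sender($post['email'] ?? '');
    $body   = feedback_body($post['message'] ?? '');
    if ($sender === null || $body === '') {
        return false;
    }
    return mail(FEEDBACK_TO, FEEDBACK_SUBJECT, $body, feedback_headers($sender));
}

// The user sees a plain confirmation, never their own text echoed back.
echo send_feedback($_POST) ? 'Thanks, your message was received.'
                           : 'Please enter a valid address and a message.';
```

Because the message is declared text/plain, any tags that survive are shown literally by the recipient's MUA, which is what post #6 is relying on; strip_tags here is only the thread's own belt-and-braces choice.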
