By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
425,810 Members | 783 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 425,810 IT Pros & Developers. It's quick & easy.

PHP script Help Needed

P: n/a
I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.

1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. fo*@bar.com) and contain one and only
one address each.

2) The message contains text only. No attachments allowed.
I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated
Thanks
DB
Jul 20 '08 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Ima Lozer wrote:
I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.

1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. fo*@bar.com) and contain one and only
one address each.

2) The message contains text only. No attachments allowed.
I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated
Thanks
DB

I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.

You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")
Jul 20 '08 #2

P: n/a
In article <xY*****************@nlpi069.nbdc.sbc.com>,
ma*****@firstdbasource.com says...
Ima Lozer wrote:
I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.

1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. fo*@bar.com) and contain one and only
one address each.

2) The message contains text only. No attachments allowed.
I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated
Thanks
DB


I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.

You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")

Thanks. I alrady have the script 100% functional. That is not the
issue. What I want to do is tighten it up for security. I need to test
the TO and FROM email addresses to ensure that the entry is a singular
validly formatted email address, and I wand to make sure that no black
hat uses the MESSAGE field to upliad anything that can harm the
recipient's system or my server. I'll look at phpmailer to see if it
has this type of code in it.
Jul 21 '08 #3

P: n/a
Ima Lozer wrote:
In article <xY*****************@nlpi069.nbdc.sbc.com>,
ma*****@firstdbasource.com says...
>Ima Lozer wrote:
>>I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.

1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. fo*@bar.com) and contain one and only
one address each.

2) The message contains text only. No attachments allowed.
I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated
Thanks
DB

I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.

You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")


Thanks. I alrady have the script 100% functional. That is not the
issue. What I want to do is tighten it up for security. I need to test
the TO and FROM email addresses to ensure that the entry is a singular
validly formatted email address, and I wand to make sure that no black
hat uses the MESSAGE field to upliad anything that can harm the
recipient's system or my server. I'll look at phpmailer to see if it
has this type of code in it.
The simplest way is to check for nl and cr characters ("\n" and "\r") in
the from, and subject fields. If there are any, send it back.

It works because each entry (i.e. To:, CC:, BCC:, etc.) needs to be on a
separate line.

Not perfectly foolproof, but it catches virtually all of the spammers.
It only leaves the to: field - which you should control in your script,
not from the form (i.e. use an id in the form and pull the actual email
address from a file/database/array/whatever).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jul 21 '08 #4

P: n/a
On Jul 21, 1:38 am, Jerry Stuckle <jstuck...@attglobal.netwrote:
Ima Lozer wrote:
In article <xYNgk.16869$89.9...@nlpi069.nbdc.sbc.com>,
maus...@firstdbasource.com says...
Ima Lozer wrote:
I am in the process of writing an app for one of my sites that will
allow guests to send e-cards to other folks. The process is fairly
simple. First the sender selects a card graphic via a series of radio
buttons. Then he enters his and the recipient's name and email address.
Next he enters a message to the sender and clicks a button to send the
card. What I need help with is code to test the input in all appropriate
fields to ensure that no oen uses the script for black hat purposes. In
addition to anything else that may be an issue I'd like to address the
following.
>1) Ensure that the email addresses values entered (recipient and sender)
are both validly formatted (e.g. f...@bar.com) and contain one and only
one address each.
>2) The message contains text only. No attachments allowed.
>I'm basically looking for ways to block the black hats from using this
for spam or spreading any malware. Direct assistance with this or being
pointed to a reference that addresses the subject would be appreciated
>Thanks
DB
I find that phpmailer can be easily modified to do the actual sending -
you may need to configure SSL/TSL authenticated SMTP to your ISP
outbound servers (unless you have full control over your ReverseDNS and
your own SMTP server - in other words - if you do not fully own and
control the IP address(es). If you do use DynamicDNS you will be
blacklisted anyway. It seems to me to unfair, but fighting that is a
losing proposition.
You will want to take a look at some sort of Captcha to ensure only
humans are interacting with your site. (ie. "enter at this funky-looking
picture of this word and type in the word here...")
Thanks. I alrady have the script 100% functional. That is not the
issue. What I want to do is tighten it up for security. I need to test
the TO and FROM email addresses to ensure that the entry is a singular
validly formatted email address, and I wand to make sure that no black
hat uses the MESSAGE field to upliad anything that can harm the
recipient's system or my server. I'll look at phpmailer to see if it
has this type of code in it.

The simplest way is to check for nl and cr characters ("\n" and "\r") in
the from, and subject fields. If there are any, send it back.

It works because each entry (i.e. To:, CC:, BCC:, etc.) needs to be on a
separate line.

Not perfectly foolproof, but it catches virtually all of the spammers.
It only leaves the to: field - which you should control in your script,
not from the form (i.e. use an id in the form and pull the actual email
address from a file/database/array/whatever).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================
You really, really must check that the requester's address is valid
and receiving mail - when a user requests requests a message to be
sent put it in a holding a queue then send back a message to the
requester with a URL which will release the ecard.

I don't even want to conjecture about how this could be abused
otherwise.

It won't stop people using throwaway addresses, but at least this
covers your responsibilities regarding due diligence.

C.
Jul 21 '08 #5

This discussion thread is closed

Replies have been disabled for this discussion.