do you find this secure ?
11-17-2008, 03:19 PM
First, there's really no sense in writing elaborate regular expressions when no-one can read them, they'll be a nightmare to modify and there's not even a comment to suggest what it's meant to be doing.
Would you consider it 'insecure' if we could spam
with thousands of messages per second, with any content that we like? I only ask because there's nothing stopping repeated processing of the form with an address like
. There's worse to come, see below.
Also, the emails which can be 'valid' might not be actual, usable email addresses. For example, the
above or even
will get through that silly regex. Specifying an 'invalid' (ie, an address which has no user at the other end) address isn't too big a deal unless you want to send a message to no-body later on. Of course, then it might be a big deal to get 99% of your emails bounced back at you.
Finally, and the biggie, it's very possible to misuse the posted code to send out spam messages with whatever content the abuser wants to as many addresses as they want: not just to your own address, but to anyone.
So, is your script secure. In a word, no.
Could it be made secure? Sure! Indeed the huge gaping chasm of a security hole can be closed very simply, you've just got to see it first. Can you see it?
The Following User Says Thank You to Salathe For This Useful Post:
View Public Profile
Send a private message to Salathe
Visit Salathe's homepage!
Find More Posts by Salathe