TalkPHP > Advanced PHP Programming > do you find this secure ? (http://www.talkphp.com/advanced-php-programming/3622-do-you-find-secure.html)

codefreek 11-17-2008 06:57 AM

do you find this secure ?
 
PHP Code:

<?php
if(isset($_POST['submit']))
{
    $email   = $_POST['email'];
    $bottest = $_POST['leave_blank'];

    if(strlen($email)<1)
    {
        exit("</br>You did not put in you're email!");
    }
    if(strlen($bottest)>1)
    {
        exit("</br>Nice try!");
    }

    function is_valid_email($email)
    {
        $expr = '([^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c' .
                '\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+|\\x22([^\\x0d' .
                '\\x22\\x5c\\x80-\\xff]|\\x5c[\\x00-\\x7f])*\\x22)' .
                '(\\x2e([^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e' .
                '\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+|' .
                '\\x22([^\\x0d\\x22\\x5c\\x80-\\xff]|\\x5c\\x00' .
                '-\\x7f)*\\x22))*\\x40([^\\x00-\\x20\\x22\\x28' .
                '\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d' .
                '\\x7f-\\xff]+|\\x5b([^\\x0d\\x5b-\\x5d\\x80-\\xff' .
                ']|\\x5c[\\x00-\\x7f])*\\x5d)(\\x2e([^\\x00-\\x20' .
                '\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40' .
                '\\x5b-\\x5d\\x7f-\\xff]+|\\x5b([^\\x0d\\x5b-' .
                '\\x5d\\x80-\\xff]|\\x5c[\\x00-\\x7f])*\\x5d))*';

        return (preg_match('/^' . $expr . '$/', $email));
    }

    if(is_valid_email($email))
    {
        $email   = $_REQUEST['email'];
        $message = strip_tags($_REQUEST['message']);

        mail("yourmail@gmail.com", "Mail From Site By User!",
             $message, "From: $email");
        print "Thank you for taking an interest in mysite.com";
    }
    else
    {
        print "please post your real email";
    }
}
?>


<form method="post" action="sendmail.php">
  Email: <input name="email" type="text" /><br />
  Message:<br />
  <textarea name="message" rows="15" cols="40">
  </textarea><br />
<div style='display:none;visibility:hidden;'>
    <input type='text' name='leave_blank' id='leave_blank'>
</div>
  <input type="submit" name="submit" value="submit"/>
</form>


Tanax 11-17-2008 11:51 AM

What do all those x20, x5c and all that in the expression mean?

Wildhoney 11-17-2008 02:17 PM

You're doing too much. I think we've discussed this many times before. Just you wait until Salathe gets here! Hehe.

Salathe 11-17-2008 03:19 PM

First, there's really no sense in writing elaborate regular expressions when no-one can read them, they'll be a nightmare to modify and there's not even a comment to suggest what it's meant to be doing.

Would you consider it 'insecure' if we could spam youremail@gmail.com with thousands of messages per second, with any content that we like? I only ask because there's nothing stopping repeated processing of the form with an address like no-reply@localhost. There's worse to come, see below.

Also, the emails which can be 'valid' might not be actual, usable email addresses. For example, the no-reply@localhost above or even !@^ will get through that silly regex. Specifying an 'invalid' (ie, an address which has no user at the other end) address isn't too big a deal unless you want to send a message to no-body later on. Of course, then it might be a big deal to get 99% of your emails bounced back at you.

Finally, and the biggie, it's very possible to misuse the posted code to send out spam messages with whatever content the abuser wants to as many addresses as they want: not just to your own address, but to anyone.

So, is your script secure? In a word, no.

Could it be made secure? Sure! Indeed the huge gaping chasm of a security hole can be closed very simply, you've just got to see it first. Can you see it?

codefreek 11-17-2008 06:04 PM

Hello thanks for the input, @wildhoney: too much ??..
and @Salathe: as always great teacher :)

ps on the point of the regex i am still learning regex i got
it from a friend when i made my register, so i use it in anything else as i think it works great and then the insecure parts, all i can see yeah the spam part can be fixed with a session id or a captcha maybe, and then on the part of spamming others that i can not see,

and maybe
PHP Code:

$bottest = $_POST['leave_blank'];

<div style='display:none;visibility:hidden;'>
<input type='text' name='leave_blank' id='leave_blank'>
</div>
that might not be secure that is the all i see, if you see anymore would be greatly appreciated :)

and thank you for making me a better coder :)

PS: also filter $_POST[] so we don't get any XSS attacks

codefreek 11-17-2008 09:47 PM

function is_valid_email($email)
{
$expr = '\w[\w+-]*(?:\.[\w+-]+)*@[a-z0-9-]+(?:\.[a-z0-9-])*\.[a-z]{2,4}';

return (preg_match('/^' . $expr . '$/i', $email));
}

if(is_valid_email($email))
{

better ?

codefreek 11-17-2008 10:43 PM

:::UPDATE:::
PHP Code:

<?php
if(isset($_POST['submit']))
{
    $email   = strip_tags($_POST['email']);
    $message = strip_tags($_POST['message']);
    $bottest = strip_tags($_POST['leave_blank']);

    if(strlen($email)<1)
    {
        exit("</br>You did not put in you're email!");
    }
    if(strlen($message)<1)
    {
        exit("</br>You forgot to write a message");
    }
    if(strlen($bottest)>1)
    {
        exit("</br>Nice try!");
    }

    function spamcheck($field)
    {
        $field = filter_var($field, FILTER_SANITIZE_EMAIL);
        if(filter_var($field, FILTER_VALIDATE_EMAIL)) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

    if (isset($_REQUEST['email']))
    {
        $mailcheck = spamcheck($_REQUEST['email']);
        if ($mailcheck==FALSE)
        {
            echo "Invalid input<br />";
        }

        function is_valid_email($email)
        {
            $expr = '\w[\w+-]*(?:\.[\w+-]+)*@[a-z0-9-]+(?:\.[a-z0-9-])*\.[a-z]{2,4}$i';

            return (preg_match('/^' . $expr . '$/', $email));
        }

        if(is_valid_email($email))
        {
            $email   = strip_tags($_REQUEST['email']);
            $message = strip_tags($_REQUEST['message']);

            mail("mailto@gmail.com", "Mail From Site By User!",
                 $message, "From: $email");
            print "Thank you for taking an interest in mysite.com";
        }
        else
        {
            print "please post your real email";
        }
    }
}
?>


<form method="post" action="sendmail.php">
  Email: <input name="email" type="text" /><br />
  Message:<br />
  <textarea name="message" rows="10" cols="30">
  </textarea><br />
<div style='display:none;visibility:hidden;'>
    <input type='text' name='leave_blank' id='leave_blank'>
</div>
  <input type="submit" name="submit" value="submit"/>
</form>

so better now ?
still need to block out massive mail spam to me :P
but i am still thinking on how to fix that
would it be like this ?

session id to the person by a ip ? like if for say person x
has ip 123.123.12.4 do a session id for that or so ? solutions to this would be greatly appreciated ;)

PS: at least now no one can do like this for example

Quote:

someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com
xD that was a big security flaw :P xd!

codefreek 11-17-2008 11:02 PM

omg lol guess what google is a great tool XD! hihi
i learned so much today!


PS: i am really waiting like a kid on Christmas day :P on what
you have to say next Salathe :D

Thank you in advance!!

HUM: now when i press submit i get a blank page :S

Salathe 11-18-2008 11:06 AM

Quote:

Originally Posted by codefreek (Post 19702)
PS: at least now no one can do like this for example

Code:

someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

xD that was a big security flaw :P xd!

That "big security flaw" is still there.

The code could do with a tidy up (indenting!) and sometimes you're doing nearly the same thing but in different ways with different functions.

P.S. What's going on with the is_valid_email function; the regular expression ends with …$i$/ when called in preg_match. I don't think that's what you wanted.
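Added here as an example, not code from the thread or from codefreek's script: a version of the handler with the header injection closed, the visitor's address moved from From: to Reply-To, and a simple per-session throttle. The function names (safe_email, build_headers, allow_send) and the addresses are assumptions.

```php
<?php
// Added example, not code from the thread: a hardened version of the handler.
// Function names, variable names and the addresses below are assumptions.

// Returns the address if it is safe to place in a mail header, else null.
// strip_tags(), used in the update above, removes HTML tags but keeps line
// breaks, so it never closed this hole.
function safe_email(string $input): ?string
{
    // A CR or LF (the %0A in the quoted payload) or any other control byte
    // would end the From: line and let a sender append Cc:/Bcc: headers.
    if (preg_match('/[\x00-\x1f\x7f]/', $input)) {
        return null;
    }
    $email = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// The visitor's address never becomes the From: address: the site owns
// From:, and the visitor goes in Reply-To so replies still reach them.
function build_headers(string $site_from, string $reply_to): string
{
    return "From: $site_from\r\nReply-To: $reply_to\r\n";
}

// Per-session throttle against repeated submissions. A bot can simply drop
// the cookie, so pair it with a server-side per-IP counter or a CAPTCHA.
function allow_send(array &$session, int $now, int $min_gap = 60): bool
{
    if (isset($session['last_send']) && $now - $session['last_send'] < $min_gap) {
        return false;
    }
    $session['last_send'] = $now;
    return true;
}

// Constructed inputs, including the injection payload quoted in the thread.
$cases = [
    'someone@example.com',
    "someone@example.com\nCc:person2@example.com",
    '!@^',
];
foreach ($cases as $c) {
    $r = safe_email($c);
    printf("%-44s => %s\n", addcslashes($c, "\n"), $r === null ? 'rejected' : $r);
}
```

With session_start() called, the handler becomes: validate with safe_email(), check allow_send($_SESSION, time()), then pass build_headers('noreply@mysite.com', $addr) as the fourth argument of mail() with the site's own address as From.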

codefreek 11-18-2008 05:06 PM

fixed those, could you share what that "big security flaw"
is, as i have fixed those i did see :)
Thank you for your help sir.

-Codefreek

codefreek 11-18-2008 05:09 PM

i have put the functions in it's own file so it looks more clean..

PHP Code:

<?php
error_reporting(E_ALL);
include 'sm_functions.php';
if(isset($_POST['submit']))
{
    $email   = $_POST['email'];
    $message = $_POST['message'];
    $bottest = $_POST['leave_blank'];

    if(strlen($email)<1)
    {
        exit("</br>You did not put in you're email!");
    }
    if(strlen($message)<1)
    {
        exit("</br>You forgot to write a message");
    }
    if(strlen($bottest)>1)
    {
        exit("</br>Nice try!");
    }

    /* this will do the check if the script has asked for $_REQUEST['email'] */
    if (isset($_REQUEST['email']))
    {
        $mailcheck = spamcheck($_REQUEST['email']);

        if ($mailcheck==FALSE)
        {
            echo "Invalid input<br />";
        }
        else
        {
            /* func_check_email */
            if(is_valid_email($email))
            {
                $email   = $_REQUEST['email'];
                $message = strip_tags($_REQUEST['message']);

                mail("mailto@gmail.com", "Mail From Site By User!",
                     $message, "From: $email");
                print "Thank you for taking an interest in mysite.com";
            }
            else
            {
                print "please post your real email";
            }
        }
    }
}
?>


<form method="post" action="sendmail.php">
  Email: <input name="email" type="text" /><br />
  Message:<br />
  <textarea name="message" rows="10" cols="30">
  </textarea><br />
<div style='display:none;visibility:hidden;'>
    <input type='text' name='leave_blank' id='leave_blank'>
</div>
  <input type="submit" name="submit" value="submit"/>
</form>


codefreek 11-19-2008 02:08 AM

Could use some help :)

codefreek 11-20-2008 06:46 PM

lol i did forget one thing about forums they have a search spot ;)
and now i know maybe why i am not getting a lot of response for this as
people have asked a lot of questions when it comes to mail :)
sorry!

codefreek 11-21-2008 05:16 AM

::update::2
PHP Code:

<?php
error_reporting(E_ALL);
include 'sm_functions.php';
if(isset($_POST['submit']))
{
    /* spamcheck(), as defined earlier in the thread, returns TRUE or FALSE,
       so $email holds a boolean here rather than the address */
    $email   = spamcheck($_REQUEST['email']);
    $message = strip_tags($_REQUEST['message']);

    if(empty($email))
    {
        print "</br>You did not put in you're email!";
    }
    if(empty($message))
    {
        print "</br>You forgot to write a message";

        /* func_check_email */
        if(is_valid_email($email))
        {
            /* Do a valid email check */
            print "check done";
        } else {
            print "please post your real email";
        }

    /* Do spam check */
    } else {
        if($email==FALSE)
        {
            echo "Invalid input<br />";
        } else {
            mail("mailto@gmail.com", "Mail From Site By User!", $message, "From: $email");
            /* the posted code had no semicolon on the next line; a parse error
               with display_errors off shows up as a blank page */
            print "Thank you for taking an interest in mysite.com";
        }
    }
}
?>


<form method="post" action="sendmail.php">
Email: <input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="10" cols="30">
</textarea><br />
<input type="submit" name="submit" value="submit"/>
</form>

Still a blank page

thoughts ?

