#1, 11-17-2008, 06:57 AM, Super Moderator
Do you find this secure?
PHP Code:
<?php
if(isset($_POST['submit']))
{
    $email = $_POST['email'];
    $bottest = $_POST['leave_blank'];   // honeypot field, hidden from browsers
    if(strlen($email)<1)
    {
        exit("<br />You did not put in your email!");
    }
    if(strlen($bottest)>1)
    {
        exit("<br />Nice try!");
    }
    // RFC 822-style address grammar written with hex escapes:
    // local part (atom or quoted string), '@', domain (atoms or a [literal])
    function is_valid_email($email)
    {
        $expr = '([^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c' .
            '\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+|\\x22([^\\x0d' .
            '\\x22\\x5c\\x80-\\xff]|\\x5c[\\x00-\\x7f])*\\x22)' .
            '(\\x2e([^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e' .
            '\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+|' .
            '\\x22([^\\x0d\\x22\\x5c\\x80-\\xff]|\\x5c[\\x00' .
            '-\\x7f])*\\x22))*\\x40([^\\x00-\\x20\\x22\\x28' .
            '\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40\\x5b-\\x5d' .
            '\\x7f-\\xff]+|\\x5b([^\\x0d\\x5b-\\x5d\\x80-\\xff' .
            ']|\\x5c[\\x00-\\x7f])*\\x5d)(\\x2e([^\\x00-\\x20' .
            '\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c\\x3e\\x40' .
            '\\x5b-\\x5d\\x7f-\\xff]+|\\x5b([^\\x0d\\x5b-' .
            '\\x5d\\x80-\\xff]|\\x5c[\\x00-\\x7f])*\\x5d))*';
        return (preg_match('/^' . $expr . '$/', $email));
    }
    if(is_valid_email($email))
    {
        // note: the value that is sent is re-read from $_REQUEST,
        // not the $_POST copy that was just validated
        $email = $_REQUEST['email'] ;
        $message = strip_tags($_REQUEST['message']) ;
        mail( "yourmail@gmail.com", "Mail From Site By User!",
            $message, "From: $email" );
        print "Thank you for taking an interest in mysite.com";
    }
    else
    {
        print "please post your real email";
    }
}
?>
<form method="post" action="sendmail.php">
Email: <input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="15" cols="40">
</textarea><br />
<div style='display:none;visibility:hidden;'>
<input type='text' name='leave_blank' id='leave_blank'>
</div>
<input type="submit" name="submit" value="submit"/>
</form>

#2, 11-17-2008, 11:51 AM, The Prestige
What do all those x20, x5c and all that in the expression mean?
The Following User Says Thank You to Tanax For This Useful Post:

#3, 11-17-2008, 02:17 PM, La Vida es Sueño
You're doing too much. I think we've discussed this many times before. Just you wait until Salathe gets here! Hehe.
The Following User Says Thank You to Wildhoney For This Useful Post:

#4, 11-17-2008, 03:19 PM, Moderateur
First, there's really no sense in writing elaborate regular expressions when no-one can read them, they'll be a nightmare to modify and there's not even a comment to suggest what it's meant to be doing.
Would you consider it 'insecure' if we could spam youremail@gmail.com with thousands of messages per second, with any content that we like? I only ask because there's nothing stopping repeated processing of the form with an address like no-reply@localhost. There's worse to come, see below.
Also, the emails which can be 'valid' might not be actual, usable email addresses. For example, the no-reply@localhost above or even !@^ will get through that silly regex. Specifying an 'invalid' (i.e., an address which has no user at the other end) address isn't too big a deal unless you want to send a message to nobody later on. Of course, then it might be a big deal to get 99% of your emails bounced back at you.
Finally, and the biggie, it's very possible to misuse the posted code to send out spam messages with whatever content the abuser wants to as many addresses as they want: not just to your own address, but to anyone.
So, is your script secure? In a word, no.
Could it be made secure? Sure! Indeed the huge gaping chasm of a security hole can be closed very simply, you've just got to see it first. Can you see it?
The Following User Says Thank You to Salathe For This Useful Post:

#5, 11-17-2008, 06:04 PM, Super Moderator
Hello, thanks for the input. @wildhoney: too much??..
and @Salathe: as always, great teacher :)
PS: on the point of the regex, I am still learning regex; I got
it from a friend when I made my register, so I use it in anything else as I think it works great. And then the insecure parts: all I can see is, yeah, the spam part can be fixed with a session id or a captcha maybe, and then on the part of spamming others, that I cannot see,
and maybe
PHP Code:
$bottest = $_POST['leave_blank'];
<div style='display:none;visibility:hidden;'>
<input type='text' name='leave_blank' id='leave_blank'>
</div>
that might not be secure. That is all I see; if you see any more it would be greatly appreciated :)
and thank you for making me a better coder :)
PS: also filter $_POST[] so we don't get any XSS attacks
Last edited by codefreek : 11-17-2008 at 06:43 PM.

#6, 11-17-2008, 09:47 PM, Super Moderator
PHP Code:
function is_valid_email($email)
{
    // shorter pattern: local part, '@', dotted domain labels, 2-4 letter TLD;
    // the label group is [a-z0-9-]+ so multi-character labels such as
    // "mail.example.com" match, and /i makes the match case-insensitive
    $expr = '\w[\w+-]*(?:\.[\w+-]+)*@[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,4}';
    return (preg_match('/^' . $expr . '$/i', $email));
}
if(is_valid_email($email))
{
Better?
Last edited by codefreek : 11-17-2008 at 10:20 PM.

#7, 11-17-2008, 10:43 PM, Super Moderator
:::UPDATE:::
PHP Code:
<?php
if(isset($_POST['submit']))
{
    $email = strip_tags($_POST['email']);
    $message = strip_tags($_POST['message']);
    $bottest = strip_tags($_POST['leave_blank']);
    if(strlen($email)<1) { exit("<br />You did not put in your email!"); }
    if(strlen($message)<1) { exit("<br />You forgot to write a message"); }
    if(strlen($bottest)>1) { exit("<br />Nice try!"); }

    // sanitise, then validate with PHP's own email filter
    function spamcheck($field)
    {
        $field = filter_var($field, FILTER_SANITIZE_EMAIL);
        if(filter_var($field, FILTER_VALIDATE_EMAIL)) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

    if (isset($_REQUEST['email']))
    {
        $mailcheck = spamcheck($_REQUEST['email']);
        if ($mailcheck==FALSE) { echo "Invalid input<br />"; }

        // second check with a regex; note that the pattern string ends in "$i",
        // so the delimiter closes after it and no /i flag is applied
        function is_valid_email($email)
        {
            $expr = '\w[\w+-]*(?:\.[\w+-]+)*@[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,4}$i';
            return (preg_match('/^' . $expr . '$/', $email));
        }
        if(is_valid_email($email))
        {
            $email = strip_tags($_REQUEST['email']);
            $message = strip_tags($_REQUEST['message']);
            mail( "mailto@gmail.com", "Mail From Site By User!", $message, "From: $email" );
            print "Thank you for taking an interest in mysite.com";
        }
        else
        {
            print "please post your real email";
        }
    }
}
?>
<form method="post" action="sendmail.php">
Email: <input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="10" cols="30">
</textarea><br />
<div style='display:none;visibility:hidden;'>
<input type='text' name='leave_blank' id='leave_blank'>
</div>
<input type="submit" name="submit" value="submit"/>
</form>
So, better now?
Still need to block out massive mail spam to me :P
but I am still thinking on how to fix that.
Would it be like this?
A session id to the person by an IP? Like if, say, person x
has IP 123.123.12.4, do a session id for that or so? Solutions to this would be greatly appreciated ;)
PS: at least now no one can do like this for example
xD that was a big security flaw :P xd!
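An added example, not code from the thread, for the throttling question in the post above: a per-session form token forces a visitor to load the form before posting to it, and a per-session counter with a minimum interval caps how fast one visitor can send. The function names, the limits and the hidden-field name form_token are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example (not from the thread): throttle repeated form submissions.
// Constants, function names and the hidden-field name are assumptions.
session_start();

const MIN_SECONDS_BETWEEN = 60;  // at most one message per minute
const MAX_PER_SESSION     = 5;   // and at most five per session

// Called while rendering the form; the token goes into a hidden field,
// so a sender must actually load the form before posting to it.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

// Called when the form is posted. Returns false, leaving the session
// untouched, when this submission should be refused.
function allow_submission(array &$session, string $token, int $now): bool
{
    $expected = $session['form_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $token)) {
        return false;                       // no form load, or a replayed token
    }
    $last  = $session['last_submit'] ?? 0;
    $count = $session['submit_count'] ?? 0;
    if ($count >= MAX_PER_SESSION || ($now - $last) < MIN_SECONDS_BETWEEN) {
        return false;
    }
    unset($session['form_token']);          // one token, one submission
    $session['last_submit']  = $now;
    $session['submit_count'] = $count + 1;
    return true;
}

if (isset($_POST['submit'])) {
    $posted = $_POST['form_token'] ?? '';
    $token  = is_string($posted) ? $posted : '';
    if (!allow_submission($_SESSION, $token, time())) {
        exit("Too many messages, or the form has expired. Please reload it.");
    }
    // ... validate the address and send the mail here ...
} else {
    $token = htmlspecialchars(issue_form_token($_SESSION), ENT_QUOTES, 'UTF-8');
    print '<input type="hidden" name="form_token" value="' . $token . '" />';
}
```

A session only binds a client that keeps its cookie, so a sender that discards it starts fresh each time; pair this with a server-side per-IP counter or a CAPTCHA, the other option mentioned in the thread.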

#8, 11-18-2008, 11:06 AM, Moderateur
Quote: Originally Posted by codefreek
PS: at least now no one can do like this for example
Code:
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com
xD that was a big security flaw :P xd!
That "big security flaw" is still there.
The code could do with a tidy up (indenting!) and sometimes you're doing nearly the same thing but in different ways with different functions.
P.S. What's going on with the is_valid_email function; the regular expression ends with … $i$/ when called in preg_match. I don't think that's what you wanted.
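An added example, not code from the thread, showing the fix Salathe is pointing at: an address carrying CR or LF (what the %0A sequences in the quoted address decode to) must be refused before it can reach a mail header, and the From: header should not be built from raw input at all. Function names and the two addresses are placeholders; PHP 7 or later is assumed.

```php
<?php
// Added example (not the thread's code): a hardened version of the handler.
// The address is validated once, any CR/LF is refused before the value can
// reach a mail header, and From: is a fixed site address so user input never
// lands in the header block. Both addresses are placeholders.

function post_field(string $name): string
{
    $value = $_POST[$name] ?? '';
    return is_string($value) ? trim($value) : '';   // arrays are not accepted
}

function is_safe_email(string $email): bool
{
    // %0A / %0D in the request arrive here already decoded as "\n" / "\r";
    // either one would let extra Cc:/Bcc:/To: lines be appended to the headers.
    if (preg_match('/[\r\n]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function send_contact_mail(string $email, string $message): bool
{
    if (!is_safe_email($email)) {
        return false;
    }
    // From: is our own address; the visitor's address only appears as
    // Reply-To, and only after it has passed is_safe_email().
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: " . $email . "\r\n";
    return mail("yourmail@example.com", "Mail From Site By User!",
                strip_tags($message), $headers);
}

if (isset($_POST['submit'])) {
    $email   = post_field('email');
    $message = post_field('message');
    if ($email === '' || $message === '') {
        exit("<br />Both an email address and a message are required.");
    }
    if (!is_safe_email($email)) {
        exit("Please post your real email.");
    }
    print send_contact_mail($email, $message)
        ? "Thank you for taking an interest in mysite.com"
        : "The message could not be sent.";
}
```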

#9, 11-17-2008, 11:02 PM, Super Moderator
OMG lol, guess what, Google is a great tool XD! hihi
I learned so much today!
PS: I am really waiting like a kid on Christmas day :P for what
you have to say next, Salathe :D
Thank you in advance!!
HUM: now when I press submit I get a blank page :S
Last edited by codefreek : 11-18-2008 at 12:12 AM.
Reason: EDIT

#10, 11-18-2008, 05:06 PM, Super Moderator
Fixed those. Could you share what that "big security flaw"
is, as I have fixed those I did see :)
Thank you for your help, sir.
-Codefreek

#11, 11-18-2008, 05:09 PM, Super Moderator
I have put the functions in their own file so it looks cleaner..
PHP Code:
<?php
error_reporting(E_ALL);
include 'sm_functions.php';   // spamcheck() and is_valid_email() are defined there
if(isset($_POST['submit']))
{
    $email = $_POST['email'];
    $message = $_POST['message'];
    $bottest = $_POST['leave_blank'];
    if(strlen($email)<1) { exit("<br />You did not put in your email!"); }
    if(strlen($message)<1) { exit("<br />You forgot to write a message"); }
    if(strlen($bottest)>1) { exit("<br />Nice try!"); }
    /* this will do the check if the script has asked for $_REQUEST['email'] */
    if (isset($_REQUEST['email']))
    {
        $mailcheck = spamcheck($_REQUEST['email']);
        if ($mailcheck==FALSE)
        {
            echo "Invalid input<br />";
        }
        else
        {
            /* func_check_email */
            if(is_valid_email($email))
            {
                $email = $_REQUEST['email'] ;
                $message = strip_tags($_REQUEST['message']) ;
                mail( "mailto@gmail.com", "Mail From Site By User!", $message, "From: $email" );
                print "Thank you for taking an interest in mysite.com";
            }
            else
            {
                print "please post your real email";
            }
        }
    }
}
?>
<form method="post" action="sendmail.php">
Email: <input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="10" cols="30">
</textarea><br />
<div style='display:none;visibility:hidden;'>
<input type='text' name='leave_blank' id='leave_blank'>
</div>
<input type="submit" name="submit" value="submit"/>
</form>

#12, 11-19-2008, 02:08 AM, Super Moderator
Could use some help :)
Last edited by codefreek : 11-19-2008 at 07:21 PM.
Reason: EDIT TEXT

#13, 11-20-2008, 06:46 PM, Super Moderator
lol I did forget one thing about forums: they have a search spot ;)
and now I know maybe why I am not getting a lot of response for this, as
people have asked a lot of questions when it comes to mail :)
sorry!

#14, 11-21-2008, 05:16 AM, Super Moderator
:::UPDATE 2:::
PHP Code:
<?php
error_reporting(E_ALL);
include 'sm_functions.php';
if(isset($_POST['submit']))
{
    // spamcheck() as posted earlier returns TRUE/FALSE, so $email holds a
    // boolean here rather than the address itself
    $email = spamcheck($_REQUEST['email']);
    $message = strip_tags($_REQUEST['message']);
    if(empty($email)) { print "<br />You did not put in your email!"; }
    if(empty($message))
    {
        print "<br />You forgot to write a message";
        /* func_check_email */
        /* note: this branch only runs when the message is empty */
        if(is_valid_email($email))
        {
            /* Do a valid email check */
            print "check done";
        }
        else
        {
            print "please post your real email";
        }
        /* Do spam check */
    }
    else
    {
        if($email==FALSE)
        {
            echo "Invalid input<br />";
        }
        else
        {
            mail("mailto@gmail.com", "Mail From Site By User!", $message, "From: $email");
            print "Thank you for taking an interest in mysite.com";
        }
    }
}
?>
<form method="post" action="sendmail.php">
Email: <input name="email" type="text" /><br />
Message:<br />
<textarea name="message" rows="10" cols="30">
</textarea><br />
<input type="submit" name="submit" value="submit"/>
</form>
Still a blank page.
Thoughts?