[nycphp-talk] worm/virus's hammering feedback scripts?
csnyder
chsnyder at gmail.com
Mon Sep 12 11:06:47 EDT 2005
On 9/12/05, Chris Shiflett <shiflett at php.net> wrote:
> With such a list, you can pretty much do whatever you please - you can
> even try injecting content into each variable name as a variety of types
> - GET data, POST data, cookies, etc.
>
> So, as developers, we must necessarily give away a lot of information
> about our applications. This makes our job even harder.
The web is the most insecure environment ever invented for
applications. Your entire *public* interface is transparently exposed
to any and all attackers, both human and scripted, 24x7 worldwide.
Spam bots like the one described in this thread are just the
beginning, I think. Sorry for the fear-mongering; what can PHP do to
protect us?
A simpler mail() function would be a great start. Something like:
text_mail( $to, $from, $subject, $body )
- strip MIME injection from all inputs
- strip \r and \n from all but the body
- strip_tags( $body )
This would address (almost?) everything that contact.php and
feedback.php builders need from an email function.
Or if that's too limited, use an array for $headers and build them
from each element in the array, stripped of \r and \n.
--
Chris Snyder
http://chxo.com/
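A concrete version of the text_mail() proposal above, added here as an example and not code from the original post: headers are assembled from an array, and any header value carrying CR, LF or NUL is rejected rather than stripped, so an injection attempt surfaces as an error that can be logged. The function names are assumptions.

```php
<?php
// Added example, not from the original post: a defensive wrapper in the spirit
// of the proposed text_mail(). All function names here are assumptions.
// A newline in a header value is the only way a caller (or a bot driving a
// feedback form) can append Bcc:/Content-Type: lines, so treat CR, LF or NUL
// as an injection attempt and refuse it rather than silently strip it.
function clean_header_value(string $value): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('CR/LF or NUL in mail header value');
    }
    return trim($value);
}
function clean_address(string $address): string
{
    $address = clean_header_value($address);
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Not a valid email address: $address");
    }
    return $address;
}
// Builds the arguments for mail() without sending, so they can be inspected.
function build_text_mail(string $to, string $from, string $subject, string $body, array $extra = []): array
{
    $to      = clean_address($to);
    $from    = clean_address($from);
    $subject = clean_header_value($subject);
    // Headers come from an array (the post's alternative suggestion), one
    // "Name: value" line each; a caller can never hand over a raw header block.
    $headers = ['From' => $from, 'Reply-To' => $from,
                'Content-Type' => 'text/plain; charset=UTF-8'];
    foreach ($extra as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9-]+$/', (string) $name)) {
            throw new InvalidArgumentException("Bad header name: $name");
        }
        $headers[$name] = clean_header_value($value);
    }
    $lines = [];
    foreach ($headers as $name => $value) {
        $lines[] = "$name: $value";
    }
    // The body is the one place newlines belong: drop markup, normalise EOLs.
    $body = preg_replace("/\r\n?/", "\n", strip_tags($body));
    return [$to, $subject, $body, implode("\r\n", $lines)];
}

function text_mail(string $to, string $from, string $subject, string $body): bool
{
    return mail(...build_text_mail($to, $from, $subject, $body));
}
```

Because the fixed Content-Type header is set by the wrapper and no caller-supplied string ever reaches mail() with a line break in it, the MIME and Bcc injection tricks the thread describes have nowhere to land.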