[nycphp-talk] worm/virus's hammering feedback scripts?
Daniel Convissor
danielc at analysisandsolutions.com
Mon Sep 12 14:35:30 EDT 2005
Hi Michael:
On Mon, Sep 12, 2005 at 12:41:12PM -0400, Michael Southwell wrote:
> At 12:20 PM 9/12/2005, you wrote:
>
> >A list of addresses is the wrong approach. The email addresses are
> >variable and easy to change. More importantly, the content is the issue,
> >not the email address.
>
> The point is simply to identify which scripts have sent emails to the
> known-bad addresses; those are the vulnerable ones.
I'm afraid that will lead people into both a false sense of security and
using email address blacklists. Folks should audit their email scripts,
period.
> There were other problems as well, which I noted in my polished
> version. We need an officially sanctioned version of the function
> before we can post anything.
Agreed. Here's what I think is a good starting point for discussion...
<?php
// untested!!!!
// MUST do isset() checks on all of these first!
// left out for brevity.
// preg_* is used here because the ereg functions were removed in PHP 7.
if (preg_match('/^[a-z0-9_.=+-]+@([a-z0-9-]+\.)+([a-z]{2,6})$/i', $_POST['address'])) {
    $address = $_POST['address'];
} else {
    echo 'bad email';
    exit;
}
// Strip anything outside a conservative character set from the header
// fields; this also removes the CR/LF an injected header line would need.
$name = preg_replace("/[^a-z .'-]/i", '', $_POST['name']);
$subject = preg_replace("/[^a-z .'-]/i", '', $_POST['subject']);
$message = htmlspecialchars($_POST['message']);
@mail('me@example.com', $subject, $message, "From: $name <$address>");
?>
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
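An added example, not code from Dan's post or from the list: a current version of the same feedback handler that rejects header-injection attempts and logs them instead of silently stripping characters. It assumes PHP 7 or later; the recipient address, the log path and the function names are placeholders chosen for this example.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7 or later.
// RECIPIENT and REJECT_LOG are placeholders.
const RECIPIENT  = 'me@example.com';
const REJECT_LOG = '/var/log/feedback-reject.log';

// True if a value could break out of a single mail header: a CR, LF or NUL
// is what an injected extra header line needs. Reject instead of stripping
// so that abuse attempts show up in the logs.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns an array of clean fields, or a string naming the first problem.
function validate_feedback(array $post)
{
    foreach (['address', 'name', 'subject', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return "missing field: $field";
        }
    }
    if (filter_var($post['address'], FILTER_VALIDATE_EMAIL) === false) {
        return 'bad email';
    }
    foreach (['address', 'name', 'subject'] as $field) {
        if (has_header_injection($post[$field])) {
            return "header injection attempt in $field";
        }
    }
    // Header fields keep a conservative character set; the body is free text.
    return [
        'address' => $post['address'],
        'name'    => preg_replace("/[^a-z .'-]/i", '', $post['name']),
        'subject' => preg_replace("/[^a-z .'-]/i", '', $post['subject']),
        'message' => $post['message'],
    ];
}

$result = validate_feedback($_POST);
if (is_string($result)) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(date('c') . " $ip $result\n", 3, REJECT_LOG);
    http_response_code(400);
    exit('rejected');
}
// Build the From header only from values that passed validation.
$headers = "From: {$result['name']} <{$result['address']}>\r\n";
@mail(RECIPIENT, $result['subject'], $result['message'], $headers);
```

The reject log gives the web host's operator something concrete to watch: a burst of "header injection attempt" lines is the signature of the automated probing the thread is about.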