[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
Rolan Yang
rolan at omnistep.com
Tue Sep 13 10:57:33 EDT 2005
csnyder wrote:
>I'm curious as to why we wouldn't just bail out and refuse to send the
>email at all if someone posted input with CR or LF in it?
>
>Seems to me that if you have a form with <input type="text"
>name="from" /> and you get a multiline $_POST['from'], then somebody
>is trying to get away with something.
>
>While not necessarily the case here, sometimes taking out something
>bad will create a situation where you're left with something worse.
>Sometimes it's better to be conservative and disallow input rather
>than try to sanitize it.
>
>
I am in total agreement here. Even though the messages were no longer a
threat, we were awfully tired of seeing the flood of incoming garbage.
Preventing the offending message from being sent also saves a lot of
wear and tear on the "Delete" button.
~Rolan
More information about the talk
mailing list