[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION

inforequest 1j0lkq002 at sneakemail.com
Tue Sep 13 23:47:49 EDT 2005


Marc Antony Vose suzerain-at-suzerain.com |nyphp dev/internal group use| wrote:

>At 10:43 AM -0400 9/13/05, csnyder wrote:
>
>>I'm curious as to why we wouldn't just bail out and refuse to send the
>>email at all if someone posted input with CR or LF in it?
>>
>>Seems to me that if you have a form with <input type="text"
>>name="from" /> and you get a multiline $_POST['from'], then somebody
>>is trying to get away with something.
>
>At first this was freaking me out, too, but I just wanted to chime in
>and say this is my preferred solution to this problem as well.
>
>I think if you receive any input that looks fishy (by whatever test
>you choose...multiline 'from' lines seem like a good place to start),
>you should just not send the email, and show your users "Sorry, try
>again" or something.
>
>Cheers,

Thanks for the enlightening discussion.

While I agree completely with pro-active judging of input data, there 
are cases where users cut-n-paste data into form fields (from Word, for 
example) and inadvertently transfer all sorts of garbage (including 
CR/LF stuff).

-=john andrews
http://www.seo-fun.com
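The two positions in this thread (refuse to send when a header-bound field contains CR or LF, versus tolerating the line-break garbage users paste in from Word) are not actually in conflict once you separate fields that end up in mail headers from the one that ends up in the body. The following is an added example, not code posted by anyone on the list: header-bound fields (assumed here to be named `from` and `subject`) are rejected outright on CR/LF, as csnyder and Marc suggest, while the `message` body, where pasted multi-line text is expected, is only normalised. The sample inputs at the bottom are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Field names 'from', 'subject'
// and 'message' are assumed for illustration.

/**
 * True if $value may be placed on a single mail header line: no CR, LF or NUL,
 * and no percent-encoded %0A / %0D that some mail paths might decode later.
 */
function isSafeHeaderValue(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return false;
    }
    if (preg_match('/%0[aAdD]/', $value) === 1) {
        return false;
    }
    return true;
}

/**
 * Validate the submitted form. Returns a list of error strings; an empty list
 * means the message may be handed to mail(). Header-bound fields are refused
 * on CR/LF (the "bail out" approach from the thread); the body is left alone
 * here because line breaks are legitimate there.
 */
function validateContactForm(array $post): array
{
    $errors  = [];
    $from    = trim($post['from'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    if (!isSafeHeaderValue($from) || !isSafeHeaderValue($subject)) {
        // A multi-line From: or Subject: is either an injection attempt or
        // pasted garbage; in both cases it must not reach the mail headers.
        $errors[] = 'Sorry, try again: the e-mail and subject fields may not span multiple lines.';
    }

    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    }

    if (trim($message) === '') {
        $errors[] = 'The message body may not be empty.';
    }

    return $errors;
}

/**
 * Normalise the body so text pasted from Word or other editors does not carry
 * stray CR characters into the mail: CRLF and lone CR both become "\n".
 */
function normaliseBody(string $message): string
{
    return str_replace(["\r\n", "\r"], "\n", $message);
}

// Constructed sample submissions (not real traffic).
$clean = [
    'from'    => 'alice@example.com',
    'subject' => 'Feedback',
    'message' => "Pasted line one\r\nPasted line two\r",
];
$injected = [
    'from'    => "alice@example.com\r\nBcc: someone@example.com",
    'subject' => 'Feedback',
    'message' => 'hello',
];

foreach (['clean' => $clean, 'injected' => $injected] as $label => $post) {
    $errors = validateContactForm($post);
    if ($errors === []) {
        $body = normaliseBody($post['message']);
        echo "$label: OK, body would be sent with " . substr_count($body, "\n") . " newline(s)\n";
    } else {
        echo "$label: refused: " . implode(' ', $errors) . "\n";
    }
}
```

The split matters because the body is the only place a user can reasonably paste multi-line text; anything destined for a header line has no legitimate reason to contain a line break, so refusing it costs nothing in usability and removes the injection vector entirely.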
