[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION

Rolan Yang rolan at omnistep.com
Tue Sep 13 10:57:33 EDT 2005


csnyder wrote:

>I'm curious as to why we wouldn't just bail out and refuse to send the
>email at all if someone posted input with CR or LF in it?
>
>Seems to me that if you have a form with <input type="text"
>name="from" /> and you get a multiline $_POST['from'], then somebody
>is trying to get away with something.
>
>While not necessarily the case here, sometimes taking out something
>bad will create a situation where you're left with something worse.
>Sometimes it's better to be conservative and disallow input rather
>than try to sanitize it.
>

I am in total agreement here. Even though the messages were no longer a 
threat, we were awfully tired of seeing the flood of incoming garbage. 
Preventing the offending message from being sent also saves a lot of 
wear and tear on the "Delete" button.

~Rolan
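The "bail out instead of sanitize" approach csnyder describes and Rolan endorses, as an added PHP example that is not code from either poster or from the list: a feedback handler refuses the whole submission when a header-bound field such as `from` contains a CR, LF or NUL, and never calls `mail()` for it. The function names, the field names and the sample inputs are my own assumptions.

```php
<?php
// Added example (not from the original thread): reject, rather than strip,
// form input that could carry extra mail header lines.
// Assumes a plain text <input name="from"> posted to a feedback script and
// PHP's built-in mail(); all function names here are hypothetical.

/**
 * True only if $value can sit on a single mail header line:
 * no CR, LF or NUL anywhere. A single-line text input can never
 * legitimately contain these, so their presence means the request
 * was not produced by the form.
 */
function is_single_line_header_value(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Check every header-bound field. Returns the names of the fields that
 * failed (empty array when all are clean). Nothing is rewritten: the
 * caller refuses the submission instead of guessing at a "fixed" value.
 */
function header_injection_attempts(array $fields): array
{
    $bad = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value) || !is_single_line_header_value($value)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

/**
 * Feedback handler: validate first, bail out before mail() is reached.
 * $post stands in for $_POST so the function can be exercised offline.
 */
function handle_feedback(array $post, string $recipient): bool
{
    $headerFields = [
        'from'    => $post['from']    ?? '',
        'subject' => $post['subject'] ?? '',
    ];

    if (header_injection_attempts($headerFields) !== []) {
        // Log for the operator; tell the submitter nothing useful.
        error_log('feedback form: rejected submission with CR/LF in a header field');
        return false;
    }

    // A multi-line check alone does not prove "from" is one address;
    // require valid e-mail syntax too before it goes into a From: header.
    if (filter_var($headerFields['from'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $headers = 'From: ' . $headerFields['from'] . "\r\n";
    $body    = (string) ($post['body'] ?? '');
    return mail($recipient, $headerFields['subject'], $body, $headers);
}

// Constructed sample submissions for an offline check of the validator alone.
$clean  = ['from' => 'alice@example.com', 'subject' => 'Hello'];
$forged = ['from' => "alice@example.com\r\nX-Injected: yes", 'subject' => 'Hello'];

var_dump(header_injection_attempts($clean));   // no field names reported
var_dump(header_injection_attempts($forged));  // "from" is reported
```

The design choice matches the thread: once a CR or LF shows up in a field the form could never have produced, the submission is discarded as a whole rather than repaired, so nothing reaches the mailer and nothing lands in the operator's inbox to be deleted by hand.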