[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
inforequest
1j0lkq002 at sneakemail.com
Tue Sep 13 23:47:49 EDT 2005
Marc Antony Vose suzerain-at-suzerain.com |nyphp dev/internal group use| wrote:
>At 10:43 AM -0400 9/13/05, csnyder wrote:
>
>>I'm curious as to why we wouldn't just bail out and refuse to send the
>>email at all if someone posted input with CR or LF in it?
>>
>>Seems to me that if you have a form with <input type="text"
>>name="from" /> and you get a multiline $_POST['from'], then somebody
>>is trying to get away with something.
>
>At first this was freaking me out, too, but I just wanted to chime in
>and say this is my preferred solution to this problem as well.
>
>I think if you receive any input that looks fishy (by whatever test
>you choose...multiline 'from' lines seem like a good place to start),
>you should just not send the email, and show your users "Sorry, try
>again" or something.
>
>Cheers,
>
Thanks for the enlightening discussion.
While I agree completely with pro-active judging of input data, there
are cases where users cut-n-paste data into form fields (from Word, for
example) and inadvertently transfer all sorts of garbage (including
CR/LF stuff).
-=john andrews
http://www.seo-fun.com
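The distinction raised in this thread, as an added example that is not code from any of the posters: header fields such as the From address are refused outright when they contain CR/LF (the "Sorry, try again" approach), while the free-text body, where pasted Word text legitimately carries line breaks, is only normalised. The recipient address and form field names are assumptions.

```php
<?php
// Added example, not from the thread. Header fields are single-line by
// definition, so a CR/LF in them means the submission cannot be used safely;
// body text may contain line breaks, so it is normalised rather than rejected.

/**
 * Validate a value destined for a single mail header line (From:, Subject:).
 * Returns the trimmed value, or null when it must not be placed in a header.
 */
function header_field(string $value, int $maxLen = 254): ?string
{
    // CR, LF or NUL would terminate the header line or the header block.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

/** Validate a From address: one plain address, no display name, no line breaks. */
function from_address(string $value): ?string
{
    $value = header_field($value);
    if ($value === null) {
        return null;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
}

/** Normalise body text: drop NULs, convert CRLF and bare CR to LF, keep the breaks. */
function body_field(string $value): string
{
    $value = str_replace("\0", '', $value);
    return preg_replace('/\r\n?/', "\n", $value);
}

// Constructed form submission: a multi-line "from" value and a body pasted from Word.
$post = [
    'from'    => "alice@example.com\r\nX-Injected: yes",
    'subject' => 'Site feedback',
    'message' => "Pasted from Word:\r\nline one\rline two\r\n",
];
$to = 'feedback@example.com';   // assumed site address; the page names none

$from    = from_address($post['from']);
$subject = header_field($post['subject']);
$body    = body_field($post['message']);

if ($from === null || $subject === null) {
    echo "Sorry, try again.\n";  // refuse to send rather than repair a header field
} else {
    mail($to, $subject, $body, "From: $from\r\n");
}
```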