[nzlug] FormMail Help Needed
Martin D Kealey
martin at kurahaupo.gen.nz
Fri Jan 26 21:09:36 NZDT 2007
On Fri, 26 Jan 2007, Michael Dittmer wrote:
> I have a FormMail script on a website (running on a linux box in a shared
> hosting environment) that when you press the submit button it emails the
> address in the script.

Aaaaargh noooooooooooooooooooooooooooooooo.................

Congratulations. You've just built a spam-bot.

Let me see if I can put this clearly: NEVER trust the browser.

Anything you put "in the form", a spammer can subvert, and your script
can't tell the difference.

Even if you think you're checking thoroughly you might have missed
something, so the only way to be SURE is not to have the script look for
any recipient addresses within any data sent by the "web browser"; this
includes the URL, the query-string, the posted data, or the cookies.

Put the recipient address in a config file; if you need more than one,
put a KEY in the form, and look that up in the config file.
-Martin
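
The key-lookup approach described in the message above, as an added example that is not part of the original post and is not FormMail's own code. Python is used for illustration; the form field name `dept`, the `RECIPIENTS` table and all addresses are constructed assumptions.

```python
from email.message import EmailMessage

# Server-side config (constructed sample values). This is the only place
# recipient addresses exist; the HTML form carries a key such as "sales".
RECIPIENTS = {
    "sales": "sales@example.org",
    "support": "support@example.org",
}
DEFAULT_KEY = "support"
SENDER = "webform@example.org"


class UnknownRecipientKey(ValueError):
    """The submitted key does not match any entry in the server-side config."""


def build_message(form, recipients=RECIPIENTS):
    """Build the outgoing mail from submitted form fields (dict of str -> str)."""
    key = form.get("dept", DEFAULT_KEY)
    # Exact-match lookup. A value that is not a configured key is refused;
    # it is never interpreted as an address.
    if key not in recipients:
        raise UnknownRecipientKey(key)

    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipients[key]
    # The subject uses only the validated key, not browser-supplied text.
    msg["Subject"] = f"Web form submission ({key})"
    # Everything the browser sent, including any "recipient" or "to" field,
    # goes into the body as plain text and nowhere else.
    lines = [f"{name}: {value}" for name, value in sorted(form.items())]
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    # Constructed submission: a legitimate key plus an injected address field.
    submitted = {
        "dept": "sales",
        "recipient": "someone-else@example.net",
        "message": "Please send a quote.",
    }
    print(build_message(submitted))
```

Handing the resulting message to the local mail system (for example with `smtplib`) is left out; the point is that no address in the envelope or headers originates from the request.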