<0> preg_match("/[ a-zA-Z0-9_.@]/", $string, $matches);
<1> someone is using my contact form to mailbomb my own server with failed message sends. the field in question is limited to 40 chars, but they're able to put through strings that are much larger. is this possible? the method is POST
<2> qwerwe, of course look up stripos
<2> qwerwe, I'm sorry that's not the right function
<3> qwerwe: www.php.net/substr
<0> lunch is calling
<1> i don't understand. what's the substr link for?
<2> http://au3.php.net/manual/en/function.strlen.php
<1> i'm asking if it's possible to hack an input field to go beyond the set limit
<2> deadroot, ?
<4> qwerwe, you can chop the string down to the max 40 chars
<3> surfdue: what is it?
<1> ok, so you're saying it is possible to hack the input field even if a maxlength is set?
<2> qwerwe, that's not what you asked, and that we can't help you with.
<4> yes it is qwerwe, just post the vars directly to the target script
<1> ang; but that would be a GET, not POST, no?
<2> qwerwe, you're confusing :P
<4> qwerwe, you can build a post and fire it off
<1> surf; pardon
<1> i see
<3> qwerwe: you're trusting the browser to conform to your HTML
<4> using curl, or any number of web clients
<3> qwerwe: which is misplaced trust, because the user can always override
<1> well, i'm doing a if(strlen($email) > 40) {header("Location:index.php");} but they're still somehow going through
<4> surfdue, qwerwe didn't realise that the form restrictions can be gotten around so easily...
<4> qwerwe, some other ideas to help with bombing and spamming:
<3> qwerwe: perhaps there is a logic error in your code. can't really tell without seeing it or having more information
<2> yes, especially when not using IE :P
<4> Use a session to check that the client had been to the form first (set session on form page, check for it on script page...)
<4> ah
<5> can someone look at this? I'm taking russian output from babelfish, grabbing it with curl, then echoing to the screen and the output is all messed up..... http://pastebin.com/712196
<4> qwerwe, also, if someone sends through the right details, they can misform the message headers to add content to the email
<2> qwerwe, simply do a if(strlen($postvar) <= "40") { die("mail hacking attempt"); }
<1> ang; what if i just do a proper email validation check on the email field? this is where they're dumping the content headers. ie: if (!preg_match("^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$",$_POST['email'])) {header("Location:index.php");}
<4> eg: in email, the headers are separated from the body by a newline char
<2> :|
<2> now you try to confuse me more :P
<4> If you put a newline char in a header value, that will drop the email from headers to content, then all you do is fill the rest of the header value with the content you want
<1> surdue: you mean >= ?
<2> smart :)
<1> ang; right, so won't my above preg_match check for that?
<2> qwerwe, do you understand what that preg_match does?
<4> qwerwe, you have to remember that email sending isn't some high tech art, and that it is very easy to exploit a simple mailing script. I would suggest looking at a formmail package to get around that
<2> qwerwe, seems like it is directly from php.net. please understand what things do before using them :)
<1> surfdue; it's not from php.net. it's just an email validator, is it not?
<2> qwerwe, not sure if you do, but if you have cpanel and fantastico, it has a very nice form mail script :)
<4> qwerwe, the problem probably isn't in the email post var, it is probably in the headers, eg: from address, name etc....
<4> It's the lunching hour.... bbs
<1> no, it's definitely in the email field. i've logged all the fields they're putting through
<1> ie: point
<1> Content-Transfer-Encoding: base64
<1> saw: ca228aecbf0781f502c6f11424dcfd98
<1> Content-Type: text/plain
<1> oops, sorry!
<2> qwerwe, you can make your mail script email an ip, once you get his ip in the failed messages, simply report him, or block him if $_SERVER["REMOTE_ADDR"] == "ip" die :)
<1> surfdue; that's no good, cuz that's still bogging down my server.
<2> qwerwe, explain the problem again, I'm not sure what you mean by email field
<5> surfdue did you get a chance to look at my code? I tried to post the output but it doesn't post well
<1> i have 3 fields on my contact form: to whom (a dropdown), your email (40 char max) and the post itself and a button. they're stuffing the email field with content headers
<2> Smaxor, no I didn't, do you still have it?
<1> stuffing it with bcc's, which invariably bounce and cause strain on my sendmail, etc etc
<5> can someone look at this? I'm taking russian output from babelfish, grabbing it with curl, then echoing to the screen and the output is all messed up..... http://pastebin.com/712196
<2> qwerwe, ok, OH ok, so simply do a check on the email field with what how do headers work "" ? do an addslashes ?
<5> I can't post the output, it doesn't post to pastebin right
<1> surf; i didn't understand the last part of your suggestion
<2> qwerwe, or before do a check to verify the email such as if the string contains a @ and a .
<2> Smaxor, does english work or no?
<6> $headers = explode("\n", $input); $from = $headers[0];
<5> yes
<1> bugger, this SHOULD work, no? if (!preg_match("^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z0-9][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$",$_POST['email'])) {header("Location:index.php");}
<2> Smaxor, that url gives Error decoding translated text.
<2> We're sorry we've encountered an error with your request.
<7> Anyone know of an article that discusses implementing tags?
<2> Smaxor, seems to me that's not a valid babelfish url :) use google :P
<6> rixth: You mean a folksonomy?
<7> TML as in YouTube tags.
<6> rixth: I don't know what YouTube is. Do you mean as in del.icio.us?
<5> http://babelfish.altavista.digital.com/babelfish/trurl_pagecontent?lp=en_el&url=http%3A%2F%2Fwww.posweb.info/keyword1.html seems to work for me fine
<2> rixth, you mean like forum tags [IMG] and such?
<5> I get a bunch of russian on the screen
<2> Smaxor, well not for me, so I understand why your php script wouldn't :P
<7> TML, wow, that's surprising, YouTube is massive. But yes, like those ridiculous 'social' sites.
<2> Smaxor, use this http://babelfish.altavista.digital.com/babelfish/trurl_pagecontent?lp=en_el&url=http://www.posweb.info/keyword1.html :)
<6> rixth: If it doesn't work in a text mode browser, I probably don't know what it is, as a general rule.
<6> rixth: one moment, I have a link
<2> rixth, how would #php know, contact YouTube :|
<6> surfdue: ...
<2> Smaxor, the problem I have is I'm using firefox, i suppose php may be getting the same problem ?
<6> rixth: ora.com/catalog/tagclouds/
<2> Smaxor, surely you understand what I mean
<5> I am too
<2> TML, he means specific youtube tags correct?
<6> surfdue: No, we're discussing a concept.
<5> works fine in ff on windows
<6> It's called a folksonomy.
<2> TML, you mean he is making a system and wants to implement his own?
<6> rixth: Not free, but it was very well written.
<2> got ya ;)
<8> how would i get the last 2 lines of a ping result, put the output into an array? and print the last two elements?
<2> i would just copy them from youtube :P
<7> TML, thanks for the link to that book
<7> surfdue, you can't copy the php code...
<6> surfdue: You're not getting the concept
<2> typewriter, i suppose you could run it from the php as long as you have allow php to run scripts in php.ini enabled and cut it?
<8> what do you mean by cut it
<6> surfdue: It's a way of allowing members of a community to classify and codify content.
<2> typewriter, I'm sorry I don't know the best function that you should use
<6> surfdue: Check out en.wikipedia.org/wiki/Folksonomy
<9> http://pastebin.com/710388 I'm getting an error on line 117 it says "Parse error: parse error, unexpected $ in /home/content/b/a/r/barbhaynes/html/categories/classifieds/contact.php on line 117
<10> tdd1984: why are you using variables you never set?
<10> that code is so confusing it's not even funny
<6> tdd1984: You've got a missing " on your mysql_connect() line, for starters.
<9> well i know that
<10> why the heck are you doing $chalk = @$_GET['userid'];
<10> isn't @ for ignoring errors?
<9> no
<9> to get the userid from the url
<6> Uhh....yes, it is.
<11> try isset
<6> !+@
<12> [@] The PHP error control operator that suppresses errors (@foo()), see: http://php.net/operators.errorcontrol - Don't use it. Think I'm wrong? Ask me about "GO".
<9> k
<6> tdd1984: $chalk = $_GET['userid'];
<6> You don't need that @
<9> k
<9> hold on
<9> well it's always had the @ sign
<9> i put that there
<9> can't remember why
<6> tdd1984: You've got a missing " on your mysql_connect() line, for starters.
<9> not worried about that though
<9> tml i know
<9> i just backspaced the username out
<9> and pass to do a post
<9> Right now I'm worried why I'm getting a parse error on line 117 from $
<6> tdd1984: When I fix the missing ", I get no parse errors in that code.
<10> tdd1984: you're missing quotes and using an unset variable on line 32
<9> hold on
<9> there's nothing on line 32
<10> ....
<9> TML: what line?
<10> oh sorry
<10> line 72.
<10> you do $row_images= mysql_fetch_assoc($images);
<10> twice.
<6> tdd1984: The one that has mysql_connect() on it
<10> before the while, and in it
<6> Gimp_: That's because of how do/while() works
<9> ("mysql117.secureserver.net",dfd") are you talking about that
<10> TML: oh wait, sorry, you're right.
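The contact-form exchange at the top of this log (qwerwe, surfdue and ang) is a textbook case of e-mail header injection. A maxlength on the form is advisory only: anyone can POST the fields directly with curl. A CR or LF inside the "your email" value ends that header line, so whatever follows it (Bcc:, Content-Type:, ...) is sent as further headers, which is exactly how the bounced Bcc storm described above is produced, and the payload easily fits in 40 characters. Two PHP facts also explain why the check as posted let messages through: the pattern given to preg_match() has no closing delimiter, so the call returns false with a warning instead of matching, and header("Location: ...") does not stop the script, so a mail() call later in the file still runs unless the redirect is followed by exit. The block below is an added example written for this page; it is not code from the log or from any participant in it. It assumes a PHP 7.1+ handler receiving $_POST['to'], $_POST['email'] and $_POST['body']; the field names, the recipient table and the example.com addresses are made up for illustration.

```php
<?php
// Added example for this page (not code from the #php log): server-side
// validation for a contact form whose sender field is used in a mail header.
// Assumed field names: to, email, body. Addresses below are illustrative.
declare(strict_types=1);

const MAX_EMAIL_LEN = 40;

// Recipients are chosen server-side by key; the client never supplies an
// address, so it cannot supply a Bcc either.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

/**
 * True when $value can be placed on one mail header line: within the length
 * the form promises and free of CR, LF and NUL, the characters that let an
 * attacker terminate the line and append Bcc:, Content-Type: and so on.
 */
function header_value_is_clean(string $value, int $maxLen): bool
{
    if (strlen($value) > $maxLen) {
        return false;
    }
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Returns the validated sender address, or null if it must be rejected.
 * filter_var() already refuses control characters; the explicit header
 * check keeps the intent visible and enforces the 40-character limit.
 */
function validate_sender(string $email): ?string
{
    $email = trim($email);
    if (!header_value_is_clean($email, MAX_EMAIL_LEN)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Handles one submission. Returns 'sent' or 'rejected' so the outcome can be
 * logged; the redirect on rejection is followed by exit because header()
 * alone does not stop execution and mail() would otherwise still run.
 */
function handle_contact_form(array $post): string
{
    $to   = RECIPIENTS[(string)($post['to'] ?? '')] ?? null;
    $from = validate_sender((string)($post['email'] ?? ''));
    $body = (string)($post['body'] ?? '');

    if ($to === null || $from === null) {
        header('Location: index.php');
        exit;
    }

    // The visitor's address goes only in Reply-To; From stays a fixed local
    // address so the bounce path is always ours.
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: " . $from . "\r\n";

    return mail($to, 'Contact form message', $body, $headers) ? 'sent' : 'rejected';
}

// Constructed attacker input of the kind seen in the log: a valid-looking
// address, a line break, then an injected Bcc header. It is 19 bytes long,
// so a pure strlen() <= 40 check would let it through; the CR/LF check is
// what rejects it. The plain address is accepted.
$injected = "a@b.cc\r\nBcc: c@d.ee";
var_dump(validate_sender($injected));
var_dump(validate_sender('alice@example.org'));
```

The same header_value_is_clean() check belongs on every other field that ends up in a header (a name field used in From:, a subject line); the message body needs no such check because it sits below the blank line that separates headers from content.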