[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION
Marc Antony Vose
suzerain at suzerain.com
Tue Sep 13 15:23:20 EDT 2005
At 10:43 AM -0400 9/13/05, csnyder wrote:
>
>I'm curious as to why we wouldn't just bail out and refuse to send the
>email at all if someone posted input with CR or LF in it?
>
>Seems to me that if you have a form with <input type="text"
>name="from" /> and you get a multiline $_POST['from'], then somebody
>is trying to get away with something.
>
At first this was freaking me out, too, but I just wanted to chime in
and say this is my preferred solution to this problem as well.
I think if you receive any input that looks fishy (by whatever test
you choose...multiline 'from' lines seem like a good place to start),
you should just not send the email, and show your users "Sorry, try
again" or something.
Cheers,
--
Marc Antony Vose
http://www.suzerain.com/
Poetry atrophies when it gets too far from music.
-- Ezra Pound
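The refusal the reply recommends, as an added PHP example that is not code from the thread: a check that declines to send when any header-bound field contains a line break. The function names and form field names are my own assumptions; $mailer stands in for whatever actually sends the message.

```php
<?php
// Added example, not code from the original thread. Header-bound form
// fields are rejected outright if they contain CR, LF or NUL, as the
// reply above recommends, instead of trying to sanitise them.

// True if $value can sit on one mail header line. A plain single-line
// <input type="text"> never yields \r, \n or \0, so any of them means the
// submission was crafted rather than typed.
function isSingleLineHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Names of the header-bound fields that fail the check (empty array = OK).
function findMultilineHeaderFields(array $fields): array
{
    $bad = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value) || !isSingleLineHeaderValue($value)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Send only when every header-bound field is clean; otherwise return false
// so the caller can show "Sorry, try again". $mailer is passed in (mail(),
// PHPMailer, a stub) so the check can be exercised without sending anything.
function sendFeedback(array $post, string $to, callable $mailer): bool
{
    $headers = [
        'from'    => $post['from']    ?? '',
        'subject' => $post['subject'] ?? '',
    ];
    if (findMultilineHeaderFields($headers) !== []) {
        return false;
    }
    $body = (string)($post['message'] ?? '');
    return (bool)$mailer($to, $headers['subject'], $body, 'From: ' . $headers['from']);
}

// Constructed sample submissions: one typed normally, one whose "from"
// value spans two lines, which a single-line text input cannot produce.
$stub    = function (string $to, string $subj, string $body, string $hdrs): bool { return true; };
$typed   = ['from' => 'alice@example.com', 'subject' => 'Feedback', 'message' => 'Nice site'];
$crafted = ['from' => "alice@example.com\r\nsecond line", 'subject' => 'Feedback', 'message' => 'x'];

var_dump(sendFeedback($typed, 'site@example.com', $stub));
var_dump(sendFeedback($crafted, 'site@example.com', $stub));
```

The stub mailer only reports success; swap in the real sender once the check is in place, and log the rejected field names server-side so repeated attempts show up in monitoring.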