Old 08-20-2007, 07:49 PM   #1
fwr1000
 
Join Date: Mar 2006
Location: Manistee, Michigan
Posts: 160
E-Mail Forms and Preventing Spam

I think I have read here in the past that Ramandeep's tutorial and scripts will not prevent "injection attacks" to distribute spam. However, since it's a PHP form, is it correct that a spam bot will not identify the "send to" email address (i.e. the address the form will be sent to as a result of clicking the Submit button), as it's in the PHP file?

Thanks
Fred
Old 08-20-2007, 08:19 PM   #2
domedia
Administrator
 
Join Date: Dec 2003
Posts: 9,730

That has never been an issue, and you are perfectly right.

"Injection attacks" is not about the security of your personal email, but basically means that the spammer uses your server to perform SQL/script tasks.

http://en.wikipedia.org/wiki/Code_injection
Old 08-20-2007, 11:57 PM   #3
fwr1000
 
Join Date: Mar 2006
Location: Manistee, Michigan
Posts: 160

Thanks Dom. I believe I now understand about the injection attacks. As my site doesn't use any type of DB, the form should not cause any issues.

Fred
Old 08-21-2007, 01:41 PM   #4
domedia
Administrator
 
Join Date: Dec 2003
Posts: 9,730

Fred, it's not isolated to using a DB. Is your form using PHP to generate an email? I'm not a programmer so I can't give specifics I'm afraid. Anyone else?
Old 08-21-2007, 01:53 PM   #5
fwr1000
 
Join Date: Mar 2006
Location: Manistee, Michigan
Posts: 160

Yes, it's using PHP to generate the email. I'm using Ramandeep's tutorial and scripts from here on the DW Club tutorials.

Fred
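An added example from the editor, not code from the thread or from Ramandeep's tutorial, of the kind of "injection" that applies to a form whose PHP handler generates an e-mail: a bot puts a line break and an extra header into a single-line field so the handler's header block grows a Bcc: line, and the site's server then sends the spam. Python stands in for the PHP handler; the two form submissions are constructed sample data, and the address pattern is a deliberately simple assumption rather than a full RFC 5322 parser.

```python
import re

# Constructed sample input: what a normal visitor types into a contact form.
BENIGN_FORM = {"name": "Fred", "email": "fred@example.com", "message": "Hello"}

# Constructed sample input: a spam bot stuffs a line break plus an extra header
# into the single-line "email" field, so the mail handler writes a Bcc: line.
MALICIOUS_FORM = {
    "name": "Fred",
    "email": "fred@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    "message": "Hello",
}

# Deliberately conservative address pattern (an assumption of this example,
# not a full RFC 5322 parser).
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_headers_naive(to_addr, form):
    """Vulnerable handler: the visitor's address is pasted straight into the
    header block, the same shape as an unchecked PHP mail() 'From:' header."""
    return "To: %s\r\nFrom: %s\r\nSubject: Contact form from %s\r\n" % (
        to_addr, form["email"], form["name"])


def recipient_addresses(raw_headers):
    """Every address on a To:, Cc: or Bcc: line, i.e. who the MTA delivers to."""
    found = []
    for line in raw_headers.split("\r\n"):
        if re.match(r"(?i)(to|cc|bcc):", line):
            found.extend(re.findall(r"[\w.+-]+@[\w.-]+", line))
    return found


def validate_form(form):
    """Reject a line break in any single-line field and any malformed address.
    Returns the form unchanged when it is clean, raises ValueError otherwise."""
    for field in ("name", "email"):
        if "\r" in form[field] or "\n" in form[field]:
            raise ValueError("%s: line break in a single-line field" % field)
    if not ADDRESS.fullmatch(form["email"]):
        raise ValueError("email: not a single well-formed address")
    return form


def is_rejected(form):
    """True when validate_form refuses the submission."""
    try:
        validate_form(form)
    except ValueError:
        return True
    return False


def build_headers_safe(to_addr, form):
    """Hardened handler: validate first, keep From: fixed to a site address and
    put the visitor's address only in Reply-To:, so no visitor data decides
    who receives the mail."""
    form = validate_form(form)
    return "To: %s\r\nFrom: %s\r\nReply-To: %s\r\nSubject: Contact form\r\n" % (
        to_addr, to_addr, form["email"])


if __name__ == "__main__":
    print(recipient_addresses(build_headers_naive("owner@example.com", MALICIOUS_FORM)))
    try:
        build_headers_safe("owner@example.com", MALICIOUS_FORM)
    except ValueError as err:
        print("rejected:", err)
```

The naive handler turns one visitor message into mail for three addresses; the hardened one refuses the submission before anything is built. The check that matters is the CR/LF test on every field that ends up in a header line: an address regex alone is not enough if it is applied to a field that is allowed to be multi-line.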
Old 08-23-2007, 09:16 AM   #6
davidj
 
Join Date: Sep 2005
Location: The Toon (newcastle upon Tyne)
Posts: 8,256

An injection attack arises when someone manipulates a hole in your SQL. SQL-based attacks are used to gather info from a table or to bring down your DB. The latter is easier.

When you write SQL the syntax is as follows...

Code:
SELECT * FROM TABLE WHERE USER_ID='$VAR'

$VAR is the contents of a form field.

In the form field you could write this:

Code:
'; drop table user .........'

As you can see, I start the form entry with a single quote, then terminate the command with a semicolon. I then inject my own code, which in this case is to drop a table, rendering your DB useless.

The SQL would look like this when I submit the form:

Code:
SELECT * FROM TABLE WHERE USER_ID=''; DROP TABLE USER

As you can see, my first single quote completes the USER_ID query, which would return nowt, which is OK because I'm not bothered what comes back. All I am interested in is to pass a command to the SQL engine which it executes.

This is what is classed as an injection attack.
__________________
Would you like to learn PHP from me? Check out -> www.codezenith.co.uk
Old 08-29-2007, 10:59 AM   #7
edbr
 
Join Date: Aug 2005
Location: Bali
Posts: 11,176

What is the best defence against this?
Old 08-29-2007, 11:02 AM   #8
davidj
 
Join Date: Sep 2005
Location: The Toon (newcastle upon Tyne)
Posts: 8,256

Good data validation.

Check all input and strip anything that could be suspicious.

Also make sure the connection account can't drop tables, which you can configure from your DB access rights.
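An added example from the editor, not code from the thread, that runs davidj's `'; drop table ...'` attack from post #6 against a real database and then applies both defences from post #8: a bound parameter instead of pasting the form field into the SQL text, and a connection that is not allowed to drop tables. Python's sqlite3 stands in for a PHP/MySQL setup; the table, rows and attacker input are constructed for the example, and because SQLite has no GRANT, an authorizer callback plays the part of a restricted database account.

```python
import sqlite3

# Constructed attacker input for a form field that ends up in
# "... WHERE USER_ID='$VAR'": close the quote, end the statement, inject a
# DROP, then open a harmless SELECT so the template's trailing quote still parses.
PAYLOAD = "'; DROP TABLE user; SELECT '"


def make_db():
    """Fresh in-memory database with the table the attacker wants to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE user (user_id TEXT PRIMARY KEY, name TEXT);"
        "INSERT INTO user VALUES ('fred', 'Fred'), ('dom', 'Dom');"
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def lookup_naive(conn, user_id):
    """Vulnerable: the form field is pasted into the SQL text. executescript()
    stands in for a driver that runs every statement it is handed (sqlite3's
    execute() refuses stacked statements; many PHP/MySQL setups do not)."""
    sql = "SELECT * FROM user WHERE user_id='%s'" % user_id
    conn.executescript(sql)
    return sql


def lookup_safe(conn, user_id):
    """Hardened: a bound parameter is data, never SQL, whatever it contains."""
    return conn.execute(
        "SELECT user_id, name FROM user WHERE user_id=?", (user_id,)
    ).fetchall()


def restrict_to_reads(conn):
    """Least privilege: SQLite has no GRANT, so an authorizer plays the role of
    a read-only database account that cannot DROP, CREATE, DELETE, INSERT or UPDATE."""
    denied = {
        sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
        sqlite3.SQLITE_DELETE, sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
    }

    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def drop_denied(conn, user_id):
    """True when the injected DROP is refused by the database, not by the code."""
    try:
        lookup_naive(conn, user_id)
    except sqlite3.Error:
        return True
    return False


def run_demo():
    """Run the attack and both defences on fresh databases; returns what happened."""
    results = {}
    conn = make_db()
    results["safe_benign"] = lookup_safe(conn, "fred")
    results["safe_payload"] = lookup_safe(conn, PAYLOAD)
    results["naive_sql"] = lookup_naive(conn, PAYLOAD)
    results["table_after_naive"] = table_exists(conn, "user")
    conn = restrict_to_reads(make_db())
    results["drop_denied"] = drop_denied(conn, PAYLOAD)
    results["table_after_denied"] = table_exists(conn, "user")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

With the bound parameter the payload is simply a user_id nobody has, so the query returns no rows and the table survives. The restricted connection is the second, independent layer: the vulnerable code is still there, but the DROP fails with "not authorized" before it runs. Stripping "suspicious" characters, as post #8 suggests, is the weakest of the three because the list of what to strip is never complete; parameterised queries remove the problem rather than filtering it.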
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Copyright 2006 DreamweaverClub.com