Comments on: Using a Feedback Form for Spam http://alexander.kirk.at/2005/11/11/using-a-feedback-form-for-spam/ Tue, 23 Feb 2010 01:32:11 +0000 hourly 1 http://wordpress.org/?v=3.0 By: eric http://alexander.kirk.at/2005/11/11/using-a-feedback-form-for-spam/comment-page-1/#comment-99 eric Fri, 13 Jan 2006 06:16:17 +0000 http://alexander.kirk.at/?p=42#comment-99 While validating data is important I found it far easier to simply dump comments from people contacting me into a table... then created a password protected page where I just use the mail function to send a reply. Validating is better but I didn't really see the point when I get maybe a handful of messages via my website a month. While validating data is important I found it far easier to simply dump comments from people contacting me into a table... then created a password protected page where I just use the mail function to send a reply. Validating is better but I didn't really see the point when I get maybe a handful of messages via my website a month.

]]> By: Jared http://alexander.kirk.at/2005/11/11/using-a-feedback-form-for-spam/comment-page-1/#comment-73 Jared Mon, 28 Nov 2005 16:04:05 +0000 http://alexander.kirk.at/?p=42#comment-73 Aparently it removed my example, unfortunatlly there is no "preview" function to this comment system, well here goes a second attempt. <?php include('header.inc.php'); include($_GET['page']); include('footer.inc.php'); ?> Aparently it removed my example, unfortunatlly there is no "preview" function to this comment system, well here goes a second attempt.

<?php
include('header.inc.php');
include($_GET['page']);
include('footer.inc.php');
?>

]]> By: Jared http://alexander.kirk.at/2005/11/11/using-a-feedback-form-for-spam/comment-page-1/#comment-72 Jared Mon, 28 Nov 2005 15:59:38 +0000 http://alexander.kirk.at/?p=42#comment-72 This is a n00b mistake. PHPs best strength and worst weakness is its simplicity. Anyone off the street can be up and running in a day doing simple DB stuff and web apps. Thing is PHP doesn't stress validation nearly enough. The first rule of programming is to VALIDATE EVERYTHING, and I'm glad you bolded it. Anything that is coming from an untrusted source, ie users, ie remote files, etc. In nearly 99% of the cases a simple validation class or function such as an is_email() would have stopped the attempt dead in its tracks. In addition to this example I regularly find this in many n00b attempts at templating systems. http://www.url.com/script.php?page=home.php As you can see, this is amazingly simple to exploit. You can now basically view any file that the script can access. Password files, db connection files, etc. Not to mention the potential for some nasty cross site scripting. The sad thing about all of this is sever administrators spend tons of time protecting their servers from bad code when they could be doing something more productive. This ultimately results in a crippled PHP config so that the users are protected from themselves. In conclusion, I 110% agree with you, NEVER TRUST ANY DATA FROM ANY SOURCE ANYWHERE ANYTIME. This is a n00b mistake. PHPs best strength and worst weakness is its simplicity. Anyone off the street can be up and running in a day doing simple DB stuff and web apps. Thing is PHP doesn't stress validation nearly enough.

The first rule of programming is to VALIDATE EVERYTHING, and I'm glad you bolded it. Anything that is coming from an untrusted source, ie users, ie remote files, etc. In nearly 99% of the cases a simple validation class or function such as an is_email() would have stopped the attempt dead in its tracks.

In addition to this example I regularly find this in many n00b attempts at templating systems.

http://www.url.com/script.php?page=home.php

As you can see, this is amazingly simple to exploit. You can now basically view any file that the script can access. Password files, db connection files, etc. Not to mention the potential for some nasty cross site scripting.

The sad thing about all of this is sever administrators spend tons of time protecting their servers from bad code when they could be doing something more productive. This ultimately results in a crippled PHP config so that the users are protected from themselves.

In conclusion, I 110% agree with you, NEVER TRUST ANY DATA FROM ANY SOURCE ANYWHERE ANYTIME.

]]>