Problem with form mailing script

Checking the referrer blocks certain users

louponne

8:55 am on Mar 18, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



On my php form-mailing script, I use a simple check to be sure that the form is not being hijacked by a pirate or spammer:

<?php
// Referrer check as posted: refuse the request unless the Referer header
// matches this script's own URL.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$this_url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
if ($referer != $this_url) {
    echo "You do not have permission to use this script from another URL.";
}
else {
    // code that sends the message, e.g. mail($to, $subject, $body);
}

I'm getting complaints that this form won't work for anyone who has installed Norton Firewall or similar products, that hide the referrer.

Is there a workaround here?
Or another way to restrict use of the form script?

jatar_k

10:29 pm on Mar 21, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Is the form set up in such a way that you can send email to any email address?

Otherwise I don't really worry about protecting that way and I just embed the email address into the sending script. That way, even if they spam submit it, it only goes to me. ;)

louponne

10:50 pm on Mar 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is the form set up in such a way that you can send email to any email address?

nope - destination address is in the scripting.

Otherwise I don't really worry about protecting that way and I just embed the email address into the sending script. That way, even if they spam submit it, it only goes to me.

Problem is, this is on a client's site, and I'd prefer they not get nailed with that.

hm, but maybe I'm overdoing the security here?

[edited by: jatar_k at 11:19 pm (utc) on Mar. 21, 2005]
[edit reason] fixed quote tag [/edit]

jatar_k

11:53 pm on Mar 21, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Well, if the email address is in the script and you are testing your vars and not just looping through everything in the $_POST array, then you are doing fine.

The referer test will always fail for some people that really want to contact you, so that is a bad way to go. Though you may get a little spam, it is preferable to a customer not being able to use your site.

louponne

10:02 am on Mar 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for correcting my post above - I looked several times and couldn't figure out why it looked so bizarre!

Well, if the email address is in the script and you are testing your vars and not just looping through everything in the $_POST array, then you are doing fine.

hm, yes, I am indeed just looping through my $_POST array - ahem - I guess from your question that is BAD?

jatar_k

5:24 pm on Mar 22, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



The problem being that then anyone can post vars that are not supposed to exist and they can end up inside of your logic.

If you only use the vars that are explicitly in your form then they, at least, are confined to not being able to slip something by. If those vars are also tested for types and accepted values you are pretty much there.
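
The approach jatar_k describes, written out as an added example (this is not louponne's script or anything from the thread): the handler reads only the fields the form defines, checks each one for type and accepted values, and keeps the destination address in the script. The field names and $to_address are assumptions for illustration.

```php
<?php
// Added example: allow-list of form fields instead of a loop over $_POST.
// Field names and $to_address below are assumed, not taken from the thread.

$to_address = 'owner@example.com';   // destination lives in the script, not in the form

// Each expected field is paired with a check for its acceptable values.
$fields = array(
    'name'    => function ($v) { return preg_match('/^[\p{L} .\'-]{1,80}$/u', $v) === 1; },
    'email'   => function ($v) { return filter_var($v, FILTER_VALIDATE_EMAIL) !== false; },
    // subject must be a single line of at most 120 characters
    'subject' => function ($v) { return strlen($v) <= 120 && strpbrk($v, "\r\n") === false; },
    'message' => function ($v) { return strlen($v) <= 4000; },
);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST', true, 405);
    exit('This script only accepts form submissions.');
}

$clean  = array();
$errors = array();
foreach ($fields as $name => $is_valid) {
    // Anything posted under a name that is not in $fields is never read at all.
    $value = isset($_POST[$name]) ? trim((string) $_POST[$name]) : '';
    if ($value === '' || !$is_valid($value)) {
        $errors[] = $name;
    } else {
        $clean[$name] = $value;
    }
}

if ($errors) {
    echo 'Please check these fields: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8');
} else {
    // Only validated values reach the mail call; the sender's address goes in the body.
    $body = "From: {$clean['name']} <{$clean['email']}>\n\n{$clean['message']}";
    mail($to_address, $clean['subject'], $body, 'From: ' . $to_address);
    echo 'Thanks, your message has been sent.';
}
```
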

louponne

6:15 pm on Mar 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



ok, cool - many thanks for your help as always, jatar_k! :)