Webmaster forum > April 2006 > Form selector

Form selector
Paul Watt

2006-04-28, 7:03 am

Hi Guys,
I'm building an email form in an XHTML Strict page. I want to have a drop down
selector box with 3 options in it (x,y,z for example). If x is selected I
want x to be in the subject line of the email. How can I do this? Can it be
done without Javascript?

Cheers and TIA,

--

Paul Watt
http://www.paulwatt.info


William Tasso

2006-04-28, 7:03 am

Fleeing from the madness of the jungle
Paul Watt <paulioNOSPAM@wattio.freeserve.co.uk> stumbled into
news:alt.html,alt.www.webmaster
and said:

> Hi Guys,
> I'm building an email form in an XHTML Strict page. I want to have a drop
> down
> selector box with 3 options in it (x,y,z for example). If x is selected I
> want x to be in the subject line of the email. How can I do this? Can it
> be
> done without Javascript?


yes - the script that processes the form makes all the decisions about
what data to use.

--
William Tasso

http://williamtasso.com/words/what-is-usenet.asp
Martin Jay

2006-04-28, 7:03 am

In message <4be1geF110r4pU1@individual.net>, Paul Watt
<paulioNOSPAM@wattio.freeserve.co.uk> writes
>I'm building an email form in an XHTML Strict page. I want to have a drop down
>selector box with 3 options in it (x,y,z for example). If x is selected I
>want x to be in the subject line of the email. How can I do this? Can it be
>done without Javascript?


Do you want to send the email using a mailto link, such as:

<a href="mailto:martin@spam-free.org.uk?subject=Email subject"> ?

Selecting the subject from a drop down menu without using a script isn't
possible.

Another thing to bear in mind is that not everyone has a default email
client set up on the computer they're using, so this sort of link may
fail. :(
--
Martin Jay
Paul Watt

2006-04-28, 7:03 am


"Martin Jay" <martin@spam-free.org.uk> wrote in message
news:izsUorC2veUEFwMM@spam-free.org.uk...
> In message <4be1geF110r4pU1@individual.net>, Paul Watt
> <paulioNOSPAM@wattio.freeserve.co.uk> writes
>
> Do you want to send the email using a mailto link, such as:
>
> <a href="mailto:martin@spam-free.org.uk?subject=Email subject"> ?
>
> Selecting the subject from a drop down menu without using a script isn't
> possible.
>
> Another thing to bear in mind is that not everyone has a default email
> client set up on the computer they're using, so this sort of link may
> fail. :(


I wasn't going to use a mailto link, probably a cgi or PHP processor


Martin Jay

2006-04-28, 7:05 pm

In message <4be9oiF10q7viU1@individual.net>, Paul Watt
<paulioNOSPAM@wattio.freeserve.co.uk> writes
>"Martin Jay" <martin@spam-free.org.uk> wrote in message
>news:izsUorC2veUEFwMM@spam-free.org.uk...
>I wasn't going to use a mailto link, probably a cgi or PHP processor


Okay, that's good.

So in your HTML you'll have something like this:

<select name="subject">
<option value="Subject 1" SELECTED>Subject 1</option>
<option value="Subject 2">Subject 2</option>
<option value="Subject 3">Subject 3</option>
</select>

Just POST that off to your PHP script and then use the mail command:

$subject = $_POST['subject'];

/* It's probably a good idea to include this so you don't end up with '
and \" in the subject */

$subject = stripslashes($subject);

mail($to, $subject, $message);
--
Martin Jay
Jerry Stuckle

2006-04-28, 7:05 pm

Martin Jay wrote:
> In message <4be9oiF10q7viU1@individual.net>, Paul Watt
> <paulioNOSPAM@wattio.freeserve.co.uk> writes
>
> Okay, that's good.
>
> So in your HTML you'll have something like this:
>
> <select name="subject">
> <option value="Subject 1" SELECTED>Subject 1</option>
> <option value="Subject 2">Subject 2</option>
> <option value="Subject 3">Subject 3</option>
> </select>
>
> Just POST that off to your PHP script and then use the mail command:
>
> $subject = $_POST['subject'];
>
> /* It's probably a good idea to include this so you don't end up with '
> and \" in the subject */
>
> $subject = stripslashes($subject);
>
> mail($to, $subject, $message);


Do this and you will be ripe for becoming a spam relay. At a minimum you need to
ensure there are no newline characters in the input.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
hug

2006-04-28, 7:05 pm

"Paul Watt" <paulioNOSPAM@wattio.freeserve.co.uk> wrote:

>Hi Guys,
>I'm building an email form in an XHTML Strict page. I want to have a drop down
>selector box with 3 options in it (x,y,z for example). If x is selected I
>want x to be in the subject line of the email. How can I do this? Can it be
>done without Javascript?
>
>Cheers and TIA,


It can be done without javascript. I use PHP for server-side stuff
this week. I don't have an email form, but I have lots of dropdown
boxes. Never a problem. I'm not sure what about it is causing you a
problem. I'd post a simple example for you, but all my stuff is very
generalized and hence not simple.

--
http://www.ren-prod-inc.com/hug_sof...?action=contact
Martin Jay

2006-04-28, 7:05 pm

In message <XMednXc-99BGnM_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
<jstucklex@attglobal.net> writes
>Martin Jay wrote:
>Do this and you will be ripe for becoming a spam relay. At a minimum
>you need to ensure there are no newline characters in the input.


Please explain why.
--
Martin Jay
Jerry Stuckle

2006-04-28, 7:05 pm

Martin Jay wrote:
> In message <XMednXc-99BGnM_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
> <jstucklex@attglobal.net> writes
>
> Please explain why.



Google "Email injection" for a lot more info. But basically - the user could
enter something like:

This is a spammer subject
bcc: john@example.com, tom@example.com

And so on. Quite easy to do - and used by a lot of spammers. Unsecured scripts
are used by a lot of spammers. Try another search on

spam formmail

And see what pops up.




--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
hug

2006-04-28, 7:05 pm

Martin Jay <martin@spam-free.org.uk> wrote:

>In message <4be9oiF10q7viU1@individual.net>, Paul Watt
><paulioNOSPAM@wattio.freeserve.co.uk> writes
>
>Okay, that's good.
>
>So in your HTML you'll have something like this:
>
><select name="subject">
> <option value="Subject 1" SELECTED>Subject 1</option>
> <option value="Subject 2">Subject 2</option>
> <option value="Subject 3">Subject 3</option>
></select>
>
>Just POST that off to your PHP script and then use the mail command:
>
>$subject = $_POST['subject'];
>
>/* It's probably a good idea to include this so you don't end up with '
>and \" in the subject */
>
>$subject = stripslashes($subject);
>
>mail($to, $subject, $message);


Just don't forget to validate the user's input. Here's an example:

if (strcmp(htmlentities($input),$input)!=0)
// there is html in the input
if (strpos($address, "\r")!==false || strpos($address, "\n")!==false)
// email injection uses newlines to add things like bcc

Don't let your site become a spam relay station. Don't take my word
for it, do a little digging and make sure your code is covering all
the bases.

--
http://www.ren-prod-inc.com/hug_sof...?action=contact
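An added example, not code posted in this thread, that applies hug's validation advice and Jerry Stuckle's warning to the drop-down Martin described. The subject is never taken from the submitted text: the form sends a short key, the script looks it up in a server-side list, and any field destined for a mail header is rejected if it contains a control character. The field names, the allowed subject list and the addresses are assumptions for illustration; nothing is actually sent, the function only returns the arguments that would go to mail(). Note that stripslashes() offers no protection here, since it only removes backslashes and leaves CR and LF untouched.

```php
<?php
// Added example (not the thread's code): server-side handling of the
// "subject" drop-down, with the newline check from the thread applied to
// every field that ends up in a mail header.

declare(strict_types=1);

// The subjects the <select> offers (constructed for this example). The
// browser is not trusted to return one of them; the key is looked up here.
const ALLOWED_SUBJECTS = [
    'sales'   => 'Sales enquiry',
    'support' => 'Support request',
    'other'   => 'Other',
];

/**
 * True only if $value cannot start a new header line: no CR, LF, NUL or
 * other control character. preg_match() returns 0 for "no match" and
 * false on error, so anything other than 0 is treated as unsafe.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Resolve the submitted drop-down key to the server-side subject text.
 * Returns null for anything that is not a known key, which covers a
 * visitor who edits a local copy of the form and posts it back.
 */
function subjectFromForm(array $post): ?string
{
    $key = $post['subject'] ?? '';
    if (!is_string($key) || !isSafeHeaderValue($key)) {
        return null;
    }
    return ALLOWED_SUBJECTS[$key] ?? null;
}

/**
 * Validate the form and return either the arguments that would be handed
 * to mail() or the list of rejected fields. $to is the site's own inbox.
 */
function prepareContactMail(array $post, string $to): array
{
    $errors = [];

    $subject = subjectFromForm($post);
    if ($subject === null) {
        $errors[] = 'subject';
    }

    // FILTER_VALIDATE_EMAIL rejects whitespace and control characters, so a
    // reply address that passes it is safe to place in a Reply-To header.
    $reply = $post['email'] ?? '';
    if (!is_string($reply) || filter_var($reply, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }

    $body = $post['message'] ?? '';
    if (!is_string($body) || trim($body) === '') {
        $errors[] = 'message';
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    return [
        'ok'      => true,
        'to'      => $to,
        'subject' => $subject,
        'message' => $body,
        'headers' => "Reply-To: $reply\r\n",
    ];
}

// Constructed inputs: a legitimate submission, and one that places the
// "bcc:" line from the thread in the subject field.
$good = ['subject' => 'support', 'email' => 'alice@example.com', 'message' => 'Hello'];
$bad  = [
    'subject' => "This is a spammer subject\r\nbcc: john@example.com, tom@example.com",
    'email'   => 'alice@example.com',
    'message' => 'Hello',
];

foreach (['good' => $good, 'bad' => $bad] as $label => $post) {
    $result = prepareContactMail($post, 'webmaster@example.com');
    echo $label, ': ', $result['ok']
        ? 'would send with subject "' . $result['subject'] . '"'
        : 'rejected field(s) ' . implode(', ', $result['errors']), "\n";
}
```

The second submission is rejected twice over: the value is not one of the three keys, and it contains CR and LF. Logging such rejections is worthwhile, since a burst of them against a contact form is a reliable sign that the form is being probed as a relay.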
hug

2006-04-28, 7:06 pm

Martin Jay <martin@spam-free.org.uk> wrote:

>In message <XMednXc-99BGnM_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
><jstucklex@attglobal.net> writes
>
>
>Please explain why.


I had a link to what seemed a pretty straightforward explanation, but
on checking it this morning it seems the link no longer resolves. In
case it's a matter of some intermediate node being temporarily down,
the link is http://securephp.damonkohler.com/in...Email_Injection

A google web search using the phrase "email injection" will bring up
plenty of explanations. Spammers love sites where there are email
forms with no validation.

--
http://www.ren-prod-inc.com/hug_sof...?action=contact
Martin Jay

2006-04-28, 7:06 pm

In message <ve-dnQNo9JQ-ms_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
<jstucklex@attglobal.net> writes
>Martin Jay wrote:
>Google "Email injection" for a lot more info. But basically - the user
>could enter something like:
>
> This is a spammer subject
> bcc: john@example.com, tom@example.com
>
>And so on. Quite easy to do - and used by a lot of spammers. Unsecured
>scripts are used by a lot of spammers. Try another search on
>
> spam formmail
>
>And see what pops up.


I (think) I understand the principle, but I cannot replicate it.

The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
'bcc' fields in its header, which it isn't. Well, not until it reaches
its destination, maybe.

I emailed Paul an example script earlier. I've also uploaded it to:
<http://www.spam-free.org.uk/pages/email_test.php>.

I would be interested to see how the spamming technique you mention can
be used with it. I have changed the form method from POST to GET to
make it easier to 'hack.'
--
Martin Jay
Jerry Stuckle

2006-04-28, 10:50 pm

Martin Jay wrote:
> In message <ve-dnQNo9JQ-ms_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
> <jstucklex@attglobal.net> writes
>
> I (think) I understand the principle, but I cannot replicate it.
>
> The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
> 'bcc' fields in its header, which it isn't. Well, not until it reaches
> its destination, maybe.
>
> I emailed Paul an example script earlier. I've also uploaded it to:
> <http://www.spam-free.org.uk/pages/email_test.php>.
>
> I would be interested to see how the spamming technique you mention can
> be used with it. I have changed the form method from POST to GET to
> make it easier to 'hack.'


Either way. I just make a local copy of your form, edit it to add the headers I
want, and post it back to you. For instance, I place in the subject field:

This is spam
bcc: someone@example.com

And off it goes. The more fields I add, the more I'm sending.

Not hard at all.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Martin Jay

2006-04-28, 10:50 pm

In message <o86dnYXPebLANc_ZnZ2dnUVZ_s-dnZ2d@comcast.com>, Jerry Stuckle
<jstucklex@attglobal.net> writes
>Martin Jay wrote:
>Either way. I just make a local copy of your form, edit it to add the
>headers I want, and post it back to you. For instance, I place in the
>subject field:
>
> This is spam
> bcc: someone@example.com
>
>And off it goes. The more fields I add, the more I'm sending.
>
>Not hard at all.


Hmmm...

I've replaced the page I mentioned earlier with one that allows you to
download a copy of the form script.

Put it on your local server and try your theory out.

I cannot replicate the problem you highlighted. :(
--
Martin Jay
Martin Jay

2006-04-29, 6:53 pm

In message <NvafPKMsohUEFwZK@spam-free.org.uk>, Martin Jay
<martin@spam-free.org.uk> writes
>The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
>'bcc' fields in its header, which it isn't. Well, not until it reaches
>its destination, maybe.


This is incorrect. Email *IS* sent to email addresses listed in the
'to,' 'cc,' and 'bcc' fields of the header.
--
Martin Jay
Toby Inkster

2006-04-29, 6:53 pm

Jerry Stuckle wrote:

> Do this and you will be ripe for becoming a spam relay. At a minimum you
> need to ensure there are no newline characters in the input.


It's more the fourth parameter where you're likely to run into trouble. Of
course it doesn't hurt to treat the subject line with a bit of suspicion
too.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Now Playing ~ ./who/baba_oriley.ogg
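An added example, not the thread's code, for the point Toby Inkster makes about the fourth parameter. PHP's mail() replaces newline characters in its to and subject arguments with spaces, which is one reason a test that only puts the bcc line in the subject may not reproduce; the additional_headers string is the header block handed on to the mailer, so a From or Reply-To built from raw form input is where a stray CRLF becomes a new header. The example builds that string from a visitor's name and address, then parses the finished block and refuses to return it unless every line is a "Name: value" pair whose name is on a short allow-list. Field names, addresses and the allow-list are assumptions for illustration.

```php
<?php
// Added example (not the thread's code): assembling and gating the
// additional_headers argument of mail() from user-influenced fields.

declare(strict_types=1);

// Headers this form is allowed to emit (constructed for this example).
// Anything else in the finished block, Bcc, Cc, To, Content-Type and so
// on, means user input has reached the header block unchecked.
const ALLOWED_HEADERS = ['from', 'reply-to', 'x-mailer'];

/**
 * Final gate before mail(): every line must be "Name: value", the name must
 * be on the allow-list, and there must be no blank line, since a blank line
 * ends the header block and turns the rest of the string into body text.
 */
function assertHeaderBlockIsSane(string $headers): void
{
    $lines = explode("\r\n", rtrim($headers, "\r\n"));
    foreach ($lines as $line) {
        if ($line === '' || strpbrk($line, "\r\n") !== false) {
            throw new RuntimeException('malformed header block');
        }
        if (!preg_match('/^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$/', $line, $m)) {
            throw new RuntimeException('not a header line: ' . $line);
        }
        if (!in_array(strtolower($m[1]), ALLOWED_HEADERS, true)) {
            throw new RuntimeException('unexpected header: ' . $m[1]);
        }
    }
}

/**
 * Build the additional_headers string from a visitor's display name and
 * address. The site's own address goes in From (so the sending domain's
 * policies are not broken); the visitor goes in Reply-To.
 */
function buildAdditionalHeaders(string $name, string $email, string $siteFrom): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid reply address');
    }
    // Remove control characters and the characters that carry meaning
    // inside an address (quotes, backslash, angle brackets) so the name
    // cannot close the quoted string or start a new header line.
    $name = trim(preg_replace('/[\x00-\x1F\x7F"\\\\<>]/', '', $name) ?? '');
    if ($name === '') {
        $name = 'Website visitor';
    }

    $headers  = "From: $siteFrom\r\n";
    $headers .= "Reply-To: \"$name\" <$email>\r\n";
    $headers .= "X-Mailer: contact-form\r\n";

    assertHeaderBlockIsSane($headers);
    return $headers;
}

// Constructed inputs. A clean submission:
echo buildAdditionalHeaders('Alice Example', 'alice@example.com', 'forms@example.com');

// The "Bcc:" line from the thread inside the display name: the CR and LF
// are removed, so the text stays inside the quoted name.
echo buildAdditionalHeaders("Bob\r\nBcc: someone@example.com", 'bob@example.com', 'forms@example.com');

// The same line inside the address: FILTER_VALIDATE_EMAIL rejects it.
try {
    buildAdditionalHeaders('Carol', "carol@example.com\r\nBcc: someone@example.com", 'forms@example.com');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The gate on its own, fed a block that a careless concatenation would
// have produced: the extra header is caught before mail() ever sees it.
try {
    assertHeaderBlockIsSane("From: forms@example.com\r\nBcc: someone@example.com\r\n");
} catch (RuntimeException $e) {
    echo 'gate: ', $e->getMessage(), "\n";
}
```

The gate is deliberately separate from the builder: if the builder is later edited to concatenate another field, the allow-list check still fails closed rather than quietly shipping a Bcc line.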

hug

2006-04-29, 6:53 pm

Martin Jay <martin@spam-free.org.uk> wrote:

>In message <NvafPKMsohUEFwZK@spam-free.org.uk>, Martin Jay
><martin@spam-free.org.uk> writes
>
>This is incorrect. Email *IS* sent to email addresses listed in the
>'to,' 'cc,' and 'bcc' fields of the header.


Does that imply that you have successfully "hacked" your site?

--
http://www.ren-prod-inc.com/hug_sof...?action=contact
Jerry Stuckle

2006-04-29, 6:53 pm

Martin Jay wrote:
> In message <o86dnYXPebLANc_ZnZ2dnUVZ_s-dnZ2d@comcast.com>, Jerry Stuckle
> <jstucklex@attglobal.net> writes
>
> Hmmm...
>
> I've replaced the page I mentioned earlier with one that allows you to
> download a copy of the form script.
>
> Put it on your local server and try your theory out.
>
> I cannot replicate the problem you highlighted. :(


Martin,

Sorry, I have too many other things to do than to download scripts and test them
on my server. I gave you the references and some suggestions. I really don't
wish to spend the time "proving to you I'm right".



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Martin Jay

2006-04-29, 10:56 pm

In message <6gk6521fo3eopv7nn5df5mfb6mcc1s6vn4@4ax.com>, hug
<contact_info@sig_line.clickit> writes
>Martin Jay <martin@spam-free.org.uk> wrote:
>Does that imply that you have successfully "hacked" your site?


No.

After further reading I realized that the information I posted was
incorrect. I corrected my mistake in case anyone else relied on the
wrong information I had posted.

I still haven't seen an example of headers being injected into an email
sent by PHP's mail() function, despite it being "quite easy to do."

I have Googled and recreated many of the examples I've found, but cannot
reproduce the "hack." Perhaps it's related to older versions of PHP.
--
Martin Jay
Jerry Stuckle

2006-04-29, 10:56 pm

Martin Jay wrote:
> In message <6gk6521fo3eopv7nn5df5mfb6mcc1s6vn4@4ax.com>, hug
> <contact_info@sig_line.clickit> writes
>
> No.
>
> After further reading I realized that the information I posted was
> incorrect. I corrected my mistake in case anyone else relied on the
> wrong information I had posted.
>
> I still haven't seen an example of headers being injected into an email
> sent by PHP's mail() function, despite it being "quite easy to do."
>
> I have Googled and recreated many of the examples I've found, but cannot
> reproduce the "hack." Perhaps it's related to older versions of PHP.



It has nothing to do with the version of PHP. It has everything to do with the
security of YOUR code.

If you believe your form is hack-proof, fine. But don't go crying to anyone
else when your site is used as a spam relay, your ISP is blacklisted and you get
kicked off their servers.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Copyright 2003 - 2008 forum4designers.com