Re: Automatic Form processor


On 20/10/2004, at 12:42 PM, Lone Wolf wrote:

I am in need of a PHP script that will take any POST data and parse it into
a file and email it out to users. The data needs to be completely
changeable, whether I have 20 items or 400, I just want to throw everything
to the script via POST and let it take the POST information and manipulate
it.

As Dan has already said, something like this is what you need:

foreach ( $_POST as $key => $value )
{
   // substr() with length 4 can never equal the five-character "quest";
   // compare the first 5 characters so "quest1", "quest2", ... match
   if ( substr( $key, 0, 5 ) == "quest" )
      echo "$value: $key\n";
}

HOWEVER, this leaves your script wide open to security issues, because you're placing all the power in the HTML form, rather than on the server-side PHP script.


Since your PHP script has no idea what sort of data it will receive, you can't do any validation of the content, so you're assuming whatever data the form submits can be trusted. The problem with assumptions is that they're nearly always flawed.

For example, I could write my own form which POSTs to your PHP script with my own field names and fill it with all sorts of garbage, hack attempts, and whatever else... your PHP script would "trust" it all, and then send it out to a bunch of people via email without any checking whatsoever.

I'm not enough of a security expert to offer any working examples, but for starters, it sounds like a nice way for a spammer to reach your recipient list.


So, what can you do about it?


Perhaps nothing -- it depends on how much work you want to put in, and what sort of security return you'll get for your time. Matt's FormMail.pl script is one of the most popular scripts running on the web, and was designed to allow the HTML form to drive the Perl script. It has some huge glaring security holes in it which are well documented over the web, and widely abused by spammers -- you might want to read up on it before walking down the same path.


The way I see it, you have the same problem -- the HTML form is driving the PHP script, rather than the other way around. If it was me, and I wanted everything locked down as much as possible, I'd keep a PHP array for each form which describes the expected fields and what sort of values are expected (like limiting the number of characters).

If you don't want the form author to have to write PHP arrays, then you'd need a bad-ass HTML parser which parsed the form to "learn" what was expected and allowed -- lots of work though.


If the HTML writer can be bothered writing a few lines of PHP, you could get a lot more secure.



Justin French
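The "PHP array per form" approach Justin describes above, worked through as an added example that is not part of the original post or of any project's code. The spec array, the function names (validateField, processForm, buildMessage), the recipient address and the sample submission are all hypothetical, and the code assumes PHP 7 or later for the typed parameters and the `??` operator. The server-side spec decides which fields exist, how long they may be and what type they must hold; unknown fields, oversized values and line breaks (which could become extra mail headers) cause the whole submission to be rejected, and the recipient list never comes from the form.

```php
<?php
// Added example (not Justin's or Lone Wolf's code): a server-side field
// specification drives the processor, so the HTML form cannot add fields,
// change recipients, or smuggle mail headers. All names are hypothetical.

// One spec per form. Anything not listed here is rejected outright.
$contactFormSpec = [
    'name'   => ['type' => 'text',  'required' => true,  'maxlen' => 60],
    'email'  => ['type' => 'email', 'required' => true,  'maxlen' => 120],
    'quest1' => ['type' => 'text',  'required' => false, 'maxlen' => 500],
    'quest2' => ['type' => 'int',   'required' => false, 'maxlen' => 6],
];

// Recipients live on the server, never in the form (placeholder address).
$recipients = ['owner@example.com'];

function validateField(string $name, array $rule, $raw, array &$errors): ?string
{
    if (!is_string($raw)) {                   // arrays/nested data are never expected
        $errors[] = "$name: unexpected value type";
        return null;
    }
    $value = trim($raw);
    if ($value === '') {
        if ($rule['required']) { $errors[] = "$name: required"; }
        return null;
    }
    if (strlen($value) > $rule['maxlen']) {
        $errors[] = "$name: longer than {$rule['maxlen']} characters";
        return null;
    }
    // A CR or LF inside a field that ends up in a mail header would let the
    // submitter add headers such as extra recipients, so refuse them everywhere.
    if (preg_match('/[\r\n]/', $value)) {
        $errors[] = "$name: line breaks not allowed";
        return null;
    }
    switch ($rule['type']) {
        case 'email':
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                $errors[] = "$name: not a valid email address";
                return null;
            }
            break;
        case 'int':
            if (!ctype_digit($value)) {
                $errors[] = "$name: must be a whole number";
                return null;
            }
            break;
        case 'text':
            break;
        default:
            $errors[] = "$name: unknown rule type";   // misconfigured spec
            return null;
    }
    return $value;
}

function processForm(array $spec, array $post): array
{
    $errors = [];
    $fields = [];
    // The spec, not the form, decides which field names exist.
    foreach (array_keys($post) as $key) {
        if (!isset($spec[$key])) { $errors[] = "$key: unexpected field"; }
    }
    foreach ($spec as $name => $rule) {
        $value = validateField($name, $rule, $post[$name] ?? '', $errors);
        if ($value !== null) { $fields[$name] = $value; }
    }
    return ['ok' => empty($errors), 'errors' => $errors, 'fields' => $fields];
}

function buildMessage(array $fields): string
{
    $lines = [];
    foreach ($fields as $name => $value) {
        $lines[] = "$name: $value";
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample submission: one field the spec never listed, plus a
// line break in the name. On a live site this would be $_POST instead.
$samplePost = [
    'name'   => "Alice\r\nBcc: everyone@example.net",
    'email'  => 'alice@example.com',
    'quest1' => 'Where is the meeting?',
    'reply'  => 'someone@example.net',
];

$result = processForm($contactFormSpec, $samplePost);
if ($result['ok']) {
    $body = buildMessage($result['fields']);
    foreach ($recipients as $to) {
        mail($to, 'Form submission', $body, "From: noreply@example.com\r\n");
    }
} else {
    // Nothing is mailed for a submission that fails the spec; log and stop.
    error_log('Rejected submission: ' . implode('; ', $result['errors']));
}
```

With the constructed input the submission is rejected for two reasons (the unexpected `reply` field and the line break in `name`), so no mail goes out; only a submission whose every field matches the spec reaches mail(), and even then the recipients are the ones hard-coded on the server.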

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

