Re: XSS via curl

Sandy Keathley wrote:
> My company uses a home-grown formmail script for clients <groan>, and someone is using curl to inject HTTP headers and spam email addresses, and turn it into an open relay. Yes, I know

1. cut out the ability for the poster (form submitter) to determine who is addressed.
2. strip out anything that looks like it's trying to be a mail 'field' in submitted
content.
3. use a CAPTCHA.
4. ask the 'Zend Certified Engineer' in your office???

> the right answer is to not use a formmail, but I don't make the rules here.

> Is there a way to detect that a script is being accessed by curl, and not by a browser? ENV ($_SERVER) variables won't work, as those can be forged.

no. the webserver only sees the incoming request - given that what
is sent (the _complete_ request) is totally up to the client how could you
possibly tell who/what sent the request (other than trusting the client that
it's telling the truth)?

granted there may be ways (hackish or not) to make some kind of determination
as to the legitimacy of the client - but that is probably in the realm of
"if you have to ask .... "


> Thanks.
>
> Sandy Keathley


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
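The two points above (the poster's relay problem and the reply's items 1 and 2) as an added PHP example; this is not code from the thread or from the poster's formmail. It shows the kind of header construction that lets a submitted value such as `a@example.org\r\nBcc: ...` add its own mail header, beside a hardened builder that fixes the recipient server-side and rejects any CR or LF in a header value. The recipient and sender addresses (`sales@example.com`, `webform@example.com`) and the field names are assumptions; the sample `$malicious` array is constructed to mimic what a `curl -d` payload looks like once PHP has decoded it into `$_POST`. Nothing here looks at `$_SERVER['HTTP_USER_AGENT']`, for the reason the reply gives: `curl -A 'Mozilla/5.0 ...'` sets that header to whatever the client wants.

```php
<?php
// Added example (not from the original thread): a formmail header builder
// hardened against CRLF header injection. Assumptions: the site owner, not
// the form, chooses the recipient; all addresses below are illustrative.

declare(strict_types=1);

// VULNERABLE: user input is concatenated straight into mail() headers.
// An "email" field of "a@example.org\r\nBcc: spam@example.net" appends a
// Bcc: header, which is how the script becomes an open relay.
function build_headers_vulnerable(array $post): string
{
    return "From: {$post['email']}\r\n"
         . "Reply-To: {$post['email']}\r\n"
         . "Subject: {$post['subject']}\r\n";
}

// HARDENED: every value destined for a header is checked for CR, LF and
// NUL, which are the only characters that can start a new header line.
function header_value(string $name, string $value, int $max = 200): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("CR/LF in $name: header injection rejected");
    }
    if (strlen($value) > $max) {
        throw new InvalidArgumentException("$name too long");
    }
    return trim($value);
}

// Recipient and From are fixed by the site. The visitor only influences
// Reply-To and Subject, and both pass through header_value() first.
function build_headers_hardened(array $post): array
{
    $reply_to = header_value('email', $post['email'] ?? '');
    if (filter_var($reply_to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid reply-to address');
    }
    $subject = header_value('subject', $post['subject'] ?? '');

    return [
        'to'      => 'sales@example.com',   // assumed; never taken from the form
        'subject' => "[webform] $subject",
        'headers' => "From: webform@example.com\r\nReply-To: $reply_to\r\n",
    ];
}

// Constructed sample input: a spammer's form post after PHP has decoded it.
$malicious = [
    'email'   => "victim@example.org\r\nBcc: a@spam.example, b@spam.example",
    'subject' => 'hello',
    'body'    => 'buy now',
];

echo "vulnerable headers:\n" . build_headers_vulnerable($malicious) . "\n";

try {
    build_headers_hardened($malicious);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")\n";
}

// A legitimate submission still goes through; the caller would then run
// mail($m['to'], $m['subject'], $post['body'], $m['headers']).
$legit = ['email' => 'jane@example.org', 'subject' => 'quote request', 'body' => 'Please call.'];
$m = build_headers_hardened($legit);
print_r($m);
```

The check on CR/LF is what item 2 in the reply amounts to in practice: rather than trying to recognise specific header names such as `Bcc:` or `Cc:`, refuse the line terminators that would let any new header be introduced at all. The fixed `to` address is item 1. The body of the message is deliberately left unchecked, since newlines in the body cannot reach the header block.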
