
Thread: validation

  1. #1 timgolding, Senior Coder (Southampton)

    validation

    Hi

    I am receiving some POST data (name, telephone number and address) and I just wondered what sort of validation I should do before I send it to an email address. I have put an is_numeric function in for the telephone number, but other than that I can't think
    You can not say you know how to do something, until you can teach it to someone else.

  • #2 Super Moderator (Perth, Australia)
    htmlspecialchars() will stop JavaScript and VBScript; you should probably pass everything through that.

    Another worry is email-header injection, where your form is altered to send emails to other addresses as well as the original. How likely this is to happen depends on where the data used in the To/recipient header comes from (the same goes for the other email headers); google for more info on this.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #3 Fumigator, UE Antagonizer (Utah, USA)
    Address validation is a multi-gazillion dollar industry (i.e. group 1 and the like) but you probably just want to make sure the field's not empty, unless having a valid address is critical to the success of your business.

    You want to make sure the phone number is the right number of digits and trim out any "(", ")" or "-" characters they enter (just store the numbers).

    Name validation is about the same as address validation; just making sure the field isn't empty is about all you can reasonably do unless you get into that multi-gazillion dollar industry again.

  • #4 timgolding, Senior Coder (Southampton)
    OK that all sounds reasonable, thank you!

  • #5 Super Moderator (Perth, Australia)
    No, you really need to google for email-header injection. E.g. if the user can pass an email address and you only check that it is not empty, it is then possible for a spammer to pass multiple recipients via that field,

    e.g. someone might pass an email address such as the following (example from http://www.securephpwiki.com/index.php/Email_Injection):
    Code:
    sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

  • #6 timgolding, Senior Coder (Southampton)
    Hi, thanks for your comments.

    Fire pages the script actually will only ever send the email to the mail server, which will be records for the staff at Southern Bridges. Therefore the To string is predefined. However, the telephone number, address and name will make up the subject and body part. As for the header string, should I leave that out or should I just use a predefined string?

    I presume there's no worry of injections through the subject and body part of the script?

  • #7 Super Moderator (Perth, Australia)
    There is still the possibility of injecting through the subject field, since that is sent directly to the mail server as an email header:

    my subject%0ATo: recipient@someothersite.xxx

    The body should be safe from injection code since it is sent after the email headers. Still worth checking for other <script> exploits though.
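    Pulling the advice from #3, #5 and #7 together, here is an added example (not code from the thread) of a PHP validator for the three form fields: the phone number is reduced to digits and length-checked, name and address are checked for being non-empty, and anything destined for the Subject header is rejected if it contains CR or LF, which is what the %0A in the injection examples decodes to. The field names name/phone/address, the fixed recipient and the subject wording are assumptions.

```php
<?php
// Added example, not from the thread. Validates contact-form input before it is
// placed in the Subject header and body of an outgoing email. Field names and
// the fixed recipient address are assumptions.

/**
 * Returns ['ok' => bool, 'errors' => string[], 'clean' => array].
 * $_POST values are already URL-decoded, so "%0A" arrives as a literal "\n";
 * any "\r" or "\n" in a header value is what lets extra To:/Cc:/Bcc: lines
 * be appended, so header-bound fields are rejected outright if they contain one.
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    $clean  = [];

    // Name: required, bounded length, no line breaks (it ends up in the Subject).
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    } elseif (preg_match('/[\r\n\0]/', $name)) {
        $errors[] = 'name contains a line break';
    }
    $clean['name'] = $name;

    // Phone: keep digits only (drops spaces, brackets, hyphens), then check the
    // count. ctype_digit is stricter than is_numeric, which also accepts input
    // such as "1e5" or leading whitespace.
    $digits = preg_replace('/\D+/', '', (string)($post['phone'] ?? ''));
    if (!ctype_digit($digits) || strlen($digits) < 7 || strlen($digits) > 15) {
        $errors[] = 'phone must contain 7-15 digits';
    }
    $clean['phone'] = $digits;

    // Address: "not empty" is all that is realistic; normalise line endings for the body.
    $address = trim(str_replace(["\r\n", "\r"], "\n", (string)($post['address'] ?? '')));
    if ($address === '') {
        $errors[] = 'address is required';
    }
    $clean['address'] = $address;

    return ['ok' => $errors === [], 'errors' => $errors, 'clean' => $clean];
}

// Build the message only from validated data; the To: header is hard-coded,
// so user input never reaches the recipient list.
$result = validate_contact_form($_POST);
if ($result['ok']) {
    $c       = $result['clean'];
    $subject = 'Enquiry from ' . $c['name'];                     // CR/LF already excluded
    $body    = "Name: {$c['name']}\nPhone: {$c['phone']}\nAddress:\n{$c['address']}\n";
    mail('enquiries@example.com', $subject, $body);             // placeholder recipient
}
```

    If the message is ever rendered as HTML rather than plain text, pass each field through htmlspecialchars() when building $body, as #2 suggests.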

