Nigel Peck wrote:
> Gunnar Hjalmarsson wrote:
>> Nigel Peck wrote:
>>> I'd appreciate hearing (reading!) people's thoughts on making web form data safe for use in composing an email via sendmail.
>>>
>>> Basically, see comments in pseudo-code below, what should I be doing to the data to make it safe?
>>>
>>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>
>>> use strict;
>>> use warnings;
>>> use CGI;
>>>
>>> my $query = CGI->new;
>>>
>>> # raw form value, still untrusted at this point
>>> my $example_data = $query->param('some_form_item');

>> It depends. If you are going to send a plain text message, and the user submitted data is only used in the body of the message, I can't think of anything particular. OTOH, if one or more parameters are intended for the message headers, there are a few things to consider.

> Thanks for getting back to me.
>
> For the body of the message, one thing that occurs to me is \n.\n as
> that would end the message? But presumably nothing else could be entered
> after that as sendmail would close?

True. But that's not exactly a security issue, right?

> So there's nothing that they could "inject" and compromise security in
> any way?

Not as far as I know.

> For the header, other than newlines, what should I consider?

Not quite sure of what you mean. In CGI::ContactForm (the module I'm using for the contact form you see if you click the link below) I do something like:

for ( @header_fields ) {   # the form values destined for message headers, e.g. name, address, subject
    s/^\s+//;              # trim leading whitespace
    s/\s+$//;              # trim trailing whitespace
    s/\s+/ /g;             # collapse every run of whitespace (\s includes \r and \n) to one space
}

That wipes out all attempts to include newlines.

Besides that you may want to validate possible email addresses. And please think twice before you let the users submit anything to "To:", "Cc:" or "Bcc:".

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
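As an added, complete example of the approach described in the reply above (this is not code from the thread or from CGI::ContactForm), the script below cleans the header fields the same way, validates the visitor's address with a deliberately strict pattern, keeps the recipient fixed in the script rather than taking it from the form, and hands the message to sendmail through a list-form pipe open with -oi so that neither a shell nor a lone "." line in the body can be abused. The field names (name, email, subject, body), the recipient and sender addresses and the sendmail path are assumptions; in a real CGI handler the values would come from $query->param(...).

```perl
#!/usr/bin/perl
# Added example: sanitising web form data before handing it to sendmail.
# The field names and the addresses below are assumed for illustration.
use strict;
use warnings;

# Fixed in the script, never taken from the form (assumed addresses).
my $RECIPIENT = 'webmaster@example.com';
my $SENDER    = 'www-data@example.com';   # must be an address your MTA may send as

# Make a value safe for a single header line: trim, collapse every run of
# whitespace (\s matches \r, \n, \f and \x0B too) to one space, then drop
# any remaining control characters.
sub clean_header {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/^\s+//;
    $value =~ s/\s+$//;
    $value =~ s/\s+/ /g;
    $value =~ tr/\x00-\x1F\x7F//d;
    return $value;
}

# Deliberately stricter than RFC 5322: exactly one addr-spec, no whitespace,
# no angle brackets, commas or quotes that could smuggle extra recipients.
sub looks_like_email {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Assemble headers and body. Only cleaned values reach the headers; the
# visitor's address goes in Reply-To, not From, so the mail is still sent
# as an address the server is allowed to use. Returns undef on bad input.
sub build_message {
    my (%form) = @_;
    my $name    = clean_header($form{name});
    my $email   = clean_header($form{email});
    my $subject = clean_header($form{subject});
    my $body    = defined $form{body} ? $form{body} : '';

    return unless looks_like_email($email);

    return join("\n",
        "To: $RECIPIENT",
        "From: $SENDER",
        "Reply-To: $email",
        "Subject: $subject",
        "Content-Type: text/plain; charset=UTF-8",
        "",
        "Name: $name",
        "",
        $body,
    ) . "\n";
}

# Hand the message to sendmail. List-form open: no shell is involved, so
# nothing in the data is interpreted. -oi: a line holding a single "." does
# not end the message, so a visitor cannot truncate the body with "\n.\n".
sub send_via_sendmail {
    my ($message) = @_;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $RECIPIENT)
        or die "cannot run sendmail: $!";
    print {$mail} $message;
    close($mail) or die "sendmail failed: " . ($! || "exit status $?");
}

# Constructed input: a header-injection attempt in the subject and a body
# containing a lone "." line.
unless (caller) {
    my %form = (
        name    => "  Alice\tSmith  ",
        email   => 'alice@example.org',
        subject => "Hello\r\nBcc: everyone\@example.net\r\n\r\nspam",
        body    => "line one\n.\nline after the dot\n",
    );
    my $msg = build_message(%form);
    die "rejected: invalid sender address\n" unless defined $msg;
    print $msg;   # the injected Bcc: ends up as plain text inside one Subject: line
    # send_via_sendmail($msg);   # enable on a host with a sendmail binary
}
```

Note that an injected address in the email field fails looks_like_email after cleaning (the collapsed whitespace makes it contain a space), so the message is refused rather than sent with a mangled Reply-To. Nothing from the form is ever used as a sendmail argument, so the recipient cannot be redirected via the command line either.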


--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/

