As I said in my last post,
I'm hardly what you'd call
a PHP expert.
So, it's back to school again.
I'm studying the script found
here:
PHP MAIL FORM V2
In my last post, I took a quick
look at this script:
Installing a PHP Form Mail Script
I liked the script when I first
saw it because it seems to be
a very security conscious script.
I notice right away that it has
lots of buffer overflow protection.
This is good!
A buffer overflow, in a language like C, happens when input longer than the
memory reserved for it spills into neighbouring memory; an attacker who
controls that input can use the spill to change what the program does. This
is one of the basic techniques of evil people.
PHP manages string memory for you, so a long form field cannot overwrite this
script's code that way. What the length checks buy you is still worth having:
a hard cap on how much an attacker or spammer can push through the form in one
request, and less data for the script to handle afterwards.
The check that matters most in a form mailer is a different one. Any field
that ends up in a mail header (the sender's address, the subject) has to be
rejected, or stripped, if it contains a line break, because a line break lets
the submitter add headers of their own, such as extra recipients. That is the
check to look for alongside the length limits.
Here's a Wikipedia article that explains
buffer overflow much better:
Buffer Overflow
I notice that this script puts careful
limitations on the length of input
data.
In the code, look for the strlen()
function. This is where the limit on
each field's length is enforced.
Here's an example: as of this writing,
the length of comments is limited to
1500 characters. Note that strlen()
counts bytes, so for multi-byte text
the cap is on bytes, not characters.
Anyone trying to abuse the form has at
most 1500 bytes to work with in that
field, which is a real limitation on
how much can be pushed through in one
request.
Here, for example, is the element of the
$_POST associative array that
contains the comments input by the web
visitor:
$_POST['comments']
Here's some PHP documentation for the
$_POST associative array:
PHP $_POST Associative Array
$_POST is a superglobal array that PHP
fills from the body of the HTTP request.
It is not the shell environment: nothing
a visitor submits becomes an environment
variable, and the form and the script do
not share state through the shell.
In any HTML form, you can set the
method attribute to post. The browser
then sends the field values in the body
of the request, and when that request
reaches your form processing program,
PHP parses the body and stores each
field under its name attribute. An input
named comments therefore shows up as
$_POST['comments'].
Every value in there is a string chosen
by the visitor, so treat it as untrusted.
I think of $_POST as a set of little
buckets, one per form field, filled by
the browser on each submission.
I assume that the name of the associative
array, $_POST, implies that you
are using the post method mentioned
above.
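Here is what the two points above look like in code: values arrive in $_POST keyed by each form field's name, strlen() caps the length of each one, and any field bound for a mail header is refused if it contains a line break. This is an added example, not code from the PHP MAIL FORM V2 script; the field names, the limits and the three sample submissions are my own assumptions.

```php
<?php
// Added example, not the PHP MAIL FORM V2 script itself. The field names,
// limits and sample submissions below are assumptions for illustration.

// Maximum length, in bytes, for each field the form may submit.
const FIELD_LIMITS = [
    'name'     => 80,
    'email'    => 254,
    'subject'  => 120,
    'comments' => 1500,   // the comments limit mentioned in the post
];

// Fields that end up inside the message header rather than the body.
const HEADER_FIELDS = ['name', 'email', 'subject'];

/**
 * Validate one submission. $post stands in for PHP's $_POST, which PHP
 * fills from the body of a method="post" form, keyed by each input's name.
 * Returns ['ok' => true, 'fields' => [...]] on success, otherwise
 * ['ok' => false, 'errors' => [...]].
 */
function validate_submission(array $post): array
{
    $errors = [];
    $fields = [];

    foreach (FIELD_LIMITS as $name => $limit) {
        // A missing field is treated as empty rather than raising a notice.
        $value = $post[$name] ?? '';
        if (!is_string($value)) {          // name[] in the form yields an array
            $errors[] = "$name: not a string";
            continue;
        }
        // strlen() counts bytes, so the cap holds whatever the encoding.
        if (strlen($value) > $limit) {
            $errors[] = "$name: longer than $limit bytes";
            continue;
        }
        // A CR or LF in a header field would let the submitter append
        // headers of their own (extra recipients, for example).
        if (in_array($name, HEADER_FIELDS, true) && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$name: line break not allowed in a header field";
            continue;
        }
        $fields[$name] = $value;
    }

    // Only an address that survived the checks above is worth validating.
    if (isset($fields['email']) && !filter_var($fields['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email: not a valid address';
    }

    return $errors ? ['ok' => false, 'errors' => $errors]
                   : ['ok' => true,  'fields' => $fields];
}

// Constructed sample submissions: what $_POST would hold for each request.
$good = [
    'name'     => 'Jane Visitor',
    'email'    => 'jane@example.com',
    'subject'  => 'Question',
    'comments' => 'Hello from the form.',
];
$tooLong = $good;
$tooLong['comments'] = str_repeat('A', 1501);       // one byte over the cap
$injected = $good;
$injected['email'] = "jane@example.com\r\nBcc: someone-else@example.net";

foreach (['good' => $good, 'tooLong' => $tooLong, 'injected' => $injected] as $label => $post) {
    $result = validate_submission($post);
    echo $label, ': ', ($result['ok'] ? 'accepted' : implode('; ', $result['errors'])), PHP_EOL;
}
```

Run it with the PHP command-line interpreter; the first submission is accepted, the second fails the comments limit, and the third is refused because of the line break in the address. If you want the 1500 limit to be a count of characters rather than bytes, use mb_strlen() in place of strlen(), but keep a byte cap as well so that the amount of data per request stays bounded.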
OK. I'll look at this script again later.
This appears to be a very useful script.
Ed Abbott
Monday, January 18, 2010
Friday, January 8, 2010
Installing a PHP Form Mail Script
OK. This is a new blog.
I don't really consider myself
a PHP expert at all. Essentially,
I'm writing as I learn.
On this occasion, I'm writing
about installing a script that
I can use as a form mailer.
Here's a script that should do
the trick:
PHP MAIL FORM V2
This looks like a good one.
It especially looks good because
it is very very security conscious.
I'm going to give it a try.
OK. Here are a couple of things
I notice right off:
- You need to change the name of
your script to something.php.
The .php is important!
- You need to give the script
an email address. You do this
by filling in $yourEmail
with a valid email address at
which you'd like to receive the
email.
Why do you need to change the name
of the file to something with a
.php on the end of it?
Because most web servers only hand
a file to the PHP interpreter when
its name ends in .php. Anything else
is served as a plain file, so a copy
left with a .txt extension would not
run at all; worse, the server would
send its source, including the
$yourEmail address you filled in, to
anyone who requested it.
There are ways to make the web
server behave differently than
this (a handler mapping for other
extensions), but this is beyond
the scope of this blog post.
Most people depend on the .php
extension to turn their file
into a PHP program that actually
runs.
Looks like this script does not
offer SMTP authentication. I
need SMTP authentication because
the web server I'm working on
does not allow me to set up my
own email account that I can check.
I know. I know. That's weird but
that's the way it is.
Hmmm. Maybe I'll come back to
this one later.
I like the script in general. It's
just not going to meet my needs at
this time.
It's weird, but I need SMTP authentication
so that I can use my mail server and
my personal email address to check
that things are working properly.
After everything checks out OK, I'll
switch the email address to the
permanent email address, the one I
do not have access to.
Ed Abbott