How about limiting the amount of data sent, and then... accepted?

You can for one do the basic things, which is, in the HTML, set a limit to the chars taken. For example:

    ...m action="./cgi-bin/take_comments.cgi" method="post" name="WriteUsForm">
    Your Name:<br />
    <input name="1-From" type="text" size="35" maxlength="35"/><br />
    Your E-Mail Address:<br />
    <input name="2-Sender's Email" type="text" size="35" maxlength="35"/><br />
    Subject:<br />
    <input name="3-Subject" type="text" size="50" maxlength="50"/><br />
    Your message:<br />
    <textarea name="4-Message" cols="35" rows="7" maxlength="255"></textarea>

This will prevent basic users from making some mistakes, perhaps. Now, this limits *this* HTML snip from submitting more than a certain amount of chars for some fields. But for the real troublemakers, you do not know where the form data came from, so... you use basic tools like JavaScript and HTML for limits, some syntax checking, and basic stuff like telling the user with JavaScript alerts things like "you forgot to enter first name!" -- and that's all good. But your script taking the user input MUST assume the data was sent from Hell by Satan Himself.

That takes us to part two .. accepting the data received...

    # you got this..
    foreach (sort keys %user_data) {
        print OUT substr($_, 1, 200), "\n";
        print OUT "$user_data{$_}\n";
    }

how about ...

    for (keys %user_data) {
        # basically just ripping some junk out of every submitted value
        $user_data{$_} =~ s/[<>|\/\&\(\)\;\`]/ /g;
    }
    # and then... whatever you want..
    foreach (sort keys %user_data) {
        print OUT substr($_, 1, 200), "\n";
        print OUT "$user_data{$_}\n";
    }

This is a loose hack, that's all; it just strips out some junk. Very basic, just an example to give you an idea. For some real world stuff, you should be predetermining every input variable that will be accepted, and what it will contain!! Use CGI::Validate - it's really nice. You can tweak the heck out of it, that is, tell it what exactly you want each data field to have or not have, and how much to freak out if what happens, like, if extra fields are submitted, ban the freaking IP and send a notice to the admin :) !
I had some pain in the ass integrating it, but it lets you do great things. If you want examples I can send you some, of passing stuff to it, whatever.

Be schizo about accepting form data. Be very, very afraid. Always expect Satan is on his period, sitting at a shell prompt pinging your a55, and he's not using a browser to submit form data. Be paranoid, and you will ultimately avoid a lot of *other* problems. By being secure, you avoid "mistakes". Security is not just about protecting from an attacker; it's also protecting against mistakes and innocent erroneous data :) .. enough of me. Good luck. Take a look at CGI::Validate.


In reply to Re: Some Loser is trying to spam MY script!?! What do I do? by leocharre
in thread Some Loser is trying to spam MY script!?! What do I do? by BubbaMonk
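As an added example (not code from the post above, and not CGI::Validate itself, which the post recommends): a plain-Perl whitelist validator for the comment form in the post. It does what the post argues for: every accepted field is predetermined, with a maximum length and a pattern its value must match, unknown fields are treated as a red flag, and a submission with any error is rejected outright rather than cleaned up. The field names come from the form in the post; the patterns, error messages and the two sample submissions are assumptions constructed for this example.

```perl
#!/usr/bin/perl
# Added example: whitelist validation of CGI form data.
# Not from the original post; does not use CGI::Validate.
use strict;
use warnings;

# Field names match the form in the post. Max lengths match its maxlength
# attributes; the patterns are assumptions for the example, tune them to
# what your script actually needs to accept.
my %SPEC = (
    "1-From"           => { max => 35,  re => qr/\A[\p{L} .'-]+\z/ },
    "2-Sender's Email" => { max => 35,  re => qr/\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/ },
    "3-Subject"        => { max => 50,  re => qr/\A[\p{L}\p{N} .,!?'-]+\z/ },
    "4-Message"        => { max => 255, re => qr/\A[\p{L}\p{N}\s.,!?'"()-]+\z/ },
);

# Takes a hashref of submitted field => value (what you would get from
# CGI->Vars or your own parser). Returns (\@errors, \%clean); any error
# means the whole submission is rejected.
sub validate_form {
    my ($data) = @_;
    my (@errors, %clean);

    # Extra fields never come from a browser submitting this form, so
    # they mean someone is sending data by hand or with a script.
    for my $field (sort keys %$data) {
        push @errors, "unexpected field '$field'" unless exists $SPEC{$field};
    }

    for my $field (sort keys %SPEC) {
        my $spec  = $SPEC{$field};
        my $value = $data->{$field};
        if (!defined $value || $value eq '') {
            push @errors, "missing field '$field'";
            next;
        }
        $value =~ s/\r\n?/\n/g;    # normalise line endings before checking
        if (length($value) > $spec->{max}) {
            push @errors, sprintf("field '%s' too long (%d > %d)",
                                  $field, length($value), $spec->{max});
            next;
        }
        if ($value !~ $spec->{re}) {
            push @errors, "field '$field' contains disallowed characters";
            next;
        }
        $clean{$field} = $value;
    }
    return (\@errors, \%clean);
}

# Constructed sample submissions: one a browser would send, and one a
# spam script would send (oversized, with markup, plus a field the form
# does not have).
my %good = (
    "1-From"           => "Bubba Monk",
    "2-Sender's Email" => "bubba\@example.com",
    "3-Subject"        => "Hello",
    "4-Message"        => "Just saying hi.",
);
my %bad = (
    %good,
    "4-Message" => "Buy now <a href=\"http://spam.example/\">here</a>\n" x 10,
    "extra"     => "not in the form",
);

for my $case ([good => \%good], [bad => \%bad]) {
    my ($name, $data) = @$case;
    my ($errors, $clean) = validate_form($data);
    if (@$errors) {
        print "$name: REJECTED\n", map { "  - $_\n" } @$errors;
    } else {
        print "$name: accepted ", scalar(keys %$clean), " fields\n";
    }
}
```

Only the fields in `%clean` should ever reach the file the script writes (the `print OUT` loop in the post); the original data hash is never written. Rejecting on any error, instead of stripping characters and continuing, is what turns the "loose hack" in the post into the predetermine-everything approach it recommends.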
