in reply to Re: Perl script calling in another Perl script
in thread Perl script calling in another Perl script

Hi

I actually have my email submission written in a Perl script. I hesitate to use it because I'm not sure if it is secure enough from people using the form for SPAM.

If you would like, and I would be greatly appreciative, you can look at my email code and let me know what you think about the security issue. I could use some guidance. I'm fairly new to Perl so I know there's a lot to learn.

I'm trying to be responsible with my coding so innocent people aren't hassled.

I only posted the code up to the email confirmations. The rest of the code is an HTML page for confirming the registration as well as the paying online subroutine.

Here's my code:
#!/usr/bin/perl -Tw
use strict;
use lib qw(/home/brmaster/www/);
use CGI qw(:standard escape escapeHTML);   # one import covers both of the earlier 'use CGI' lines
use CGI::Carp qw(fatalsToBrowser);
use Mail::Sendmail;

# Every field is read straight from the submitted form; nothing is validated here.
my ($player, $parent, $memberid, $phone, $email, $dates, $event, $street,
    $city, $state, $zip, $payment, $message);
$player   = param("player");
$parent   = param("parent");
$memberid = param("memberid");
$phone    = param("phone");
$email    = param("email");
$dates    = param("dates");
$event    = param("event");
$street   = param("street");
$city     = param("city");
$state    = param("state");
$zip      = param("zip");
$message  = param("message");
$payment  = param("payment");

print header, start_html, "\n";

my $choice = param("choice");
# The two mail-in payment options are grouped so that "Submit" is required for both
# (without the inner parentheses && binds tighter than ||, and the second option
# would be accepted for any value of $choice).
if (($choice eq "Submit")
    && (($payment eq "Please bill my Bridgemill account")
        || ($payment eq "Prefer to mail payment with this form"))) {
    send_confirmation_email();
    reg_form_info_page();      # defined further down in the full script (not posted here)
    send_submit_email();
} elsif (($choice eq "Submit") && ($payment eq "Pay online with credit card")) {
    send_confirmation_email();
    send_submit_email();
    paypal_page();             # defined further down in the full script (not posted here)
} else {
    print p("Logic error, unknown choice: $choice");
}

#@ SEND_CONFIRMATION_EMAIL
# Copy of the submitted data, sent to whatever address the visitor typed into the form.
sub send_confirmation_email {
    my %mail = (
        From    => "support\@bridgemilltennis.com",   # YOU SHOULD CHANGE THIS!
        To      => $email,                            # taken from the form
        Subject => "Registration for Power Tennis Summer Camp Submitted",
        Message => "",
    );
    my $page;
    $mail{Message} = <<EOF;
Thank you for registering for the BridgeMill Power Tennis Summer Camp.
This is the information you submitted.

Player's Name: $player
Parent's Name: $parent
Telephone: $phone
Email Address: $email
Camp Date(s): $dates
Event: $event
Street: $street
City: $city
State: $state
Zip Code: $zip
Method of Payment: $payment
Message: $message
EOF
    sendmail(%mail)
        or $page .= p(escapeHTML("Oops, failure sending mail to $mail{To}"));
    return (defined($page) ? $page : "");
}
#@ SEND_CONFIRMATION_EMAIL

#@ SEND_SUBMIT_EMAIL
# Notification to the site; the From: header is set to the address the visitor typed in.
sub send_submit_email {
    my %mail = (
        From    => $email,                            # taken from the form
        To      => "support\@bridgemilltennis.com",   # YOU SHOULD CHANGE THIS!
        Subject => "Power Tennis Summer Camp Registration Submitted",
        Message => "",
    );
    my $page;
    $mail{Message} = <<EOF;
The following player, $player, has submitted the Power Tennis Summer Camp registration form.

Player's Name: $player
Parent's Name: $parent
Telephone: $phone
Email Address: $email
Camp Date(s): $dates
Event: $event
Street: $street
City: $city
State: $state
Zip Code: $zip
Method of Payment: $payment
Message: $message
EOF
    sendmail(%mail)
        or $page .= p(escapeHTML("Oops, failure sending mail to $mail{To}"));
    return (defined($page) ? $page : "");
}
#@ SEND_SUBMIT_EMAIL

Re^3: Perl script calling in another Perl script
by beachbum (Beadle) on Feb 15, 2006 at 17:00 UTC

    Using an email module like NET::SMTP or your example above can provide a more secure solution for you.

    If your primary concern is to prevent spam:

  • Don't have an SMTP server running unless you are hosting your own and know what you're doing.
  • Hard-code the email addresses (to address and from address) in your script rather than allowing user-controlled inputs. This way, even if someone does abuse the script, they won't be able to specify where the email is going.
  • Make sure that the only interface to your mailer is a web page. Worst case, if some script kiddie is spamming your box with mail, you have the web logs and can have his ISP turn off the account.
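An added example (not the original poster's script and not from beachbum's reply) showing the second and third points above applied to the "submit" notification: both addresses are fixed in the script, the visitor's address is only ever used as Reply-To, and every value that goes into a mail header is rejected if it contains a line break, since a CR/LF in a form field is what lets a spammer append their own "Bcc:" header. The addresses, field set and the two sample submissions are constructed for the demonstration; only the %mail hash shape is the one Mail::Sendmail's sendmail() takes.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script: the "submit" notification
# rebuilt so that neither end of the mail is chosen by the visitor and every
# value that lands in a header is checked for header injection first.
use strict;
use warnings;

# Hypothetical site addresses (an assumption for the example). Both ends are
# fixed in the script, so abusing the form cannot redirect the mail.
my $SITE_FROM = 'registration@example.invalid';
my $SITE_TO   = 'support@example.invalid';

# A header value must be one line. CR, LF or NUL would let a visitor append
# headers such as "Bcc:" to the message. Reject instead of stripping, so the
# attempt shows up in the error log rather than being silently repaired.
sub header_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\r\n\0]/;
    return 0 if length($value) > 200;
    return 1;
}

# Deliberately strict address check for the parent's reply address:
# one local part, one dotted domain, no whitespace or angle brackets.
sub valid_email {
    my ($addr) = @_;
    return 0 unless header_safe($addr);
    return $addr =~ /^[A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Build the %mail hash in the shape Mail::Sendmail's sendmail() takes.
# Returns (\%mail, undef) on success, or (undef, $reason) if any field is
# rejected. The visitor's address only ever appears as Reply-To.
sub build_submit_mail {
    my ($form) = @_;
    my @header_fields = qw(player parent phone dates event street city state zip payment);

    return (undef, "invalid email address") unless valid_email($form->{email});
    for my $f (@header_fields) {
        return (undef, "bad value in $f") unless header_safe($form->{$f});
    }

    # The free-text message may contain newlines; it is only ever placed in
    # the body, never in a header, so it is length-capped rather than line-checked.
    my $msg = defined $form->{message} ? substr($form->{message}, 0, 2000) : "";

    my $body = join "\n",
        "The following player, $form->{player}, has submitted the registration form.",
        "",
        (map { "$_: $form->{$_}" } "email", @header_fields),
        "Message: $msg";

    my %mail = (
        From       => $SITE_FROM,        # fixed, not the visitor's address
        To         => $SITE_TO,          # fixed
        'Reply-To' => $form->{email},    # validated above, one line only
        Subject    => 'Power Tennis Summer Camp Registration Submitted',
        Message    => $body,
    );
    return (\%mail, undef);
}

# --- Demonstration on constructed input (not real submissions) ---
my %good = (
    player => 'Pat Example', parent => 'Chris Example', phone => '555-0100',
    email  => 'parent@example.invalid', dates => 'June 5-9', event => 'Junior camp',
    street => '1 Main St', city => 'Springfield', state => 'GA', zip => '30000',
    payment => 'Prefer to mail payment with this form', message => "See you there!\nThanks.",
);
# Same form, but the email field carries a CRLF and an extra Bcc header.
my %attack = (%good, email => "parent\@example.invalid\r\nBcc: everyone\@example.invalid");

for my $form (\%good, \%attack) {
    my ($mail, $err) = build_submit_mail($form);
    if ($err) {
        warn "registration form rejected: $err\n";   # lands in the web server's error log
        next;
    }
    print "ok: From=$mail->{From} To=$mail->{To} Reply-To=$mail->{'Reply-To'}\n";
    # In the CGI this is where the mail would actually be sent:
    #   require Mail::Sendmail; Mail::Sendmail::sendmail(%$mail) or warn $Mail::Sendmail::error;
}
```

The first submission builds a message and the second is refused before anything is sent. The confirmation copy that goes back to the visitor cannot have its To: hard-coded, so that address has to pass the same valid_email check, and the rejection goes through warn so that, as the third point above says, the log is what you hand to the abuser's ISP.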