in reply to Perl script to send form data via email

Sorry, but your script has hideous security holes and will be easily subverted to send spam.

Please use a form mailer script like the NMS Formmail Script, which has been vetted.

Why are you using CGI and still doing manual parameter decoding in your parse_form_data subroutine? Simply use CGI::param() instead.

Your handling of form parameters opens up lots of backdoors to send spam, because it is very easy to embed newline characters (or other characters relevant to the protocol how sendmail expects it) into for example the $from variable. This is a large security hole that will likely put your machine onto a mail blacklist within a few days. To fix that, you need to verify that all your input data is as you expect it to be, especially that your $from email address does only contain the characters you expect. Possibly, only allowing /[-+\@.\w]+/ would be a crude yet effective filter.

Your copy-and-paste of the source code used weird "matching" quotes that Perl 5 does not understand.

Replies are listed 'Best First'.
Re^2: Perl script to send form data via email
by gugubanana (Acolyte) on Jun 24, 2008 at 11:29 UTC
    Thanks Corion, for your feedback. i understand where i am going wrong so i am going to be making the necessary changes to make this secure. thanks again! ps: i will try to remove this post so that other do not use it
[reply]

      I don't think it should be removed, and have approved it, because I think that learning what *not* to do is highly important. I suggest adding an informative description above your code, and when you have a fixed solution, add it to this post as well (Although, in hindsight, this should've been in Seekers rather than in CUFP...)

      Stop saying 'script'. Stop saying 'line-noise'.
      We have nothing to lose but our metaphors.

[reply]

In Section Cool Uses for Perl