in reply to Re: Sending a mail with Perl, nah.. the same and same question...
in thread Sending a mail with Perl, nah.. the same and same question...

Originally the input was handled by a javascript.

This is only the serverside form.


Re^3: Sending a mail with Perl, nah.. the same and same question...
by MidLifeXis (Monsignor) on Mar 29, 2012 at 12:25 UTC

    To reinforce what has been said by Corion and marto: never, ever trust input from the client. Validation done on the client side is only to optimize the input loop by reducing the number of round trips needed to the server.

    Assume that your client can (and will if you are really paranoid) put anything on the wire that they wish. I have had to fight the attitude that 'we are not dealing with smart hackers here' when doing code audits (previous life), and was constantly amazed at the lack of concern shown toward basic application security.

    --MidLifeXis

      I don`t need a tutorial, just a simple guideline, that was sufficient, I`ll keep in the security direction from now on and stress on serverside instead of js. Thank you all for being verbose here.

        Do not misapply what I was saying. Security is a mindset, not just a bolt-on solution. It is not just a matter of doing validation on the server-side. It is a matter of trust, good programming practices, knowing what code you are running, and a plethora of other things.

        --MidLifeXis

Re^3: Sending a mail with Perl, nah.. the same and same question...
by Corion (Patriarch) on Mar 29, 2012 at 11:10 UTC

    A spammer will not run Javascript but talk directly to your mail sending script. The most important checks are the checks run on the server. You should really consider using the premade formmail script instead of rolling your own. Client-side validation will break as soon as somebody has Javascript disabled (like me) or does not even use a browser to send data (like a spammer).

Re^3: Sending a mail with Perl, nah.. the same and same question...
by marto (Cardinal) on Mar 29, 2012 at 11:08 UTC

    So what's to stop someone writing a script to submit data to this server side script, bypassing your JavaScript?

      Can you give some examples of malicious scripts? And how to check for or block them?
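As an added illustration of the checks Corion and MidLifeXis describe (not code from anyone in this thread): a server-side validator for a Perl contact-form script that applies the same rules whether or not the browser ran any JavaScript. The field names, limits and patterns are assumptions, as is the use of the CGI module.

```perl
#!/usr/bin/perl
# Added example, not code from this thread: server-side validation for a
# contact-form mail script. It runs whether or not the browser ran any
# JavaScript, because the client may put anything on the wire.
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# Whitelist of accepted fields (names, limits and patterns are assumptions);
# anything else the client sends is ignored.
my %rules = (
    name    => { max => 100,  pattern => qr/^[\p{L}\p{M} .'-]+$/ },
    email   => { max => 254,  pattern => qr/^[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ },
    message => { max => 4000, pattern => qr/^[^\x00]+$/s },
);

# Returns a list of error strings; an empty list means the input is acceptable.
sub validate {
    my ($params) = @_;    # hashref of field => submitted value
    my @errors;
    for my $field (sort keys %rules) {
        my $value = defined $params->{$field} ? $params->{$field} : '';
        # name and email end up in mail headers, and a header is one line,
        # so a CR or LF in them is never legitimate input.
        if ($field ne 'message' && $value =~ /[\r\n]/) {
            push @errors, "$field: line breaks not allowed";
            next;
        }
        if (length($value) > $rules{$field}{max}) {
            push @errors, "$field: too long";
            next;
        }
        if ($value !~ $rules{$field}{pattern}) {
            push @errors, "$field: missing or invalid";
        }
    }
    return @errors;
}

my %input  = map { $_ => scalar $q->param($_) } keys %rules;
my @errors = validate(\%input);
if (@errors) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Rejected:\n", map { "  $_\n" } @errors;
    exit;
}
# Only validated fields reach the mail-sending code (not shown here).
print $q->header(-type => 'text/plain'), "ok\n";
```

Unknown fields are dropped rather than forwarded, so a submission crafted without the form's JavaScript still meets exactly the same rules as one that used it.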