[thelist] Email header injection

Kasimir K evolt at kasimir-k.fi
Fri Nov 11 16:45:29 CST 2005

Noah St. Amand wrote on 2005-11-11 17:40:
> 1. setting a hidden variable in the form, 

How about creating a unique id each time the form is requested, saving
that id in a db and putting it also in the form in a hidden field. When
a POST request is received the value of the hidden field must be found
in the db or the script exits.

As the bot only makes the submitting request it can't have a correct 
value for the hidden field, however clever it is.

Even for forms that don't put any user input in the mail message's 
headers, this approach would save the annoyance of receiving the attempts.
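The scheme above, as an added example that is not part of the original post: a token is minted and recorded when the form is served, and a POST is accepted only if it presents an unexpired token that was issued and has not already been consumed. The in-memory dict stands in for the database the post mentions, and the CR/LF check on header-bound fields is an assumed addition for the header-injection case this thread is about.

```python
import secrets
import time
from typing import Optional

# Stand-in for the db in the post (assumption: a real deployment would use a
# shared store so every web node sees the same set of issued tokens).
_issued_tokens: dict = {}
TOKEN_TTL_SECONDS = 3600


def issue_form_token(now: Optional[float] = None) -> str:
    """Called when the form is requested: mint an unguessable id and record it."""
    token = secrets.token_urlsafe(32)
    issued_at = now if now is not None else time.time()
    _issued_tokens[token] = issued_at + TOKEN_TTL_SECONDS
    return token


def consume_form_token(token: Optional[str], now: Optional[float] = None) -> bool:
    """Called on POST: accept only a token we issued, unexpired, and only once."""
    if not token:
        return False
    expires_at = _issued_tokens.pop(token, None)  # pop() makes the token single use
    if expires_at is None:
        return False
    current = now if now is not None else time.time()
    return current <= expires_at


def contains_header_injection(value: str) -> bool:
    """A CR or LF in a value that lands in a mail header lets extra headers be added."""
    return "\r" in value or "\n" in value


def handle_post(form: dict) -> tuple:
    """Validate a submitted form; returns (accepted, reason). Hypothetical field names."""
    if not consume_form_token(form.get("form_token")):
        return False, "unknown, expired or reused form token"
    for field in ("from", "subject"):
        if contains_header_injection(form.get(field, "")):
            return False, "newline in header field %r" % field
    return True, "ok"
```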
