[swx] simple mail w/ swx

Aidann Bowley aidann at ukgateway.net
Thu Dec 20 09:42:58 PST 2007


You might also want to add some code to guard against things like email 
injection attacks too.

http://www.securephpwiki.com/index.php/Email_Injection

Aidann

----- Original Message ----- 
From: "Aral Balkan" <aral at aralbalkan.com>
To: "SWX Mailing List" <swx at osflash.org>
Sent: Thursday, December 20, 2007 4:07 PM
Subject: Re: [swx] simple mail w/ swx


Yep, so this was what I was afraid of :)

This will open your server to abuse by anyone who knows your gateway (anyone
can send any email, pretending to be anyone else).

Off the top of my head, things you can do:

Hard code the sender_email to the one that you want for the application.

Beyond that, if you know the type of messages you're going to send out, you
could keep those on the server.

Perhaps one thing that can be done is to have SWX make the _url of the SWF
available to services so they can limit by calling URL. This can be spoofed
but would be one additional step to make it more difficult for the casual
hacker.

Other thoughts?

Aral

On Dec 20, 2007 3:55 PM, Corban Baxter <corbanb at gmail.com> wrote:

> Sure, that would be great. Here is what he put together quickly for me last
> night...
>
>
> ////////////// START PHP
>
> <?php
> /**
>  * Simple mail
>  *
>  * @author Rob Edgell < rob at myedgenet.com>
>  * @version 1.0
>  */
>
> class swxSimpleMail {
>
>     /**
>      * Take input fields and mail them. Returns an error if email is not valid
>      *
>      * @param string $fname
>      * @param string $lname
>      * @param string $phone_num
>      * @param string $comments
>      * @param string $user_email
>      * @param string $sender_email Who you want the email to be from
>      *
>      * @return mixed
>      **/
>     public function sendMail($fname, $lname, $phone_num, $comments, $user_email, $sender_email) {
>         if ($this->_validateEmail($user_email) == false) {
>             return -1;
>         }
>
>         $body="<b>First Name: </b>".$fname."<br />"
>              ."<b>Last Name: </b>".$lname."<br />"
>              ."<b>Email Address: </b>".$user_email."<br />"
>              ."<b>Phone Number: </b>".$phone_num."<br />"
>              ."<b>Comments: </b><br />".$comments."<br />";
>
>         // Header lines must be separated by CRLF
>         $headers = "From: ".$sender_email."\r\n";
>         $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
>         $headers .= "MIME-Version: 1.0";
>
>         mail($sender_email, "Contact form message", $body, $headers);
>
>         return 1;
>
>     }
>
>     private function _validateEmail($email) {
>         $pattern = '/^(([^\\.,;:\s@\"<>()[\]]+(\.[^\\.,;:\s@\"<>()[\]]+)*)|(\".+\"))@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})$/i';
>
>
>         if ( ! preg_match($pattern, $email) ) {
>             return false;
>         }
>
>         return true;
>     }
> }
>
> ?>
>
> ////////////////////// END PHP
>
> I would have never thought about the ability for others to use it for spam
> purposes. Thanks for the help guys!
>
>
>
>
> On Dec 20, 2007 9:23 AM, Aral Balkan <aral at aralbalkan.com> wrote:
>
> > Hi Corban,
> >
> > The only thing to keep in mind is to have security checks in place so
> > that your server doesn't get used as a spam hub. If you don't mind sharing
> > the code, we can all take a look at it and see if there are any security
> > issues to deal with.
> >
> > Take care,
> > Aral
> >
> > On Dec 20, 2007 3:19 PM, Corban Baxter <corbanb at gmail.com > wrote:
> >
> > > I got a good friend of mine to help me last night create one, if anyone
> > > else is interested I can pass it along.
> > >
> > >
> > > On Dec 19, 2007 7:56 PM, Stefan Dosch < sd at liquidlounge.de > wrote:
> > >
> > > > Email Validation:
> > > >
> > > > Returns true if email address is valid or false if email address is
> > > > invalid.
> > > > This not only checks for correct syntax, but also tests if the domain
> > > > is registered, so somepeep at jasdklaklsdfsdfsd.com would return false
> > > > although syntax is correct, but the domain would not respond to
> > > > getmxrr().
> > > >
> > > >        function validate_email($email)
> > > >        {
> > > >           // preg_match()/explode() replace eregi()/split(), which were removed in PHP 7
> > > >           $regexp = '/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i';
> > > >           $valid = false;
> > > >           if (preg_match($regexp, $email))
> > > >           {
> > > >                  list($username,$domaintld) = explode("@",$email);
> > > >                  // only accept the address if the domain publishes MX records
> > > >                  if (getmxrr($domaintld,$mxrecords))
> > > >                         $valid = true;
> > > >           } else {
> > > >                  $valid = false;
> > > >           }
> > > >           return $valid;
> > > >        }
> > > >
> > > > htht
> > > > Stefan
> > > >
> > > >
> > > > --
> > > > Liquidlounge
> > > > Stefan Dosch
> > > > Perlschneiderstrasse 34
> > > > 81241 München
> > > >
> > > > tel: +49 89 55274994
> > > > fax: +49 89 55274993
> > > > mobil: +49 160 90554762
> > > > mailto: sd at liquidlounge.de
> > > > http://www.liquidlounge.de
> > > >
> > > >
> > > >
> > > > On 19.12.2007 at 20:57, Corban Baxter wrote:
> > > >
> > > > > Hey guys has anyone created a simple send email service for SWX? I'm
> > > > > no PHP programmer and I was wanting to use SWX for my email forms.
> > > > > Just sending like first name, last name, email, phone, comments,
> > > > > etc. I really want to use it to like return errors of bad emails or
> > > > > something. Does anyone have a service like this they might share
> > > > > with me?!?! Please! ;)
> > > > >
> > > > > --
> > > > > -cb
> > > > > _______________________________________________
> > > > > swx mailing list
> > > > > swx at osflash.org
> > > > > http://osflash.org/mailman/listinfo/swx_osflash.org
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Corban Baxter
> > > http://www.projectx4.com
> > >
> > >
> > >
> >
> >
> >
>
>
> --
> Corban Baxter
> http://www.projectx4.com
>
>
>
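
The checks suggested in this thread (a hard-coded sender and recipient, and refusing input that could inject mail headers), sketched as an added example that is not part of the original posts or of SWX. The addresses, constant names and the function name `buildContactMail` are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. Addresses are placeholders.
const MAIL_TO   = 'contact@example.com';  // fixed recipient, never caller-supplied
const MAIL_FROM = 'webform@example.com';  // fixed sender, hard-coded on the server

// Validate the form fields and build the four arguments for mail().
// Throws InvalidArgumentException if the address could alter the headers.
function buildContactMail(array $in): array
{
    $f = [];
    foreach (['fname', 'lname', 'phone_num', 'comments', 'user_email'] as $key) {
        $f[$key] = trim((string)($in[$key] ?? ''));
    }

    // A CR or LF in a header value lets the caller append headers of their own
    // (Bcc:, Subject:, a second body), so refuse it before any other check.
    if (preg_match('/[\r\n]/', $f['user_email'])
        || filter_var($f['user_email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }

    // The body is sent as HTML, so every user-supplied field is escaped.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $body = '<b>First Name: </b>' . $esc($f['fname']) . '<br />'
          . '<b>Last Name: </b>' . $esc($f['lname']) . '<br />'
          . '<b>Email Address: </b>' . $esc($f['user_email']) . '<br />'
          . '<b>Phone Number: </b>' . $esc($f['phone_num']) . '<br />'
          . '<b>Comments: </b><br />' . nl2br($esc($f['comments'])) . '<br />';

    $headers = implode("\r\n", [
        'From: ' . MAIL_FROM,
        'Reply-To: ' . $f['user_email'],   // only reached after validation
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=UTF-8',
    ]);
    return [MAIL_TO, 'Contact form message', $body, $headers];
}
// Constructed inputs: a normal submission and one with a line break in the address.
$ok  = ['fname' => 'Ann', 'lname' => 'Lee', 'phone_num' => '555-0100',
        'comments' => "Hello\n<b>there</b>", 'user_email' => 'ann@example.org'];
$bad = ['user_email' => "ann@example.org\r\nBcc: someone@example.net"] + $ok;
foreach ([$ok, $bad] as $in) {
    try {
        [$to, $subject, $body, $headers] = buildContactMail($in);
        echo "accepted, would call mail() with To: $to\n$headers\n\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```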







