
I recently started collecting email addresses just for this purpose... but I know that lots of folks at TCH use the script and grabbed their code before I collected emails.

 

This info is important and I have no way of contacting you other than to post it here.

 

What will soon follow is a post in my support forums.

 

I also want to let you know that some major changes have gone on and we're now on version 2.4 with lots of bells and whistles, upgrades to error reporting and stability.

 

But another major change is that the code is now no longer transparent as I encode the main engine. If that's not to your liking, stick with the version you have. But I think you should still make the change outlined in this post below.

 

Here it is:

 

 

//////////////////////////

 

 

 

In the past, some users have reported that the extra security precaution,

 

>$set['referer_check'] = '1';

Was preventing them from completing the form, even though they were coming from the same site. In other words, it was giving a false negative.

 

Initially, I thought that the problem was with different versions of PHP, server installations, or possibly the operating system of the server.

 

I did some thorough research and found out that the server variable $_SERVER['HTTP_REFERER'] is not reliable. It's not a fault in the php language but rather a variable that is set by the browser, and therefore can be missing, or faked.

 

Some settings on firewalls can mess with it too.

 

What this means for you

 

In order to make sure that all users can access and use your form, you should immediately turn the referer check to the off position by changing

 

>$set['referer_check'] = '1';

to

>$set['referer_check'] = '0';

 

"But is this unsafe?"

 

Short answer: no

 

Long answer:

Spammers want only one of two things,

1- to harvest emails automatically through easy means

2- to hijack your form and send out spam through your website so you get blamed

 

(Number two is the holy grail of spammers.)

 

Your email address is hardcoded into the php script and so a spam harvesting 'bot' can't find it. If you have a catchall email address set up then it's easy to send you a spam email, but that's totally unrelated to the script. That's just how you choose to set up your hosting account.

 

The more important issue is the spammer's goal of hijacking your form and sending spam through your site. When you break the script down to its simplest component, it basically does this when triggered:

 

Send a preformatted email to this predetermined email address

 

See, since the recipient isn't defined in the posted data but rather is hardcoded into the php script, there is no danger of hijacking (that I know of).

 

What's the worst that could happen without the referer check?

 

To the best of my knowledge, the worst that could happen is that someone writes a script to send a flood of emails to your account and the emails go to you.

 

In order for this to happen, someone would have to

  • know how to write such a script
  • choose you out of all the sites on the web
  • be content with sending all those emails to just you... not a list of spam recipients

In other words, have time on their hands to annoy you.

 

What if I'm still concerned about this?

 

Well, I've created a solution. Two actually.

 

The free solution is in the form of a time sensitive code that is generated at runtime on your site. You have the flexibility to determine how long you want to give visitors who are filling out your form.

 

Could someone still write a script, go to your site, grab the latest key, and send the info to your form, before the time limit expired?

 

Yes.

 

But it makes them jump through another hoop.

 

And all that work for no other payoff than to send YOU an email???? I don't see it happening.

 

....

 

(excess deleted)

Edited by TCH-Jack
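Added example (not the form mailer script's own code, and not the author's implementation of his time-sensitive code): a PHP sketch of why the referer check above rejects legitimate visitors, next to one way to build a time-limited form token. The referer helper only reproduces what a check on $_SERVER['HTTP_REFERER'] can see; the token uses an HMAC over the issue time so a visitor gets a configurable window to submit. The constant names FORM_SECRET and FORM_TTL, the function names, the secret value and the sample timestamps are all assumptions made for this example.

```php
<?php
// Example code added to this thread, not from the original script.
// Server-side secret, kept in the script just like the hardcoded
// recipient address (placeholder value, replace with a long random string).
const FORM_SECRET = 'replace-with-a-long-random-secret';

// Seconds a visitor gets to fill in the form (assumed setting name).
const FORM_TTL = 900;

// What the old referer check could see: the header is optional and is
// supplied by the browser (or stripped/rewritten by a firewall), so a
// missing header rejects a real visitor, while a forged one passes.
function referer_matches(array $server, string $host): bool {
    if (empty($server['HTTP_REFERER'])) {
        return false; // header absent: the false negative users reported
    }
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    return is_string($refHost) && strcasecmp($refHost, $host) === 0;
}

// Issue a token when the form page is rendered: "<issued_at>.<hmac>".
// $now is injectable so the checks below can use constructed times.
function issue_token(?int $now = null): string {
    $now = $now ?? time();
    $mac = hash_hmac('sha256', (string)$now, FORM_SECRET);
    return $now . '.' . $mac;
}

// Verify on submit: well-formed, MAC valid, and not older than FORM_TTL.
function verify_token(string $token, ?int $now = null): bool {
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, FORM_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;
    }
    $age = $now - (int)$issued;
    return $age >= 0 && $age <= FORM_TTL;
}

// In the form page:
//   <input type="hidden" name="form_token"
//          value="<?= htmlspecialchars(issue_token()) ?>">
// In the handler, before sending to the hardcoded recipient:
//   if (!verify_token($_POST['form_token'] ?? '')) {
//       exit('This form has expired, please reload the page.');
//   }

// Self-check with constructed timestamps.
$token = issue_token(1000);
echo 'fresh token:   ', verify_token($token, 1500) ? "accepted" : "rejected", "\n";
echo 'expired token: ', verify_token($token, 2000) ? "accepted" : "rejected", "\n";
echo 'tampered MAC:  ', verify_token('1000.deadbeef', 1500) ? "accepted" : "rejected", "\n";
echo 'no referer:    ', referer_matches([], 'example.com') ? "accepted" : "rejected", "\n";
```

As the post says, this only raises the bar: a script can still load the page, read the current token and submit within the window, so the token limits how long a grabbed value stays usable rather than preventing automated submissions outright. The recipient staying hardcoded in the script is what keeps the form from being turned into an open relay.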
Posted

And I've beefed up the documentation on the latest version of the code with a line by line (almost) explanation of what the different variables do.

 

http://www.surefirewebdesign.com/scripts/docs/

 

And for those TCH members that currently run the script but forgot where to get the code, I'll direct you to the TCH help page:

 

http://www.totalchoicehosting.com/help/id65.htm
