tell a friend script hole


Simple tell a friend script.

Field for To email address and field for From email address which sends
a preconfigured message.

   Obviously there's a security hole in there in that this can be used
by anyone (i.e. SPAMMERS) to send a crude SPAM.

   How to make this more secure without removing the reason for such a


Re: tell a friend script hole


Search this group's archive for a post by me on the subject, or search
Google for "php mail injection".  You will find many articles on the
subject which discuss methods to make the form more secure.

Karl Groves

Accessibility Discussion List:

Re: tell a friend script hole


I use a tell a friend script... basically what I do is:

1) I have a table in my database called TAF.  When somebody uses the "Tell A
Friend" script on the site I check the TAF table:
    Has this recipient received a TAF email from us in the last 2 weeks?
    If YES then return a message "They've already been told about our
    If NO then record the information in the TAF table (TO Address, FROM
Address, Message, Sender's Name, IP Address, Today's Date) and then send the
TAF email to the TO Address and a copy to the FROM Address.

2) The above also records the IP address of the sender.  When somebody sends
a TAF email I also do a COUNT for their IP address for the past 7 and 30
days.  The system will allow them to send 7 TAF emails in the past 7 days...
but no more than 20 in the past 30 days.
    If they try to send more than the above limits they receive the same
message as they would if the message was allowed by the system, but then the
TAF email is held pending approval - if they are legitimate "tell a friends"
I want to be able to let them through.

Re: tell a friend script hole

Auggie wrote:

Holy Cats!

Seems like a lot of work but I'm sure that it will work!

  I've been reading up on email injection (adding content in the email header).

I've added filters on the textfields (no textareas) that look like this
in perl:

# $test is all the submitted fields appended.

$test = lc($test);   # lower-case once; the patterns below assume lower case

if($test=~/content-type/){exit 0;}
if($test=~/charset=/){exit 0;}
if($test=~/multipart/){exit 0;}
if($test=~/cc:/){exit 0;} # also gets bcc
if($test=~/to:/){exit 0;}
if($test=~/from:/){exit 0;}
if($test=~/[\r\n]/){exit 0;} # any line break (CR or LF) means an injected header

my $length=length($test);
if($length > 300){exit 0;}

# The %ENV hash key was lost from the original post; these two checks reject a
# missing or placeholder ('-') value of that CGI environment variable.
unless($ENV){exit 0;}
if($ENV eq '-'){exit 0;}

  All that might really be needed is the linefeed check as the hijack
attempts are all multiline and probably all email injection.

   I'll see how that works, if it doesn't then I guess I'll be counting
IPs and storing fields like you do.
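The filter above works by blocklisting header words. As an added example (not code from this thread; written in Python rather than the poster's Perl), the following shows the defensive pattern the thread converges on: reject any line break in a form field, then only accept a field that is exactly one plain address, and hand the headers to a mail library instead of pasting strings into a header block. The `unsafe_headers` function is a constructed illustration of the vulnerable pattern; `injected_header_names` only parses the result to show what an MTA would see. All addresses are constructed sample values.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# One plain address: local part, "@", dotted domain. No spaces, no display
# names, no comma lists, and (because the whole field must match) no newlines.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class HeaderInjection(ValueError):
    """Raised when a form field cannot safely be placed in a mail header."""


def validate_address(field):
    """Return the address if `field` is exactly one plain address, else raise."""
    # A bare CR is enough for some mail agents to start a new header line,
    # so check for both CR and LF (and NUL) before anything else.
    if any(c in field for c in "\r\n\x00"):
        raise HeaderInjection("line break or NUL in address field")
    addr = field.strip()
    if len(addr) > 254 or not ADDR_RE.fullmatch(addr):
        raise HeaderInjection("not a single plain address: %r" % field)
    return addr


def unsafe_headers(to_field, from_field):
    """The vulnerable pattern: form fields pasted straight into the header block."""
    return ("To: %s\r\nFrom: %s\r\nSubject: Tell a friend\r\n\r\nbody\r\n"
            % (to_field, from_field))


def injected_header_names(raw):
    """Header names a mail agent would see in a raw message (shows the problem)."""
    return sorted(k.lower() for k in Parser().parsestr(raw).keys())


def build_taf_message(to_field, from_field, site_from, body):
    """Safe pattern: validate each field, then let EmailMessage own the headers."""
    to_addr = validate_address(to_field)
    reply_to = validate_address(from_field)
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = site_from      # the site's own address; the visitor's goes in Reply-To
    msg["Reply-To"] = reply_to
    msg["Subject"] = "A friend thought you'd like this page"
    msg.set_content(body)        # preconfigured text; the visitor cannot edit it
    return msg
```

The whitelist check is doing the real work: a field that matches `ADDR_RE` cannot contain `Bcc:`, a second address, or a MIME boundary, so the per-word blocklist becomes unnecessary. `EmailMessage` with its default policy also refuses header values containing CR or LF, which gives a second line of defence if a field ever bypasses validation.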



Re: tell a friend script hole


I don't think too much work...

when your script is activated you have your script section that gets run...
something like this (in pseudo pseudocode)

if TAF form postback then
    open TAF table in DB, SELECT * where TOaddress='<form to address>' and
date>'2 weeks ago'
        if end of file (no rows found) then
            Call   send TAF email subroutine
            write data to database
        else
            error: that person has been told in the past 2 weeks.
        end if
end if

That covers the first part.  To add the IP tracking you would change the
"send TAF email" subroutine where you check how much activity the IP address
has had in the past X days period that you feel comfortable with.
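The recipient check in this post and the IP limits from the earlier post (7 in 7 days, 20 in 30 days, held for approval beyond that) fit together in one small piece of logic. As an added example that is not code from either poster, here is that policy written in Python against an in-memory SQLite table standing in for the TAF table; the table name, column names and the `decide` function are assumptions made for the example, and the addresses and IPs are constructed sample values.

```python
import sqlite3
from datetime import datetime, timedelta

# Policy from the thread: one TAF mail per recipient per 2 weeks, and per
# sending IP at most 7 mails in 7 days and 20 in 30 days before holding.
RECIPIENT_WINDOW = timedelta(days=14)
IP_LIMITS = ((timedelta(days=7), 7), (timedelta(days=30), 20))


class TafLog:
    """In-memory stand-in for the TAF table (constructed for this example)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE taf (to_addr TEXT, from_addr TEXT, sender_name TEXT,"
            " ip TEXT, sent_at TEXT, status TEXT)"
        )

    def recipient_told_since(self, to_addr, since):
        """True if a TAF mail was actually sent to this recipient since `since`."""
        (n,) = self.db.execute(
            "SELECT COUNT(*) FROM taf WHERE to_addr = ? AND status = 'sent'"
            " AND sent_at >= ?",
            (to_addr.strip().lower(), since.isoformat()),
        ).fetchone()
        return n > 0

    def ip_count_since(self, ip, since):
        """Number of TAF submissions (sent or held) from this IP since `since`."""
        (n,) = self.db.execute(
            "SELECT COUNT(*) FROM taf WHERE ip = ? AND sent_at >= ?",
            (ip, since.isoformat()),
        ).fetchone()
        return n

    def decide(self, to_addr, from_addr, sender_name, ip, now):
        """Apply the policy and record the submission.

        Returns 'already_told', 'sent' or 'held'. The caller shows the visitor
        the same success message for 'sent' and 'held', as the thread describes;
        only 'sent' actually goes out, 'held' waits for manual approval.
        """
        if self.recipient_told_since(to_addr, now - RECIPIENT_WINDOW):
            return "already_told"
        status = "sent"
        for window, limit in IP_LIMITS:
            if self.ip_count_since(ip, now - window) >= limit:
                status = "held"
                break
        # ISO-8601 timestamps compare correctly as text, which the queries rely on.
        self.db.execute(
            "INSERT INTO taf VALUES (?, ?, ?, ?, ?, ?)",
            (to_addr.strip().lower(), from_addr, sender_name, ip,
             now.isoformat(), status),
        )
        self.db.commit()
        return status
```

Held submissions are still counted against the IP, so once a sender hits a limit everything further from that address queues for review rather than slipping through after the window rolls; the recipient check only counts mails that were really sent, so a held message does not lock a recipient out for two weeks.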
