[ciapug] Re: ciapug Digest, Vol 8, Issue 6

parksmike at dwx.com parksmike at dwx.com
Tue Dec 13 15:20:13 CST 2005


I've been working on this class file to send email and do some intrusion detection. I allow a Bcc or CC that is programmed in. Most of the time I have it commented out. I have an outside function that checks the address format and does an MX lookup to verify the domain. I will be moving it into this function in the future.
<?php
	class Email{
		public $FromMail = '', $ToMail = '', $CcMail = '', $BcMail = '', $Subject = '', $Message = '';

		function SendMail(){
			$boundary = "b".md5(uniqid(time()));  // not used yet; reserved for a multipart body
			$Message = stripslashes($this->Message);

			// Check the caller-supplied fields before they become headers. The original
			// scanned the finished $headers string too, which always matched the "Cc:"
			// line added just above it. A CR/LF inside a field is the real injection
			// vector (it starts a new header line), so it is treated like an injected "cc:".
			$fields = array($this->FromMail, $this->ToMail, $this->Subject, $this->CcMail, $this->BcMail);
			foreach($fields as $value){
				if (stristr((string)$value,"cc:") || preg_match("/[\r\n]/", (string)$value)) {
					$alert = <<<EOD
<h2><font color="red">Intrusion detection!</font></h2>
<p>Possible intrusion script detected. The following IP address<br> was detected sending invalid responses to this email script. <br><strong>{$_SERVER['REMOTE_ADDR']}</strong> has been recorded for tracking.</p>
EOD;
					print $alert;
					error_log("Intrusion detected on <DOMAIN> IP Address:" . $_SERVER['REMOTE_ADDR'],1,"email@domain.com");
					exit();
				}
			}

			// Only build the header block once every field has passed the check above.
			$headers  = "From: ".$this->FromMail."\n";
			if ($this->CcMail != '') $headers .= "Cc: ".$this->CcMail."\n";   // programmed in, usually left empty
			if ($this->BcMail != '') $headers .= "Bcc: ".$this->BcMail."\n";
			$headers .= "Return-Path: ".$this->FromMail."\n";
			$headers .= "X-Rcpt-To: ".$this->FromMail."\n";
			$headers .= "X-Priority: 3\n";
			$headers .= "X-MSMail-Priority: Normal\n";
			$headers .= "X-Mailer: PHP Mailer\n";
			$headers .= "Origin: ". $_SERVER['REMOTE_ADDR']."\n";
			mail($this->ToMail, $this->Subject, $Message, $headers) or die("Message could not be sent");
		}
	}
?>

<><><><><><><><><><><><><><><>
Mike Parks

----- Original Message -----
From: ciapug-request at cialug.org [mailto:ciapug-request at cialug.org]
Sent: 12/13/2005 12:00:03 PM
To: ciapug at cialug.org
Subject: ciapug Digest, Vol 8, Issue 6

> Send ciapug mailing list submissions to
> 	ciapug at cialug.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://cialug.org/mailman/listinfo/ciapug
> or, via email, send a message with subject or body 'help' to
> 	ciapug-request at cialug.org
> 
> You can reach the person managing the list at
> 	ciapug-owner at cialug.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of ciapug digest..."
> 
> 
> Today's Topics:
> 
>    1. php mail injection attack (Barry Von Ahsen)
>    2. Re: mysqli prepared statements (Scott Phillips)
>    3. Re: mysqli prepared statements (Dave J. Hala Jr.)
>    4. RE: mysqli prepared statements (Carl Olsen)
>    5. Re: mysqli prepared statements (Tim Champion)
>    6. RE: mysqli prepared statements (Carl Olsen)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 12 Dec 2005 15:29:15 -0600
> From: Barry Von Ahsen <barry at vonahsen.com>
> Subject: [ciapug] php mail injection attack
> To: ciapug at cialug.org
> Message-ID: <439DEBAB.8010702 at vonahsen.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> one of my contact forms was being used to spam via php mail injection, I 
> thought the group may benefit from the knowledge/solution
> 
> this is the page everyone else links to about the subject:
> http://securephp.damonkohler.com/index.php/Email_Injection
> 
> basically, anywhere you pass form variables to be used in the header of
> mail() [e.g. from or subject], you can pass line feeds to the form, and
> insert your own headers like so:
> 
> $_POST['from'] = "spammer at scumbag.com\n bcc: unlucky1 at recipient.com,
> unlucky2 at adslfkj.com, \n lemme tell ya bout these blue pills..."
> 
> anyhow, here is an easy function to sanitize your fields - it just
> strips out all line feeds from the post vars.  I'm calling it like
> 
> $from = stripcrlf($_POST['from']);
> $subject = stripcrlf($_POST['subject']);
> 
> %0A and %0D are \n and \r urlencoded
> 
> /* ------------------------------------------- */
> function stripcrlf($string) {
> /* ------------------------------------------- */
> 	// strip raw CR/LF and their urlencoded forms (%0D / %0A) in one pass
> 	return preg_replace("/\r+|\n+|%0D|%0A/", "", $string);
> }
> 
> 
> -barry
> 
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 12 Dec 2005 16:12:22 -0600
> From: Scott Phillips <scott.phillips at DRAKE.EDU>
> Subject: Re: [ciapug] mysqli prepared statements
> To: ciapug at cialug.org
> Message-ID: <5.2.0.9.0.20051212160425.0233f578 at mail.drake.edu>
> Content-Type: text/plain; format=flowed; charset=us-ascii
> 
> I think the resounding silence following your question can be translated 
> into, "No. We don't know."
> 
> Regarding your current approach... Do you lock the table before the insert 
> and unlock it after you select the max id? Otherwise, another record could 
> be inserted between the two and you'll end up with the wrong id. That's how 
> I do it, anyway. Is there a better way?
> 
> 
> 
> At 10:26 AM 12/10/2005 -0600, you wrote:
> >Does anyone know if you can use the mysqli->insert_id inside a prepared
> >statement to get the id of the record that has just been inserted?
> >
> >I'm doing it with a select statement which uses the same parameters as the
> >insert statement and selects "MAX(id) AS id" as the output parameter.  It
> >works, but it's easy to make an error when typing it in.
> >
> >Carl
> >http://www.carl-olsen.com/
> >
> >_______________________________________________
> >ciapug mailing list
> >ciapug at cialug.org
> >http://cialug.org/mailman/listinfo/ciapug
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 12 Dec 2005 16:51:08 -0600
> From: "Dave J. Hala Jr." <dave at 58ghz.net>
> Subject: Re: [ciapug] mysqli prepared statements
> To: PHP List <ciapug at cialug.org>
> Message-ID: <1134427868.13267.74.camel at dsl-69.marshallnet.com>
> Content-Type: text/plain
> 
> You could add a "random number" field to your table. Then generate a
> large random number and add to your insert. Then query for the record id
> that matches the random number you inserted.
> 
> Like this:
> 
> INSERT mytable (data,random) values ('$data','$random_number');
> 
> Then
> 
> SELECT id from mytable WHERE random='$random_number';
> 
> Not terribly elegant -but it would work.
> 
> :) Dave
> 
> 
> 
> On Mon, 2005-12-12 at 16:12, Scott Phillips wrote:
> > I think the resounding silence following your question can be translated 
> > into, "No. We don't know."
> > 
> > Regarding your current approach... Do you lock the table before the insert 
> > and unlock it after you select the max id? Otherwise, another record could 
> > be inserted between the two and you'll end up with the wrong id. That's how 
> > I do it, anyway. Is there a better way?
> > 
> > 
> > 
> > At 10:26 AM 12/10/2005 -0600, you wrote:
> > >Does anyone know if you can use the mysqli->insert_id inside a prepared
> > >statement to get the id of the record that has just been inserted?
> > >
> > >I'm doing it with a select statement which uses the same parameters as the
> > >insert statement and selects "MAX(id) AS id" as the output parameter.  It
> > >works, but it's easy to make an error when typing it in.
> > >
> > >Carl
> > >http://www.carl-olsen.com/
> > >
> > >_______________________________________________
> > >ciapug mailing list
> > >ciapug at cialug.org
> > >http://cialug.org/mailman/listinfo/ciapug
> > 
> > _______________________________________________
> > ciapug mailing list
> > ciapug at cialug.org
> > http://cialug.org/mailman/listinfo/ciapug
> -- 
> 
> Open Source Information Systems, Inc. (OSIS)
> Dave J. Hala Jr., President <dave at osis.us>
> 641.485.1606
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 12 Dec 2005 20:02:13 -0600
> From: "Carl Olsen" <carl-olsen at mchsi.com>
> Subject: RE: [ciapug] mysqli prepared statements
> To: <ciapug at cialug.org>
> Message-ID: <00a501c5ff89$3c6c7370$1c00a8c0 at workstation8>
> Content-Type: text/plain;	charset="us-ascii"
> 
> In SQL Server there is a function I can use to return the id number of the
> record using a stored procedure, but I haven't figured out how to do it with
> MySQLi prepared statements (using MySQL 4.1).  I haven't tried using MySQL
> stored procedures yet (MySQL 5), so maybe there's a function for it.  The
> stupid book I'm reading suggested the MAX(id) method, feeding in the
> parameters that were just used to create the insert statement to make it
> hard to return the wrong id (using the same parameters in the WHERE clause).
> I can see why the book thinks this is a better method than simply requesting
> the MAX(id), but I like the way SQL Server does it much better.  Since
> MySQLi has a function for insert_id, it seems to suggest there would be
> something similar for a MySQLi prepared statement.
> 
> -----Original Message-----
> From: ciapug-bounces at cialug.org [mailto:ciapug-bounces at cialug.org] On Behalf
> Of Scott Phillips
> Sent: Monday, December 12, 2005 4:12 PM
> To: ciapug at cialug.org
> Subject: Re: [ciapug] mysqli prepared statements
> 
> I think the resounding silence following your question can be translated 
> into, "No. We don't know."
> 
> Regarding your current approach... Do you lock the table before the insert 
> and unlock it after you select the max id? Otherwise, another record could 
> be inserted between the two and you'll end up with the wrong id. That's how 
> I do it, anyway. Is there a better way?
> 
> 
> 
> At 10:26 AM 12/10/2005 -0600, you wrote:
> >Does anyone know if you can use the mysqli->insert_id inside a prepared
> >statement to get the id of the record that has just been inserted?
> >
> >I'm doing it with a select statement which uses the same parameters as the
> >insert statement and selects "MAX(id) AS id" as the output parameter.  It
> >works, but it's easy to make an error when typing it in.
> >
> >Carl
> >http://www.carl-olsen.com/
> >
> >_______________________________________________
> >ciapug mailing list
> >ciapug at cialug.org
> >http://cialug.org/mailman/listinfo/ciapug
> 
> _______________________________________________
> ciapug mailing list
> ciapug at cialug.org
> http://cialug.org/mailman/listinfo/ciapug
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Tue, 13 Dec 2005 08:30:38 -0600
> From: Tim Champion <timchampion at bigfoot.com>
> Subject: Re: [ciapug] mysqli prepared statements
> To: ciapug at cialug.org
> Message-ID:
> 	<7aa1cdb20512130630y29c7ae55qd79b0caa54aabdc4 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Maybe I'm missing something here, but have you tried the PHP function:
> mysql_insert_id()?
> http://us3.php.net/mysql_insert_id
> 
> 
> On 12/12/05, Dave J. Hala Jr. <dave at 58ghz.net> wrote:
> > You could add a "random number" field to your table. Then generate a
> > large random number and add to your insert. Then query for the record id
> > that matches the random number you inserted.
> >
> > Like this:
> >
> > INSERT mytable (data,random) values ('$data','$random_number');
> >
> > Then
> >
> > SELECT id from mytable WHERE random='$random_number';
> >
> > Not terribly elegant -but it would work.
> >
> > :) Dave
> >
> >
> >
> > On Mon, 2005-12-12 at 16:12, Scott Phillips wrote:
> > > I think the resounding silence following your question can be translated
> > > into, "No. We don't know."
> > >
> > > Regarding your current approach... Do you lock the table before the insert
> > > and unlock it after you select the max id? Otherwise, another record could
> > > be inserted between the two and you'll end up with the wrong id. That's how
> > > I do it, anyway. Is there a better way?
> > >
> > >
> > >
> > > At 10:26 AM 12/10/2005 -0600, you wrote:
> > > >Does anyone know if you can use the mysqli->insert_id inside a prepared
> > > >statement to get the id of the record that has just been inserted?
> > > >
> > > >I'm doing it with a select statement which uses the same parameters as the
> > > >insert statement and selects "MAX(id) AS id" as the output parameter.  It
> > > >works, but it's easy to make an error when typing it in.
> > > >
> > > >Carl
> > > >http://www.carl-olsen.com/
> > > >
> > > >_______________________________________________
> > > >ciapug mailing list
> > > >ciapug at cialug.org
> > > >http://cialug.org/mailman/listinfo/ciapug
> > >
> > > _______________________________________________
> > > ciapug mailing list
> > > ciapug at cialug.org
> > > http://cialug.org/mailman/listinfo/ciapug
> > --
> >
> > Open Source Information Systems, Inc. (OSIS)
> > Dave J. Hala Jr., President <dave at osis.us>
> > 641.485.1606
> >
> > _______________________________________________
> > ciapug mailing list
> > ciapug at cialug.org
> > http://cialug.org/mailman/listinfo/ciapug
> >
> 
> 
> --
> Tim Champion
> timchampion at bigfoot.com
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Tue, 13 Dec 2005 10:59:42 -0600
> From: "Carl Olsen" <carl-olsen at mchsi.com>
> Subject: RE: [ciapug] mysqli prepared statements
> To: <ciapug at cialug.org>
> Message-ID: <002e01c60006$9d7cbf80$1c00a8c0 at workstation8>
> Content-Type: text/plain;	charset="us-ascii"
> 
> Yes.  You are missing two things.  The function would be mysqli_insert_id
> (http://us3.php.net/manual/en/function.mysqli-insert-id.php), and I need to
> use it in a prepared statement, so it would be $stmt->insert_id or something
> like that.  I haven't tried it yet, so maybe it works.  I was just wondering
> if anyone had actually used it and could tell me if it works.
> 
> -----Original Message-----
> From: ciapug-bounces at cialug.org [mailto:ciapug-bounces at cialug.org] On Behalf
> Of Tim Champion
> Sent: Tuesday, December 13, 2005 8:31 AM
> To: ciapug at cialug.org
> Subject: Re: [ciapug] mysqli prepared statements
> 
> Maybe I'm missing something here, but have you tried the PHP function:
> mysql_insert_id()?
> http://us3.php.net/mysql_insert_id
> 
> 
> On 12/12/05, Dave J. Hala Jr. <dave at 58ghz.net> wrote:
> > You could add a "random number" field to your table. Then generate a
> > large random number and add to your insert. Then query for the record id
> > that matches the random number you inserted.
> >
> > Like this:
> >
> > INSERT mytable (data,random) values ('$data','$random_number');
> >
> > Then
> >
> > SELECT id from mytable WHERE random='$random_number';
> >
> > Not terribly elegant -but it would work.
> >
> > :) Dave
> >
> >
> >
> > On Mon, 2005-12-12 at 16:12, Scott Phillips wrote:
> > > I think the resounding silence following your question can be translated
> > > into, "No. We don't know."
> > >
> > > Regarding your current approach... Do you lock the table before the
> insert
> > > and unlock it after you select the max id? Otherwise, another record
> could
> > > be inserted between the two and you'll end up with the wrong id. That's
> how
> > > I do it, anyway. Is there a better way?
> > >
> > >
> > >
> > > At 10:26 AM 12/10/2005 -0600, you wrote:
> > > >Does anyone know if you can use the mysqli->insert_id inside a prepared
> > > >statement to get the id of the record that has just been inserted?
> > > >
> > > >I'm doing it with a select statement which uses the same parameters as
> the
> > > >insert statement and selects "MAX(id) AS id" as the output parameter.
> It
> > > >works, but it's easy to make an error when typing it in.
> > > >
> > > >Carl
> > > >http://www.carl-olsen.com/
> > > >
> > > >_______________________________________________
> > > >ciapug mailing list
> > > >ciapug at cialug.org
> > > >http://cialug.org/mailman/listinfo/ciapug
> > >
> > > _______________________________________________
> > > ciapug mailing list
> > > ciapug at cialug.org
> > > http://cialug.org/mailman/listinfo/ciapug
> > --
> >
> > Open Source Information Systems, Inc. (OSIS)
> > Dave J. Hala Jr., President <dave at osis.us>
> > 641.485.1606
> >
> > _______________________________________________
> > ciapug mailing list
> > ciapug at cialug.org
> > http://cialug.org/mailman/listinfo/ciapug
> >
> 
> 
> --
> Tim Champion
> timchampion at bigfoot.com
> _______________________________________________
> ciapug mailing list
> ciapug at cialug.org
> http://cialug.org/mailman/listinfo/ciapug
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> ciapug mailing list
> ciapug at cialug.org
> http://cialug.org/mailman/listinfo/ciapug
> 
> 
> End of ciapug Digest, Vol 8, Issue 6
> ************************************
> 
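The header-injection problem that Barry's message (Message 1 in the quoted digest) and Mike's Email class above both deal with, as an added example: this is not Mike's code, Barry's stripcrlf(), or anything from the list, and the function names (header_value_is_safe, build_headers, send_contact_mail), the contact@example.com recipient and the constructed form submissions are this example's own assumptions. Rather than stripping line feeds and sending whatever is left, it refuses the request outright when a field could start a new header, validates the From address with filter_var() (and, optionally, the MX lookup Mike describes), and never lets a form value become a Cc: or Bcc: line.

```php
<?php
// Added example, not code from Mike's Email class or Barry's stripcrlf():
// the same mail() header-injection problem, handled by rejecting bad input
// instead of sending a cleaned-up version of it. All names below are assumed.

// A header value may not contain a CR, LF or NUL. The URL-encoded forms are
// checked too, in case a value reaches us without having been decoded.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]|%0[aAdD]/', $value) === 0;
}

// Syntax check via filter_var, optionally followed by the MX/A lookup that
// Mike's outside function performs. Leave $check_dns false when offline.
function address_is_valid(string $addr, bool $check_dns = false): bool
{
    if (!header_value_is_safe($addr) || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if ($check_dns) {
        $domain = substr($addr, strrpos($addr, '@') + 1);
        return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
    }
    return true;
}

// Build the additional_headers string for mail() from the form fields.
// Returns null, after logging the client IP, when a field would inject a header.
function build_headers(array $fields, string $client_ip, bool $check_dns = false): ?string
{
    $from    = $fields['from']    ?? '';
    $subject = $fields['subject'] ?? '';

    if (!header_value_is_safe($subject)) {
        error_log("mail injection attempt from $client_ip: CR/LF in subject");
        return null;
    }
    if (!address_is_valid($from, $check_dns)) {
        error_log("mail injection attempt from $client_ip: bad From address");
        return null;
    }
    // Only validated values reach the header block. Cc/Bcc are never taken
    // from the form; add them here as literals if the site needs them.
    return "From: $from\r\n"
         . "Reply-To: $from\r\n"
         . "X-Mailer: PHP/" . PHP_VERSION . "\r\n"
         . "X-Originating-IP: $client_ip\r\n";
}

// Sends only when build_headers() accepted every field; false means refused.
function send_contact_mail(array $fields, string $client_ip): bool
{
    $headers = build_headers($fields, $client_ip);
    if ($headers === null) {
        return false;
    }
    $body = wordwrap($fields['message'] ?? '', 70, "\r\n");
    return mail('contact@example.com', $fields['subject'] ?? '', $body, $headers);
}

// Constructed inputs: Barry's payload from the digest, where the LF after the
// address would otherwise start a Bcc: header, and an ordinary submission.
$attack = ['from'    => "spammer@scumbag.com\n bcc: unlucky1@recipient.com, unlucky2@adslfkj.com",
           'subject' => 'hello',
           'message' => 'lemme tell ya bout these blue pills...'];
$clean  = ['from' => 'visitor@example.org', 'subject' => 'hello', 'message' => 'hi'];

foreach (['attack' => $attack, 'clean' => $clean] as $label => $fields) {
    echo $label, ': ', (build_headers($fields, '203.0.113.7') === null ? "refused" : "accepted"), "\n";
}
```

Refusing is deliberate: a field that contains a line feed is an attack, not a typo, so there is no reason to "repair" it and send mail on the attacker's behalf, and the log line gives the same tracking Mike's error_log() call provides without e-mailing an alert for every probe.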


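For the mysqli prepared-statement thread in the digest (Messages 2 through 6): Carl's guess is right, the property is mysqli_stmt::$insert_id (also reachable as $db->insert_id on the connection). The example below is added here and is not Carl's code or the book's MAX(id) method; the table definition, database name and credentials are assumptions for the illustration.

```php
<?php
// Added example, not Carl's code nor the book's MAX(id) re-select: getting the
// AUTO_INCREMENT id back from a mysqli prepared statement. Assumed schema:
//   CREATE TABLE mytable (id INT AUTO_INCREMENT PRIMARY KEY, data VARCHAR(255));

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw instead of returning false

function insert_row(mysqli $db, string $data): int
{
    // The placeholder keeps $data out of the SQL text, so nothing needs escaping.
    $stmt = $db->prepare('INSERT INTO mytable (data) VALUES (?)');
    $stmt->bind_param('s', $data);
    $stmt->execute();

    // mysqli_stmt::$insert_id (mysqli_stmt_insert_id) holds the AUTO_INCREMENT
    // value generated by this statement; $db->insert_id returns the same number.
    // MySQL keeps LAST_INSERT_ID() per connection, so an insert by another
    // client in between cannot change it: no LOCK TABLES, no MAX(id) re-select
    // and no random marker column are needed. It is 0 if the table has no
    // AUTO_INCREMENT column.
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

$db = new mysqli('localhost', 'appuser', 'secret', 'testdb');   // assumed credentials
$a = insert_row($db, 'first row');
$b = insert_row($db, 'second row');
printf("inserted ids %d and %d\n", $a, $b);
```

The MAX(id) approach in the book has the race Scott points out, and locking the table to close it serialises every writer; the per-connection counter avoids both, and binding the parameter also removes the quoting problem that a string-built INSERT like the one in Dave's message carries.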

More information about the ciapug mailing list