MiniVend Akopia Services


Re: [mv] Contact Us/ Multiple FeedBack Pages/Multiple Email Addresses



Hi All -

jojo's approach to solving the feedback form problem is good, but in
the interest of security...

> <FORM ACTION="http://__SERVER_NAME____CGI_URL__/postout?[data session id]"
>       METHOD="POST">
> [L]Subject[/L] : <SELECT NAME="subject">
>                          <OPTION VALUE="Hello world!"> Hello World!
>                          <OPTION VALUE="Hello Karl!"> Hello Karl!
>                  </SELECT>
>  [L]Message[/L] :
>        <TEXTAREA name="MESSAGE" cols=60 rows=20>[value MESSAGE]</TEXTAREA>
  vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> <input type="hidden" Name="emailto" VALUE="kswisher@iolinc.net"> 
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Please don't do this!

> <input type="submit" Name=mv_todo VALUE="Senden"> 
>  </FORM>


It's a "Bad Idea (tm)" to put mailto or similar values as hidden form
variables.  Anyone can save the form from their browser to a local file,
edit the mailto address, and submit the form from that local copy.  That
means they can use your mail server to send email anonymously to anyone
else, and it will look like it came from you or your company.  (There is a
well known case of an MIT script that was set up this way - another web
site linked to that CGI program and set up their own anonymous emailing
service which they offered to the public.) 

It would be much better to have the postout script itself determine the
mailto address based on the Subject selection, or based on another select
list of "To" destinations like "Sales", "Support", etc. 

(Not specifically a MiniVend topic I know, but there's been talk of credit
card number security recently and it's important to think about all
aspects of security...)


Larry Leszczynski
larryl@furph.com
--
  furph, Inc.	WWW/Unix/Windows Solutions	734-513-7763 (voice)
info@furph.com	   http://www.furph.com		734-513-7759 (FAX)
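The server-side approach Larry describes, as an added example that is not part of the original post and not MiniVend's own postout script: the recipient is chosen from a fixed table keyed by the "To" select value, and any client-supplied "emailto" field is ignored. The addresses, the `to` field name and the `build_feedback_message` helper are constructed for this example.

```python
# Added example: pick the mail recipient on the server, never from a hidden
# form field. Addresses below are constructed placeholders.
from email.message import EmailMessage

# Server-side allow-list. The browser only ever submits the short key
# ("sales", "support"); the real addresses never appear in the HTML.
RECIPIENTS = {
    "sales": "sales@example.invalid",
    "support": "support@example.invalid",
}


class BadRequest(ValueError):
    """Raised when the submitted destination is not in RECIPIENTS."""


def build_feedback_message(form, sender="webform@example.invalid"):
    """Build the outgoing mail from the POSTed form fields (a dict).

    Only form["to"] is consulted to choose the recipient, and only values
    present in RECIPIENTS are accepted. A tampered copy of the form that
    adds or edits an "emailto" field has no effect, because that key is
    never read.
    """
    choice = form.get("to", "")
    if choice not in RECIPIENTS:
        raise BadRequest("unknown destination: %r" % choice)

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = RECIPIENTS[choice]          # server decides, not the client
    msg["Subject"] = form.get("subject", "Feedback")
    msg.set_content(form.get("MESSAGE", ""))
    return msg


if __name__ == "__main__":
    # Constructed submission with a tampered hidden field that must be ignored.
    tampered = {"to": "support", "subject": "Hello world!",
                "MESSAGE": "hi", "emailto": "victim@example.invalid"}
    print(build_feedback_message(tampered)["To"])   # support@example.invalid
```

The message object would then be handed to the site's normal mail transport; the point is that the destination address is resolved after the form is received, not before.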


