tags:

views:

33

answers:

2
Q: 

Validating a form for email exploits is not working

Hello, I have a contact form in my website. I made a class to handle the whole process. But there is something not working in it.

I have 2 functions to check for exploitation and they are not working. I don't know what's wrong with them, so here they are :

private function _validateExploit($val) {
    $exploitPattrens = array('content-type', 'to:', 'bcc:', 'cc:', 'document.cookie', 'document.write', 'onclick', 'onload', '\n', '\r', '\t', '%0A', '%0D', '%08', '%09');

    foreach ($exploitPattrens as $exploit) {
        if (strpos($exploit, $val) !== false){
            return true;
        }
    }
    return false;
}

public function isExploit () {

    if(call_user_func_array(array($this, '_validateExploit'), $_POST)) {
          echo $errorMsg;
     }
 }

When I call isExploit() it always return false, no matter what I give it as an input.

I guess there is something wrong with the call_user_func_array, but I can't find it.

Thanks in advance!

A: 

strpos($exploit, $val) should be strpos($val, $exploit)

You also have echo $errorMsg; but $errorMsg is never defined.

And I think you probably want array_walk ( http://us3.php.net/manual/en/function.array-walk.php ) rather than call_user_func_array. I would just loop through $_POST rather than use either of those functions though. I don't think they really buy you anything in this case - and they might not return values the way you are expecting.

Scott Saunders  2010-08-13 14:27:35
Thanks for the advice, I used `array_filter` because `array_walk` always returns true on success and in this case it must succeed to be able to validate. `array_filter` returns what the function returns. Thanks for pointing me :D
Maher4Ever  2010-08-13 16:07:18
A: 

You are passing the $_POST variable to the function. $_POST is an array as the call_user_func_array() function requires, but you are not treating it like an array in the _validateExploit function. You are treating it like a string. You need to loop through the $val array as well testing each item in that array or just pick one. You also have your haystack and needle reversed in strpos() as indicated in another answer.

private function _validateExploit($val) {
    $exploitPattrens = array('content-type', 'to:', 'bcc:', 'cc:', 'document.cookie', 'document.write', 'onclick', 'onload', '\n', '\r', '\t', '%0A', '%0D', '%08', '%09');

    foreach ($exploitPattrens as $exploit) {
        foreach ($val as $itm) {
            if (strpos($itm, $exploit) !== false){
                return true;
            }
        }
    }
    return false;
}
Buggabill  2010-08-13 14:40:18
Good catch of the call_user_func_array() issue. If the OP rewrites `_validateExploit()` your way, he can just call `$this->_validateExploit($_POST)`
Scott Saunders  2010-08-13 14:52:37
They could do that, but calling it using `call_user_func_array()` allows them the flexibility of calling any function that they want in a loop passing in the $_POST array as an argument. The `if` statement there may be just a snippet of the real code with the name of the function added in for our benefit.
Buggabill  2010-08-13 15:23:11
Thanks for helping me with this, I fixed the 'strpos()'. But I actually thought that `call_user_func_attay()` would do the job for me instead of going through nested loops which are bad for performance.
Maher4Ever  2010-08-13 16:05:41
Well.. the point is and was that `$_POST` is an array. You will have to walk it, loop through it, or pick individual elements to test in your function.
Buggabill  2010-08-13 16:55:22

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases