Re: static ip to dhcp conversion -- getting a hostname
At 05:31 PM 3/5/2004, Alan Shutko wrote:
You'll have to stop getting the email address from the form.
Ok, that sounds like a good idea. What I'm working on with this new release
is a web installer, so putting the recipient address in the code isn't a
problem. I do think it would be more proper to put it on a server file,
somewhere on the web dir's parent dir. This is just a little harder for me
to code into the installer app but I think a nicer implementation since it
allows the webmaster to easily change the send-to address. Maybe a bit less
secure, unless I do something like embed a generated key at install time.
* Hardcode the destination address in the script
Or on a non-web accessible file with an authentication key - unless you
see that as less secure.
* Hardcode multiple addresses in the script, and have a token in the
form specify which address to mail to. For example, if the form
says address=FOO, you look it up $addresses[FOO] to get
"support@wherever".
What's the advantage here? Security through obscurity?
* Just discontinue the script, and have people use formmail. That
way, the security burden is on someone else
Heh, you think the situation's really that bad huh Alan?
BTW, how do server side ENV vars get spoofed? I mean I've changed them for
programmatic reasons within programs I've written, but to do this otherwise
wouldn't you need a wrapper around the software... in which case you might
as well send the email yourself.
Marty Landman Face 2 Interface Inc. 845-679-9387
FormATable DB: http://face2interface.com/Products/FormATable.shtml
Make a Website: http://face2interface.com/Home/Demo.shtml
Free Formmailer: http://face2interface.com/Products/Formal.shtml
Reply to: