FormMail with Improved Security

Sending Email with Perl – Part 4

Perl Course

Foreword: In this part of the series I explain how to produce a custom FormMail with improved security.

By: Chrysanthus Date Published: 23 Nov 2015

Introduction

This is part 4 of my series, Sending Email with Perl. In this part of the series I explain how to produce a custom FormMail with improved security. You must have read the previous part of the series before coming here, as this is a continuation. In this tutorial I refer to the code samples in the previous tutorial, now with prevention against hacking. FormMail is the Perl script at the server that receives the dataset of a web page form and sends it to an email box.

Beginning
You begin the script with:

    use strict;
    use warnings;
    use CGI;

    # $CGI::POST_MAX (see "Receiving and Locking the Hash" below) must be
    # set before this line: CGI->new() is what reads the request body.
    my $obj = CGI->new();

The last statement here creates the CGI object, which reads and parses the request.

Allowing only Dataset from Your Site
What you normally want is for a client to fill in the form on your website and submit it to your website's web server. A hacker, however, can copy your form onto his own page, point it at your FormMail and use your script to send his own dataset to any email address he likes; your server then works as an open mail relay for him. You cannot reliably tell where the form came from: the only thing that would carry the other page's hostname is the Referer header, and that is supplied by the client and trivially forged. What you can control is the addresses the script is willing to use, so the check is made on the email and recipient values themselves: if they are not on your own domain, you print a refusal and exit.

Assume that your domain is mysite.com. To do the comparison and stop, the FormMail script needs the following code segment, placed after the form values have been read (next section), since the check uses $email and $recipient:

    # Anchor the pattern and escape the dot: a bare /mysite.com/ also
    # matches "x@mysite.com.attacker.example" and "x@mysiteXcom".
    if ($email !~ /\@mysite\.com$/i)
        {
            print "Content-type: text/plain\n\naccess denied.\n";
            exit;
        }
    if ($recipient !~ /\@mysite\.com$/i)
        {
            print "Content-type: text/plain\n\naccess denied.\n";
            exit;
        }

The refusal is printed with a content-type header so the browser shows it; die would only write to the server's error log and give the client a 500 error. These checks allow only a sender address and a recipient address on your own domain. Keep in mind that the sender address is whatever the client typed and cannot be verified here; the recipient check is the one that matters, and the safest form of it is a fixed list of allowed recipient addresses in the script.

Receiving and Locking the Hash
Next in the script you read the key/value pairs into variables and lock the hash behind the CGI object. With this lock, no value can be changed, no key can be deleted and no new key/value pair can be added. Note what the lock covers: only the object's own top-level keys and values. The parameter data lives in nested structures inside the object, which the lock does not reach, so it protects you from your own code accidentally altering or reusing the object, not from the client, who has already supplied the values. You need code as follows (see explanation of the first line below):

    # Must run BEFORE CGI->new(): the constructor reads the request body,
    # so a limit set afterwards is never applied.
    $CGI::POST_MAX = 1000000;

    my $email = $obj->param('email');
    my $title = $obj->param('title');
    my $firstname = $obj->param('firstname');
    my $job = $obj->param('job');
    my $recipient = $obj->param('recipient');
    my $Cc = $obj->param('Cc');
    my $Bcc = $obj->param('Bcc');
    my $subject = $obj->param('subject');
    my $message = $obj->param('message');

    # Freezes the object's top-level keys and values only; the parameter
    # data nested inside stays writable. This guards against accidental
    # changes in your own code, not against the client.
    use Hash::Util "lock_hashref";
    lock_hashref($obj);

Now, a hacker may send a very large request body, for example megabytes of text in the message field. Reading it consumes a lot of memory and can exhaust it, and the system slows down dramatically while the script tries to allocate it. The first line in this code segment limits the whole POST body, not each variable separately, to 1,000,000 bytes. Because CGI->new() is what reads the body, this variable must be set before the object is created, which in this script means at the top, before the my $obj = CGI->new(); line of the Beginning section. When a request exceeds the limit, CGI.pm discards all the parameters and records the reason in $obj->cgi_error (the text "413 Request entity too large"), so check cgi_error before trusting the values; otherwise an oversized request looks exactly like an empty form.

Validation
In the tutorial, “Tainted scalar values and Prevention in Perl” of the series, “Perl Insecurities and Prevention”, I explain how to validate input data. The link to the series is at the bottom of this page. Next in the FormMail script, you have to validate email, title, firstname and every other field. For a FormMail the most important rule is that any value placed in a mail header (email, recipient, Cc, Bcc, subject) must be a single line: a carriage return or line feed inside it lets the client append headers of his own, such as extra Bcc recipients.
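The three sections above (domain check, request-size limit and locking, validation) are steps of one script, so here is the whole front half of a hardened FormMail as one added example. It is not the tutorial's own code: the domain mysite.com, the recipient list, the field length limits and the helper names deny, header_field and read_form are assumptions made for the illustration. It goes beyond the text in two ways: the recipient is checked against a list fixed in the script rather than only a domain pattern, and every header-bound field is refused if it contains a line break.

```perl
#!/usr/bin/perl
# Added example, not the tutorial's own script: the hardened front half of a
# FormMail. The domain mysite.com, the recipient list, the field length
# limits and the helper names are assumptions for illustration.
use strict;
use warnings;
use CGI;
use Hash::Util qw(lock_hash);

# Request-size limits are applied by CGI->new() when it reads the request
# body, so they must be set before the object is created. POST_MAX bounds
# the whole body in bytes, not each field.
$CGI::POST_MAX        = 1_000_000;
$CGI::DISABLE_UPLOADS = 1;    # a mail form never needs file uploads

my $SITE_DOMAIN = 'mysite.com';
# Recipients the server is willing to mail to (assumed addresses). The form
# may name one of them; anything else is refused, so a copy of the form on
# another site cannot turn the script into an open relay.
my %ALLOWED_RECIPIENT = map { ($_ => 1) } ('sales@mysite.com', 'support@mysite.com');

# One local part, one @, a dotted host name, no whitespace or line breaks.
my $EMAIL_RE = qr/^[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;

# Refuse the request: a short page for the client, the reason for the
# server log only, so attacker-controlled input is never echoed back.
sub deny {
    my ($why) = @_;
    print "Content-type: text/plain\n\naccess denied.\n";
    warn "formmail: $why\n";
    exit 1;
}

# A value that will end up in a mail header must be one line and bounded
# in length; a CR or LF in it would let the client add headers of his own.
sub header_field {
    my ($value, $name, $max) = @_;
    $value = '' unless defined $value;
    deny("$name contains a line break or NUL") if $value =~ /[\r\n\0]/;
    deny("$name is longer than $max bytes")     if length($value) > $max;
    return $value;
}

sub read_form {
    my $cgi = CGI->new();

    # When the body exceeds POST_MAX, CGI.pm drops every parameter and
    # records the reason here; an empty form would otherwise look like a
    # client who simply filled nothing in.
    deny('request rejected: ' . $cgi->cgi_error) if $cgi->cgi_error;

    my %form = (
        email     => header_field(scalar $cgi->param('email'),     'email',     254),
        title     => header_field(scalar $cgi->param('title'),     'title',     20),
        firstname => header_field(scalar $cgi->param('firstname'), 'firstname', 100),
        job       => header_field(scalar $cgi->param('job'),       'job',       100),
        recipient => header_field(scalar $cgi->param('recipient'), 'recipient', 254),
        subject   => header_field(scalar $cgi->param('subject'),   'subject',   200),
        message   => scalar $cgi->param('message'),
    );
    # The body may legitimately span lines; it only needs a NUL check and,
    # through POST_MAX, a size bound.
    $form{message} = '' unless defined $form{message};
    deny('message contains NUL') if $form{message} =~ /\0/;

    # Sender: plausible syntax, and on our own domain as the tutorial's
    # policy requires. Anchoring and \Q..\E matter: an unanchored
    # /mysite.com/ also accepts "x@mysite.com.attacker.example".
    deny('malformed sender address') unless $form{email} =~ $EMAIL_RE;
    deny('sender not on our domain')
        unless $form{email} =~ /\@\Q$SITE_DOMAIN\E$/i;

    # Recipient: must be one of the addresses fixed in this script.
    deny('recipient not allowed') unless $ALLOWED_RECIPIENT{ lc $form{recipient} };

    # Cc and Bcc are never taken from the client; set them here if needed.
    $form{cc}  = '';
    $form{bcc} = '';

    # Freeze the validated copy: no new keys, no changed values from here on.
    # This guards against mistakes in our own code, not against the client.
    lock_hash(%form);
    return \%form;
}

my $form = read_form();
# $form->{email}, $form->{recipient}, ... now feed the mail-sending part of
# the script from the previous part of the series.
```

This replaces the Beginning, domain-check and receiving sections of the script as one unit; the mail-sending part from the previous tutorial follows it, reading its values from $form instead of the bare variables. Locking a plain copy of the validated values, rather than the CGI object, is what actually makes the data immutable for the rest of the script.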

The Rest of The Script
The rest of the FormMail script should be as in the previous part of the series.

That is it for this part of the series.

Chrys

Related Links

Perl Basics
Perl Data Types
Perl Syntax
Perl References Optimized
Handling Files and Directories in Perl
Perl Function
Perl Package
Perl Object Oriented Programming
Perl Regular Expressions
Perl Operators
Perl Core Number Basics and Testing
Commonly Used Perl Predefined Functions
Line Oriented Operator and Here-doc
Handling Strings in Perl
Using Perl Arrays
Using Perl Hashes
Perl Multi-Dimensional Array
Date and Time in Perl
Perl Scoping
Namespace in Perl
Perl Eval Function
Writing a Perl Command Line Tool
Perl Insecurities and Prevention
Sending Email with Perl
Advanced Course
Miscellaneous Features in Perl
Perl Two-Dimensional Structures
Advanced Perl Regular Expressions
Designing and Using a Perl Module
More Related Links
Perl Mailsend
PurePerl MySQL API
Perl Course - Professional and Advanced
Major in Website Design
Web Development Course
Producing a Pure Perl Library
MySQL Course
