Contact yourself !



  • Today I went to a mandatory off-site training about "web servers" and we had to "set up" a web server, you know the kind with IIS4 on WinXP. When we finally had to deal with Apache/PHP we had to install a website stub just for the exercise, something with chocolate, and there was a contact form in PHP which is WTFy, but that's only my point of view:

    <?php
    if (isset($HTTP_POST_VARS['B1']))
    {
    // check the values.
    $nom=trim(addslashes($HTTP_POST_VARS['nom']));
    $mail=trim(addslashes($HTTP_POST_VARS['mail']));
    $tableau=array();
    $tableau=Explode("@",$mail,2);
    echo $tableau[0];
    if ($nom=="" || $nom=="Nom")
    {
    echo "Veuillez rentrer un nom";
    }
    elseif ($mail=="")
    {
    echo "Rentrez une adresse mail";
    }
    elseif (!isset($tableau[1]))
    {
    echo"Rentrez une adresse valide";
    }
    else
    {
    if(!mysql_connect('localhost','root'))
    {
    Echo'Connection Impossible';
    exit();
    }
    else
    {
    Echo'Connexion réussie';
    }
    Mysql_select_db('ybet');
    $requete="insert formulaire SET nom='$nom', mail='$mail'" ;
    $resultat=mysql_query($requete);
    }
    }
    $form="<form method=\"POST\">
    <p>Nom: <input type=\"text\" name=\"nom\" size=\"20\" value=\"Nom\"></p>
    <p>Votre adresse mail: <input type=\"text\" name=\"mail\" size=\"30\" value=\"Votre adresse mail\"></p>
    <p><input type=\"submit\" value=\"Envoyer\" name=\"B1\"></p>
    </form>";
    echo $form;
    ?>

    It's in French but I don't have time to translate it right now because I'm in class, but I have time to write a WTF !!

    So here is my list:

    • Using $HTTP_POST_VARS
      Almost as bad as using register_globals on
    • E-Mail validation
      Well this one is easy
    • Nested IFs
      If there are more fields, ouch
    • Using mysql procedural interface
      Well this one can be accepted
    • Connecting as 'root'
      Security breach
    • Why put the html of the form into a var and then echo it ?


    • How about also echoing without using htmlspecialchars?
    • And then there's addslashes without checking if the server has magic quotes enabled (OK, you set it up yourself, so in theory...).
    • And then there's writing out the form even after accepting the message (in case you want to send another one?).
    • Not prefilling the form with the previous values if there's an error.
    • Wasting time by pointlessly declaring $tableau as an array, just before recreating it as an array (explode will return a completely new array).
    • Echo echo? echo Echo! cAsE iNSEnsitivITY iS Ugly.

    I suppose they have to start somewhere, but this is like death from a thousand papercuts, and a security hole.



  • @ltouroumov said:

    something with chocolate
    Que?

    E-Mail validation
    Well this one is easy
    They're checking that there's at least one @ sign in there and there's stuff before and after it. Ok, they could probably check for a period in the bit on the right of it, but quite how much validation do you think should be done in PHP?

    Hint: regex is not the solution, and beyond checking that the host has MX records, then sending a verification email to the address submitted, not much else from what's above should be done.

    @ltouroumov said:
    Nested IFs
    If there are more fields, ouch
    That indentation doesn't ring true. You have a series of if/else/else/else clauses with each subsequent clause unnecessarily indented even further.


  • The test website was about an online chocolate store, because I work in Switzerland.

    Well Regexp is perhaps not the best solution but at least it's better than this.

    And when a field validation fails, why not just add the message to a list and then print all the messages?

    Hopefully it's not production code (I guess)



  • @ltouroumov said:

    Well Regexp is perhaps not the best solution but at leas it's better than this.
    Better in this context would mean that regex would both pass more valid email addresses and stop more invalid emails, and most regex implementations found with a quick google are notorious for stopping perfectly valid email address. (Perhaps the most commonly incorrectly refused as invalid in use these days is a + in the local part which GMail, among others, allow users to tag incoming emails.)



  • @ltouroumov said:

    Echo'Connection Impossible';
    Trlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrl... prrrlum!

    Pum, pum-pum-pum, pum.

    Pum-pum-pum, pum.

    Pum-pum-pum, pum.

    Pum-pum-pum--

    Neeneeneeee.. Neeneeneeeee.. Neeneeneeeee..

    Neah-neah!

    ...



  • Technically it's valid to have an email address that looks like this:

    "Quoted string containing spaces and other normally-invalid characters, like a 2nd @!"@[IP.AD.DR.ESS]

    Good luck finding a website that does validation and doesn't stumble on that one...



  • Why don't you first find an ISP / mail server which allows you to configure such an email address for yourself...




  • (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])


    Supposedly this matches any RFC 2822 E-mail address. I only tested a few; it allows the + in the local part. Personally I would never use a regexp for something like an E-mail; just check a few basics and get on with it.
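The "check a few basics, see that the host can receive mail, then send a verification e-mail" approach argued for in the replies above, as an added example that is not part of any post in this thread. The function names (splitAddress, domainAcceptsMail, checkAddress, newVerificationToken) are hypothetical. The DNS lookup is passed in as a callable so the demo runs offline against a constructed resolver; in production you would pass PHP's real checkdnsrr. It also accepts the quoted-local-part / domain-literal address from the earlier post, which most regexes stumble on, because it splits at the last @ and treats a bracketed IP as a literal instead of a DNS name.

```php
<?php
// Added example (not the course's or any poster's code): structural checks,
// an MX/A lookup with an injected resolver, and a token for the verification mail.
declare(strict_types=1);

/**
 * Split at the LAST '@' so a quoted local part such as "a@b"@example.com
 * stays intact. Returns null unless both sides are non-empty.
 */
function splitAddress(string $address): ?array
{
    $address = trim($address);
    $at = strrpos($address, '@');
    if ($at === false || $at === 0 || $at === strlen($address) - 1) {
        return null;
    }
    return [substr($address, 0, $at), substr($address, $at + 1)];
}

/**
 * Can the domain part receive mail? $mxLookup(host, type) returns bool;
 * it is injected so this runs offline here and uses 'checkdnsrr' in production.
 */
function domainAcceptsMail(string $domain, callable $mxLookup): bool
{
    // Domain literal such as [192.0.2.1] or [IPv6:2001:db8::1]: no DNS, just a well-formed IP.
    if ($domain[0] === '[' && substr($domain, -1) === ']') {
        $ip = substr($domain, 1, -1);
        if (strncasecmp($ip, 'IPv6:', 5) === 0) {
            $ip = substr($ip, 5);
        }
        return filter_var($ip, FILTER_VALIDATE_IP) !== false;
    }
    if (strlen($domain) > 253 || !preg_match('/^[A-Za-z0-9.-]+$/', $domain)) {
        return false;
    }
    // RFC 5321 section 5.1: with no MX record, mail falls back to an A/AAAA record.
    return $mxLookup($domain, 'MX') || $mxLookup($domain, 'A') || $mxLookup($domain, 'AAAA');
}

/** Returns [bool $looksDeliverable, string $reason]. */
function checkAddress(string $address, callable $mxLookup): array
{
    $parts = splitAddress($address);
    if ($parts === null) {
        return [false, 'Address must look like local@domain'];
    }
    [$local, $domain] = $parts;
    if (strlen($local) > 64) {
        return [false, 'Local part longer than 64 octets'];
    }
    if (!domainAcceptsMail($domain, $mxLookup)) {
        return [false, "No mail server found for $domain"];
    }
    return [true, 'Looks deliverable; confirm with a verification mail'];
}

/** Unguessable token to embed in the verification link sent to the address. */
function newVerificationToken(): string
{
    return bin2hex(random_bytes(32));
}

// ---- demo with a constructed (fake) resolver so the script runs offline ----
$fakeDns = [
    'example.com'    => ['MX'],
    'a-only.example' => ['A'],
];
$stubLookup = fn(string $host, string $type): bool =>
    in_array($type, $fakeDns[strtolower($host)] ?? [], true);

$samples = [
    'alice+tag@example.com',        // the + in the local part that many regexes refuse
    'bob@a-only.example',           // host with an A record but no MX
    '"quoted @ local"@[192.0.2.1]', // the quoted-string / domain-literal form from the thread
    'carol@no-such-host.example',   // nothing in DNS at all
    'no-at-sign',                   // wrong shape
];
foreach ($samples as $s) {
    [$ok, $why] = checkAddress($s, $stubLookup);
    printf("%-32s %s (%s)\n", $s, $ok ? 'OK' : 'NO', $why);
}
printf("token for the verification link: %s\n", newVerificationToken());
```

Run it with the PHP CLI; to use it for real, replace $stubLookup with `'checkdnsrr'` and store the token next to the address until the user follows the link. Deliverability is still only proven by that round trip, which is why the function reports "looks deliverable" rather than "valid".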



  • Shouldn't a contact form, um, contact someone?



  • And addslashes IS NOT safe against SQL injection. You need to use mysql_real_escape_string for that.



  • @Daid said:

    You need to use mysql_real_escape_string for that.

    Only if you're using MySQL.



  • @bannedfromcoding said:

    @Daid said:
    You need to use mysql_real_escape_string for that.

    Only if you're using MySQL.

    And only if you're not using parametrised queries. Which you should.

    (of course, you still need to escape html before outputting to the client, but that's completely separate)



  • @ltouroumov said:

    if om ($nom=="" || $nom=="Nom")



  • @Thief^ said:

    And only if you're not using parametrised queries. Which you should.

    TRWTF is that PHP's standard MySQL interface doesn't support parameterized queries (at least not last time I worked with PHP). Sure, you could use MySQLi, but I've had some bizarre and frustrating issues with that.
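The fixes the thread asks for, pulled together in one place as an added example that is not the training course's code or anyone's post here: prepared statements instead of addslashes (the Daid and Thief^ posts), htmlspecialchars on everything echoed back, all validation messages collected into a list, the form prefilled with the previous values on error and not shown again after success (the second reply and ltouroumov's follow-up). PDO is used because, as the post above notes, the old mysql_* interface has no prepared statements. The demo opens an in-memory SQLite database so it runs offline without a web server; a MySQL DSN such as 'mysql:host=localhost;dbname=ybet' with a non-root user works unchanged. ContactStore, field, collectErrors, h, renderForm and handleRequest are hypothetical names.

```php
<?php
// Added example, not the code from the course: the same contact form with
// bound parameters, escaped output, an error list and prefilled fields.
declare(strict_types=1);

final class ContactStore
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /** Values travel as bound parameters and are never spliced into the SQL text. */
    public function save(string $nom, string $mail): void
    {
        $stmt = $this->pdo->prepare('INSERT INTO formulaire (nom, mail) VALUES (:nom, :mail)');
        $stmt->execute([':nom' => $nom, ':mail' => $mail]);
    }

    public function count(): int
    {
        return (int) $this->pdo->query('SELECT COUNT(*) FROM formulaire')->fetchColumn();
    }
}

/** Read one field as a trimmed string; missing keys and arrays (nom[]=...) become ''. */
function field(array $input, string $key): string
{
    return is_string($input[$key] ?? null) ? trim($input[$key]) : '';
}

/** Validate every field and return all problems, not only the first one. */
function collectErrors(array $input): array
{
    $errors = [];
    $nom  = field($input, 'nom');
    $mail = field($input, 'mail');
    if ($nom === '' || $nom === 'Nom') {
        $errors[] = 'Veuillez rentrer un nom';
    }
    // The minimal rule discussed in the thread: an @ with something on both sides.
    $at = strrpos($mail, '@');
    if ($mail === '') {
        $errors[] = 'Rentrez une adresse mail';
    } elseif ($at === false || $at === 0 || $at === strlen($mail) - 1) {
        $errors[] = 'Rentrez une adresse valide';
    }
    return $errors;
}

/** Every client-supplied value is escaped on output (the htmlspecialchars point). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the form, listing the errors and prefilling what the user typed. */
function renderForm(array $input, array $errors): string
{
    $html = '';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . h($e) . "</p>\n";
    }
    $html .= "<form method=\"post\">\n"
        . '<p>Nom: <input type="text" name="nom" size="20" value="' . h(field($input, 'nom')) . "\"></p>\n"
        . '<p>Votre adresse mail: <input type="text" name="mail" size="30" value="'
        . h(field($input, 'mail')) . "\"></p>\n"
        . "<p><input type=\"submit\" value=\"Envoyer\" name=\"B1\"></p>\n</form>\n";
    return $html;
}

function handleRequest(array $post, ContactStore $store): string
{
    if (!isset($post['B1'])) {
        return renderForm([], []);          // first visit: empty form
    }
    $errors = collectErrors($post);
    if ($errors !== []) {
        return renderForm($post, $errors);  // re-show the form with the previous values
    }
    $store->save(field($post, 'nom'), field($post, 'mail'));
    return "<p>Merci, votre message a été enregistré.</p>\n"; // no second form after success
}

// ---- demo with constructed POST data; no web server or MySQL needed ----
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE formulaire (nom TEXT NOT NULL, mail TEXT NOT NULL)');
$store = new ContactStore($pdo);

// An apostrophe and a tag: in the original these would end up raw in the SQL string and in the page.
$awkward = ['B1' => 'Envoyer', 'nom' => "O'Brien <b>bold</b>", 'mail' => 'x@example.com'];
echo handleRequest($awkward, $store);                                                // stored verbatim, one row
echo handleRequest(['B1' => 'Envoyer', 'nom' => 'Nom', 'mail' => '<b>oops'], $store); // both errors listed, input escaped
echo 'rows: ', $store->count(), "\n";
```

With PDO::ERRMODE_EXCEPTION a failed connection or query throws a PDOException instead of returning false, so the `if(!mysql_connect(...)) exit()` dance disappears; catch it once at the top level and show a generic message rather than the driver's text. With a MySQL DSN you would also set PDO::ATTR_EMULATE_PREPARES to false so the statements are prepared server-side.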



  • @derula said:

    @ltouroumov said:
    if om ($nom=="" || $nom=="Nom")

    Wow, those French people must be missing out on all the Cookie Monster jokes.

    "He eats a biscuit saying 'Name, name, name'!  Why is that funny?"



  • @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.



  •  Meh, it's crappy PHP, but you said it was part of a class on setting up web servers, so who cares?



  • @morbiuswilters said:

    @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.

    When can we get a new RFC that outlines sane email addresses?  "Emails will be some letters and numbers and maybe some periods (or a plus for all those Gmail people), then an @ symbol, then some more letters and numbers and dots."



  • @bstorer said:

    @morbiuswilters said:

    @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.

    When can we get a new RFC that outlines sane email addresses?  "Emails will be some letters and numbers and maybe some periods (or a plus for all those Gmail people), then an @ symbol, then some more letters and numbers and dots."

    Also: case-fucking-insensitive, amirite?  Seriously, though, e-mail is such a piece of shit and there is so much wrong with SMTP, POP and IMAP that will never be fixed.

