PERL CGI Beginners forum archive, January 2006

Subject: Security
Thom Hehl

2006-01-10, 3:56 am

We do IDX-enabled Real Estate software for Real Estate brokerages. As
part of this, I want to be able to save searches and e-mail the results
to an e-mail address once a w.

What I'm concerned about is someone picking up the form field names and
storing whatever URL they want with hundreds of e-mail addresses and
letting me e-mail their spam for them. I'm trying to figure out how to
do this.

My guess at the moment is that I make sure the hostname portion of the
URL matches the one specified when the CGI is called. My question is, do
I have access to the URL inside my PERL CGI?

Thanks!

Thom Hehl
Heavyweight Software for Heavyweight Needs
www.heavyweightsoftware.com
--
"In every revolution, there is one man with a vision."--Jerome Bixby


Sean Davis

2006-01-10, 3:56 am




On 12/30/05 7:50 AM, "Thom Hehl" <thom@nowhereatall.com> wrote:

> We do IDX-enabled Real Estate software for Real Estate brokerages. As
> part of this, I want to be able to save searches and e-mail the results
> to an e-mail address once a w.
>
> What I'm concerned about is someone picking up the form field names and
> storing whatever URL they want with hundreds of e-mail addresses and
> letting me e-mail their spam for them. I'm trying to figure out how to
> do this.
>
> My guess at the moment is that I make sure the hostname portion of the
> URL matches the one specified when the CGI is called. My question is, do
> I have access to the URL inside my PERL CGI?


The URL can be spoofed, so that isn't safe either. Also, what would you do
with someone who uses gmail but uses comcast as their net provider?

One relatively safe way to do this is to ask people to put in their email
once, then email them a confirmation email that they must reply to or
validate using a URL that includes a security token (an MD5 hash of the
email and the timestamp and some keyword) that you can check when the user
clicks back to your site. Once that email is "validated", you can then at
least be sure that the person who responded to the email wants to
continue to get email from you.

Hope that helps.

Sean

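The confirmation-token scheme Sean describes, written out as an added Perl example (this is not code from the thread or from either poster). It assumes a server-side secret in `$SECRET`, a 24-hour link lifetime in `$LIFETIME`, and a confirmation script URL of `https://www.example.com/cgi-bin/confirm.cgi`; all three are hypothetical. Where Sean mentions an MD5 hash of the e-mail, timestamp and keyword, the example uses a keyed HMAC-SHA256 over the e-mail and timestamp instead, so the token cannot be recomputed by anyone who does not hold the secret, and it compares tokens in constant time and rejects expired links.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: double opt-in confirmation
# tokens for a "mail me my saved search" feature. Hypothetical values:
# $SECRET, $LIFETIME and the confirm.cgi URL used in the demo below.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module; HMAC-SHA256 in place of plain MD5
use URI::Escape qw(uri_escape);        # only used to build the link

my $SECRET   = 'replace-with-a-long-random-server-side-secret';  # hypothetical
my $LIFETIME = 24 * 60 * 60;   # seconds a confirmation link stays valid (assumption)

# Token over the address and the issue time, keyed with the server secret.
# Neither HTTP_REFERER nor HTTP_HOST is used: both come from the client and,
# as Sean notes, can be spoofed.
sub make_token {
    my ($email, $ts) = @_;
    return hmac_sha256_hex("$email|$ts", $SECRET);
}

# URL mailed to the user. Address and timestamp travel in the clear; the
# token proves this server issued that exact pair.
sub confirmation_url {
    my ($base, $email, $ts) = @_;
    $ts //= time;
    return sprintf '%s?email=%s&ts=%d&tok=%s',
        $base, uri_escape($email), $ts, make_token($email, $ts);
}

# Constant-time comparison so the check does not leak how many leading
# characters of a guessed token were right.
sub eq_const {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify the three query parameters that come back when the link is clicked.
# Returns (ok, reason); $now is overridable for testing.
sub verify_token {
    my ($email, $ts, $tok, $now) = @_;
    $now //= time;
    return (0, 'bad timestamp') unless defined $ts && $ts =~ /^\d+$/ && $ts <= $now + 60;
    return (0, 'expired')       if $now - $ts > $LIFETIME;
    return (0, 'bad token')     unless defined $tok && $tok =~ /^[0-9a-f]{64}$/;
    return (0, 'bad token')     unless eq_const(make_token($email, $ts), $tok);
    return (1, 'ok');
}

# Demo with a constructed address; in confirm.cgi the three values would
# instead be read from the query string.
if (!caller) {
    my $email = 'user@example.com';   # constructed sample address
    my $ts    = time;
    my $url   = confirmation_url('https://www.example.com/cgi-bin/confirm.cgi', $email, $ts);
    print "Mail this link: $url\n";

    my $tok = make_token($email, $ts);
    my ($ok, $why) = verify_token($email, $ts, $tok);
    print "genuine link: $why\n";                         # ok

    ($ok, $why) = verify_token('other@example.org', $ts, $tok);
    print "address swapped in the link: $why\n";          # bad token

    ($ok, $why) = verify_token($email, $ts, $tok, $ts + $LIFETIME + 1);
    print "link used after expiry: $why\n";               # expired
}
```

The saved search itself should only be stored against an address once `verify_token` returns ok, so an attacker who learns the form field names can at most cause one confirmation message per address to be sent, not a stream of search results to addresses that never asked for them.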
