Tutorial 3 - Part II - Flying into Formation - page 5

So that you better understand what you would be doing here, let's review the special characters and phrases listed on the previous page. One you may not be familiar with is "%0a" (the 0 is a zero, not the letter O). 0x0A is the hexadecimal value of the line feed (new line) character, and %0A is how that byte is written when URL-encoded in a form submission. This is the phrase spammers use most often to hijack your form and send mail to you and others: in a field that your script copies into a mail header, everything after a line feed becomes a new header line. Similarly, 0x0D/%0D is the carriage return. The term "cc:" stands for "carbon copy" and "bcc:" for "blind carbon copy"; both of these mail terms can be used by spammers to add their own recipients. Most of the other terms are also mail header terms that spammers can manipulate. Many of them can appear more than once in a message, such as "to:", "subject:", "content-type" (which can be switched in the middle of your email to "multipart/" mixed content) and "MIME-version". MIME stands for Multipurpose Internet Mail Extensions, the encoding standard that lets one message carry several parts and attachments; by inserting these headers a spammer can turn your plain message into a multipart one carrying their own content. By outlawing these mail terms from your form inputs, you can, as far as possible, prevent your form from being used by spammers.
If you choose to use this modified version to prevent "injection," you'll need to test it to make sure you copied the code correctly. Include one of the terms you outlawed, say "multipart/", in one of your input fields and submit the form. If all worked well, you should land on a page which says "Invalid input=" followed by whatever you typed before the outlawed term "multipart/". Notice that this time the offending phrase, "multipart/", does show up as invalid input (unlike a newline or carriage return, which are invisible when echoed back). By the way, there are other characters and phrases that won't appear as invalid input. A complete piece of PHP code will not show up after the words "Invalid input=", because the browser treats everything from the "less-than sign" to the closing "greater-than sign" as a tag and does not display it as text. Open PHP code - code that opens with a "less-than sign" and a question mark but has no closing question mark and "greater-than sign" - will show up as invalid input in Internet Explorer. You can try this for yourself if one of your outlawed characters is the "less-than" symbol (<). Put the following code in one of your form input boxes:
Your script shuts down because of the "less-than" symbol (<), but nothing shows up as invalid input. Now, if you have Internet Explorer, try the same PHP script but leave out the closing question mark and "greater-than" symbol (>). All of your invalid input will appear after the words "Invalid input=". This may or may not happen with other browsers. In both cases, though, your script shuts down whether or not your invalid input is displayed. While you're at it, try this HTML:
Place this HTML code in your first name input box or any other input box on your form and press the submit button. Then look at the title at the top of the resulting page: this simple form input has given your page a new title, because the rejected value is echoed into the page without being HTML-escaped, so the browser renders the tag instead of showing it as text. You might consider this one more reason for outlawing the "less-than sign" (and for passing anything you echo back to the user through htmlspecialchars()). So now you're tired of doing this form. You want it to be over with, but there's still at least one more thing that needs to be done. You have to limit the length of your inputs.
For one way to do this, continue on the next page.
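The following script is added here as a worked example and is not the tutorial's own form handler. It puts the pieces discussed on this page together: the outlawed-term check (line feed, carriage return, the %0a/%0d encodings and the mail header words), a length limit on each field, and HTML escaping of whatever is echoed on the "Invalid input=" page so that a <title> tag in a field cannot retitle the page. The field names, the 200-character limit and the three sample submissions are assumptions made up for the example; build_headers() only shows what an unchecked script would hand to mail().

```php
<?php
// Added example, not the tutorial's own script. Rejects the outlawed mail
// terms the tutorial lists, limits field length, and HTML-escapes whatever
// is echoed back on the "Invalid input=" page. Field names, the length limit
// and the sample submissions are assumptions made up for this example.

// Terms the tutorial outlaws. %0a and %0d are the URL-encoded forms of a
// line feed (0x0A) and carriage return (0x0D); PHP has already decoded $_POST
// by the time a script runs, so the raw bytes are checked as well.
const OUTLAWED_TERMS = [
    "\n", "\r", '%0a', '%0d',
    'to:', 'cc:', 'bcc:', 'subject:',
    'content-type', 'multipart/', 'mime-version',
    '<',
];

// Assumed maximum length per field (an illustrative value; the next page of
// the tutorial covers length limits).
const MAX_FIELD_LEN = 200;

// Return the first outlawed term found in $value, or null if it is clean.
// stripos() makes the match case-insensitive, so "BCC:" is caught as well.
function find_injection(string $value): ?string
{
    foreach (OUTLAWED_TERMS as $term) {
        if (stripos($value, $term) !== false) {
            return $term;
        }
    }
    return null;
}

// Validate every submitted field. Returns null when the form is clean, or
// ['field' => name, 'reason' => why] for the first field that fails.
function check_form(array $fields): ?array
{
    foreach ($fields as $name => $value) {
        $value = (string) $value;
        if (strlen($value) > MAX_FIELD_LEN) {
            return ['field' => $name, 'reason' => 'too long'];
        }
        $term = find_injection($value);
        if ($term !== null) {
            return ['field' => $name, 'reason' => 'contains ' . json_encode($term)];
        }
    }
    return null;
}

// What an unchecked script would hand to mail(): the submitter's address is
// pasted straight into a From: line. A line feed inside that address starts
// a new header line, which is how a Bcc: gets smuggled in.
function build_headers(string $from_address): string
{
    return "From: " . $from_address . "\r\n";
}

// Constructed sample submissions: a clean one, the classic Bcc: injection,
// and the <title> trick from the tutorial.
$clean = ['first_name' => 'Jane', 'email' => 'jane@example.com'];
$spam  = ['first_name' => 'Jane',
          'email' => "jane@example.com\nBcc: victim1@example.net, victim2@example.net"];
$html  = ['first_name' => '<title>New title</title>', 'email' => 'jane@example.com'];

echo "Headers an unchecked script would send for the spam submission:\n";
echo build_headers($spam['email']), "\n";

foreach ([$clean, $spam, $html] as $submission) {
    $hit = check_form($submission);
    if ($hit === null) {
        echo "ok - would send mail\n";
        continue;
    }
    // Escape before echoing, so a <title> or <script> in the rejected value
    // is displayed as text instead of being rendered by the browser.
    $shown = htmlspecialchars($submission[$hit['field']], ENT_QUOTES, 'UTF-8');
    echo "Invalid input= {$shown} (field '{$hit['field']}', {$hit['reason']})\n";
}
```

Run it from the command line with php and compare the three results: the clean submission passes, the second is rejected on the line feed before "Bcc:", and the third is rejected on "<" but is still displayed safely because it was escaped first. Note that a blacklist of header words is only as good as its completeness; the line feed and carriage return checks are the ones that actually stop a header from being appended, so never drop those two even if you relax the rest.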