PHP – Email Injection protection

A malicious spammer could use Email Injection to send large numbers of messages anonymously.

When a form is added to a Web page that submits data to a Web application, a malicious user may exploit the MIME format to append additional information to the message being sent, such as a new list of recipients or a completely different message body.

Because the MIME format uses a carriage return to delimit the information in a message, and only the raw message determines its eventual destination, adding carriage returns to submitted form data can allow a simple guestbook to be used to send thousands of messages at once.

The best way to stop e-mail injections is to validate the input.

HTML form:


<html>
<body>
<?php
function spamcheck($field)
  {
  // Sanitize e-mail address
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  // Validate e-mail address
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }
?>

<h2>Feedback Form</h2>
<?php
// display form if user has not clicked submit
if (!isset($_POST["submit"]))
  {
  ?>
  <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');?>">
  From: <input type="text" name="from"><br>
  Subject: <input type="text" name="subject"><br>
  Message: <textarea rows="10" cols="40" name="message"></textarea><br>
  <input type="submit" name="submit" value="Submit Feedback">
  </form>
  <?php 
  }
else
  // the user has submitted the form
  {
  // Check if the "from" input field is filled out
  if (isset($_POST["from"]))
    {
    // Check if "from" email address is valid
    $mailcheck = spamcheck($_POST["from"]);
    if ($mailcheck==FALSE)
      {
      echo "Invalid input";
      }
    else
      {
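      // spamcheck() validated a sanitized copy, so put that sanitized value in the header
      $from = filter_var($_POST["from"], FILTER_SANITIZE_EMAIL); // sender
      // header fields are delimited by line breaks, so strip them from the subject
      $subject = str_replace(array("\r", "\n"), " ", $_POST["subject"]);
      $message = $_POST["message"];
      // message lines should not exceed 70 characters (PHP rule), so wrap it
      $message = wordwrap($message, 70);
      // send mail
      mail("webmaster@example.com",$subject,$message,"From: $from");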
      echo "Thank you for sending us feedback";
      }
    }
  }
?>
</body>
</html>

How does it work?

1. Get the input data from the HTML form:

 <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');?>">
  From: <input type="text" name="from"><br>
  Subject: <input type="text" name="subject"><br>
  Message: <textarea rows="10" cols="40" name="message"></textarea><br>
  <input type="submit" name="submit" value="Submit Feedback">
 </form>

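2. The PHP script sends the form data to itself; the path is passed through htmlspecialchars() before it is written into the action attribute:

<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8');?>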

3. Check if the “from” input field is filled out

if (isset($_POST["from"]))

4. Send the “from” value to the function spamcheck()

$mailcheck = spamcheck($_POST["from"]);

5. spamcheck() function:
a. The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
b. The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address
c. It will return TRUE if it is all OK!

function spamcheck($field)
  {
  // Sanitize e-mail address
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  // Validate e-mail address
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

6. If it is FALSE, it prints the message “Invalid input”

$mailcheck = spamcheck($_POST["from"]);
    if ($mailcheck==FALSE)
      {
      echo "Invalid input";
      }

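7. If it is TRUE, it sends the message, using the sanitized address in the From header, and prints “Thank you for sending us feedback”

else
      {
      // spamcheck() validated a sanitized copy, so put that sanitized value in the header
      $from = filter_var($_POST["from"], FILTER_SANITIZE_EMAIL); // sender
      // header fields are delimited by line breaks, so strip them from the subject
      $subject = str_replace(array("\r", "\n"), " ", $_POST["subject"]);
      $message = $_POST["message"];
      // message lines should not exceed 70 characters (PHP rule), so wrap it
      $message = wordwrap($message, 70);
      // send mail
      mail("myemail@lucedigitale.com",$subject,$message,"From: $from");
      echo "Thank you for sending us feedback";
      }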
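
spamcheck() validates a sanitized copy of the field, so a raw value that still contains a line break can pass the check. The following added example (not code from the original post; spamcheck_page() and safe_from_header() are hypothetical names and the inputs are constructed) prints both checks side by side and returns the only string that should reach the From header:

```php
<?php
// Added example: function names and sample inputs are assumptions,
// not part of the original post.

// The check as written on this page: validates a sanitized COPY of the input.
function spamcheck_page(string $field): bool
{
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    return filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

// Hardened variant: rejects CR/LF outright, validates the raw value,
// and returns the exact string that may be placed in the header.
function safe_from_header(string $raw): ?string
{
    $raw = trim($raw);
    if (preg_match('/[\r\n]/', $raw)) {
        return null; // a header delimiter inside a header value
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample inputs
$samples = [
    'plain address'  => "visitor@example.com",
    'extra header'   => "visitor@example.com\r\nX-Injected: 1",
    'not an address' => "visitor at example dot com",
];

foreach ($samples as $label => $raw) {
    $safe = safe_from_header($raw);
    printf(
        "%-15s page check: %-6s raw has CR/LF: %-6s hardened: %s\n",
        $label,
        var_export(spamcheck_page($raw), true),
        var_export((bool) preg_match('/[\r\n]/', $raw), true),
        $safe === null ? 'rejected' : "From: $safe"
    );
}
```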

WordPress – Remove the update notice

If the WordPress admin area is used mainly by one of our clients, it can be useful to hide the notice about updates to new versions of WP.

Open blog/wp-content/themes/mytheme/functions.php

Add these lines at the top:

// Remove Admin Menu Update Available START
// (only hides the notice in the dashboard; update behaviour is unchanged)
add_action('admin_menu','wphidenag');
function wphidenag() {
remove_action( 'admin_notices', 'update_nag', 3 );
}
// Remove Admin Menu Update Available END

WordPress – Prevent theme switching

Open blog/wp-content/themes/mytheme/functions.php

Add these lines:

function remove_theme_menus() {
    global $submenu;  
    unset($submenu['themes.php'][5]);
    unset($submenu['themes.php'][15]);
}
add_action('admin_init', 'remove_theme_menus');


WordPress – Prevent page editing

Open blog/wp-content/themes/mytheme/functions.php

Add these lines:

add_action( 'pre_get_posts' ,'exclude_this_page' );
function exclude_this_page( $query ) {
        if( !is_admin() )
                return $query;
        global $pagenow;
        if( 'edit.php' == $pagenow && ( get_query_var('post_type') && 'page' == get_query_var('post_type') ) )
                $query->set( 'post__not_in', array(10,2,14) ); // array page ids
        return $query;
}

WordPress – Create a Site Specific PlugIn

A ‘Site Specific PlugIn’ is a WordPress plugin created solely to work within the current site.

Create and install:

Create the PHP file ‘yoursitename-plugin.php’ at blog/wp-content/plugins/yoursitename-plugin/yoursitename-plugin.php

The code:

<?php
/*
Plugin Name: Site Plugin for example.com
Description: Site specific code changes for example.com
*/

/* Start Adding Functions Below this Line */

 
/* Stop Adding Functions Below this Line */
?>

Activate:

LEFT COLUMN> PlugIns> ‘Site Plugin for example.com’> Activate
