www.webdeveloper.com

Thread: CGI Blank messages being received from the web page.

  1. #1
    Join Date
    Jan 2007
    Posts
    196

    Question CGI Blank messages being received from the web page.

    I have a website with the facility to send e-mails to the webmaster and the Hon Sec using CGI. There is a low level checking procedure which checks for a valid e-mail address by format a@b.c

    The system seems to work fine in that messages do get sent to both webmaster and secretary but messages won't be sent unless the sender supplies an email of the correct form (even though it is a made-up one).

    However recently we have both received completely blank messages. Can anyone explain to me what is happening?

    This is the CGI code:

    #!/usr/bin/perl -wT
    use CGI qw(:standard);
    use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
    use strict;

    my $title = param('title');
    my $first = param('firstname');
    my $surname = param('surname');
    my $em = param('email');
    my $loc = param('loc');
    my $comments = param('comments');
    my $fullname = "";

    if ($title ne "")
    { $fullname .= $title;}

    $fullname .= " ";
    $fullname .= $first;
    $fullname .= " ";
    $fullname .= $surname;

    print header;
    print start_html("Results");

    # Set the PATH environment variable to the same path
    # where sendmail is located:

    $ENV{PATH} = "/usr/sbin";

    # open the pipe to sendmail
    open (MAIL, "|/usr/sbin/sendmail -oi -t") or
    &dienice("Can't fork for sendmail: $!\n");

    # change this to your own e-mail address
    my $recipient = 'spiresgate@tiscali.co.uk';

    # Start printing the mail headers
    # You must specify who it's to, or it won't be delivered:

    print MAIL "To: $recipient\n";

    # From should probably be the webserver.

    print MAIL "From: JPAGg\n";

    # print a subject line so you know it's from your form cgi.

    print MAIL "Subject: JPAG Guestbook message\n\n";

    # Now print the body of your mail message.

    print MAIL "From: $fullname \( " . $em . " \)" . "\n\n";
    print MAIL "Location: $loc\n";
    print MAIL "Comments: $comments\n";

    # Be sure to close the MAIL input stream so that the
    # message actually gets mailed.

    close(MAIL);

    open GBTRIAL, ">>GBFile.txt";
    print GBTRIAL $fullname;
    print GBTRIAL ", ";
    print GBTRIAL $loc;
    print GBTRIAL "\n";
    print GBTRIAL $comments;
    print GBTRIAL "\n";
    print GBTRIAL "\n";
    close GBTRIAL;

    # Now print a thank-you page

    print <<EndHTML;
    <h2>Thank You</h2>
    <p>Thank you for writing!</p>
    <p>Use Back Button to return to previous pages.</p>

    <p>Your message was as follows</p>
    <p>$comments</p>

    <p>From: $fullname $loc $em</p>
    EndHTML

    print end_html;

    # The dienice subroutine handles errors.

    sub dienice {
    my($errmsg) = @_;
    print "<h2>Error</h2>\n";
    print "<p>$errmsg</p>\n";
    print end_html;
    exit;
    }

  2. #2
    Join Date
    Sep 2007
    Posts
    40
    Quote Originally Posted by spiresgate View Post
    I have a website with the facility to send e-mails to the webmaster and the Hon Sec using CGI. There is a low level checking procedure which checks for a valid e-mail address by format a@b.c

    The system seems to work fine in that messages do get sent to both webmaster and secretary but messages won't be sent unless the sender supplies an email of the correct form (even though it is a made-up one).

    However recently we have both received completely blank messages. Can anyone explain to me what is happening?
    This should fix the blank issues

    if (($first eq "") || ($surname eq "") || ($em eq "") || ($loc eq "") || ($comments eq ""))
    {
    if ($first eq "")
    { &dienice("You did not enter your first name"); }

    if ($surname eq "")
    { &dienice("You did not enter your last name"); }

    if ($em eq "")
    { &dienice("You did not enter your e-mail address"); }

    if ($loc eq "")
    { &dienice("You did not enter your location"); }

    if ($comments eq "")
    { &dienice("You did not enter a comment"); }
    }

    And put that block after the fullname declaration.

  3. #3
    Join Date
    Jan 2007
    Posts
    196
    Thanks for that. I'll incorporate your suggestion.

    However I can't replicate the phenomenon from the client side as the e-mail check prevents anything being sent anyway. I suspect your extra code just does the same blocking. My real question is how is something getting through even when the e-mail check should stop it?

  4. #4
    Join Date
    Sep 2007
    Posts
    40
    Quote Originally Posted by spiresgate View Post
    Thanks for that. I'll incorporate your suggestion.

    However I can't replicate the phenomenon from the client side as the e-mail check prevents anything being sent anyway. I suspect your extra code just does the same blocking. My real question is how is something getting through even when the e-mail check should stop it?
    Yes, that code will block the form from going through unless there's data in every field.

    Can you please post either the form or a link to it? I did not see the e-mail validation piece in there.

    One other thought - and I've seen this myself at times from forms I've created - is that someone's submitting blank forms with a fake e-mail that meets the format reqs to see if they can fish out the recipient address and spam it.

  5. #5
    Join Date
    Jan 2007
    Posts
    196
    Thanks again.

    The website is at

    www.jpag.org

    and the cgi functions are through buttons WEBMASTER, HON SECRETARY and GUESTBOOK.

    I haven't added your additional blocking scripts, pending any further light you can throw. You may be right about phishing.

  6. #6
    Join Date
    Jan 2007
    Posts
    196
    Ah!


    This may be the answer:

    The e-mail check is in the form script.

    Is it possible for someone to remove the script and send blank messages?

    I presume your suggested script goes into the cgi (which I posted initially)?

  7. #7
    Join Date
    Sep 2007
    Posts
    40
    Quote Originally Posted by spiresgate View Post
    Ah!


    This may be the answer:

    The e-mail check is in the form script.

    Is it possible for someone to remove the script and send blank messages?

    I presume your suggested script goes into the cgi (which I posted initially)?
    As far as the JavaScript, that's just checking for a format of a@b.c. So, I could enter a@b.c as my e-mail and send blank messages. However, since the sending is done through the CGI, there's no way for them to see where it's going to.

    Yes, those fixes go into the CGI script. I have an idea for a much more streamlined approach to the entire guestbook. If you can wait until about 11/25, I should be able to send it over (as I have several other priorities this weekend and early next week). If not, I would suggest adding what I posted earlier and also this as a check at the open GBTRIAL point:

    if ((length($comments) < 5) || ((length($comments) >= 5) && ($comments =~ /^ /)))
    { &dienice("You did not enter a comment"); }
    else
    { [start of block with open GBTRIAL to above sub dienice] }

    That code above should trap anyone who's trying to send blank messages and force them back to the guestbook entry screen.

    Hope this helps,

  8. #8
    Join Date
    Dec 2002
    Location
    Pleasanton, CA
    Posts
    2,132
    Quote Originally Posted by spiresgate View Post
    Is it possible for someone to remove the script and send blank messages?
    YES!
    EVERYTHING, cookies, hidden-field data, checkbox data, etc that is sent to the server from a website should be validated.

    It is really easy to create a form on my desktop and point it to your server. I can now send anything I want straight from my desktop to your server.
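
    The direct submission Nedals describes, as an added example that is not part of the thread: a Perl script that posts the guestbook fields straight to the CGI with HTTP::Tiny (a core module), never loading the page, so the form's a@b.c JavaScript check never runs. The URL is a placeholder to be replaced with the real CGI path; the field names are the ones the posted CGI reads with param(), and the values are exactly the blank-except-for-a-plausible-address submission that produces an empty message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Added example, not code from the thread. Submits the guestbook form
# without a browser, so any JavaScript on the page is simply not involved.

# Assumed target: substitute the real CGI URL on your own server.
my $url = 'http://www.example.com/cgi-bin/guestbook.cgi';

# Field names match the param() calls in the posted CGI. The address has
# the a@b.c shape the JavaScript looks for; everything else is empty,
# which is what arrives in the webmaster's inbox as a blank message.
my %form = (
    title     => '',
    firstname => '',
    surname   => '',
    email     => 'a@b.c',
    loc       => '',
    comments  => '',
);

my $http = HTTP::Tiny->new(timeout => 10);
my $res  = $http->post_form($url, \%form);   # application/x-www-form-urlencoded POST

printf "%s %s\n", $res->{status}, $res->{reason};
print $res->{content} if $res->{success};    # the "Thank You" page comes back as usual
```

    The same request from a shell is one line, `curl -d 'firstname=&surname=&email=a@b.c&loc=&comments=' URL`, which is why nothing the browser checks can be relied on: the server only ever sees the encoded fields, not the page they were supposed to come from.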

  9. #9
    Join Date
    Jan 2007
    Posts
    196
    Windycitycoder

    Thanks for your help so far. However I am having problems with the code you sent. It returns an internal server error.
    I only use cgi rather tentatively and may be misreading your script. I changed ne to != and eq to ==. Is that right?

    Nedals

    Do you mean that every field should be filled in? Sometimes I don't mind if a field is left blank. Or does validation have a more subtle meaning in this context? As windycitycoder points out the javascript for the form is to check the form rather than a security block. Is what you call validation with reference to the cgi?

  10. #10
    Join Date
    Dec 2002
    Location
    Pleasanton, CA
    Posts
    2,132
    Quote Originally Posted by spiresgate View Post
    Do you mean that every field should be filled in? Sometimes I don't mind if a field is left blank. Or does validation have a more subtle meaning in this context? As windycitycoder points out the javascript for the form is to check the form rather than a security block. Is what you call validation with reference to the cgi?
    Fields can be blank, but if they are filled in, in your .cgi script check that the content is what you expect. A user can easily skip all javascript checks.

  11. #11
    Join Date
    Jan 2007
    Posts
    196
    Thanks to you both for helping to clarify the concepts in my mind.

    If I can recap:

    1 Javascript is OK for checking fields are appropriately filled in before the form is submitted, but does not constitute a security device.

  12. #12
    Join Date
    Jan 2007
    Posts
    196
    Sorry! Pressed the wrong button

    Thanks to you both for helping to clarify the concepts in my mind.

    If I can recap:

    1 Javascript is OK for checking fields are appropriately filled in before the form is submitted, but does not constitute a security device.

    2 I was being lazy copying windycitycoder's code without trying to understand it. I presume some of the code is the check and goes in the first part, but the message to be returned to the submitter goes elsewhere.

    I'll work on it and try and solve it before windycitycoder rejoins us after the 25th.

  13. #13
    Join Date
    Dec 2002
    Location
    Pleasanton, CA
    Posts
    2,132
    A few notes to keep you going.
    Quote Originally Posted by spiresgate View Post
    Windycitycoder
    Thanks for your help so far. However I am having problems with the code you sent. It returns an internal server error.
    I only use cgi rather tentatively and may be misreading your script. I changed ne to != and eq to ==. Is that right?
    When you say 'It returns an internal server error.', does it tell you what the error is or just something like '500: internal server error'
    You wisely included 'use CGI::Carp qw(warningsToBrowser fatalsToBrowser);'.
    That should have returned a description of the error. If it did not, you may have a problem with your method of upload.

    >>> I changed ne to != and eq to == Is that right?
    In your case, no
    eq, ne, lt, gt are used when comparing strings
    ==, !=, <, > are used when comparing numbers.

    if ($first eq "") { &dienice("You did not enter your first name"); }
    You do not need to compare a string to 'null' (""). In perl a null or 0 is false. This might be better written...
    dienice("You did not enter your first name") unless ($first);

    You also do not need the leading '&' in current versions of Perl.
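
    Server-side checks for the posted CGI, pulling together windycitycoder's field and comment-length tests (posts #2 and #7) and Nedals's point that the script must validate for itself (post #10). This is an added example, not code from the thread; the required/optional split, the minimum comment length and the sample submissions are assumptions. Two caveats a practitioner would want. First, on the `unless ($first)` form suggested above: in Perl the string "0" is also false, so that test would treat a field containing just 0 as missing, which is why the example compares with eq instead. Second, on the Internal Server Error mentioned in post #9: the posted dienice() prints HTML straight away, so if the validation block sits before `print header`, the web server sees output before a Content-Type line and reports a malformed script header as a 500. Keeping the check after `print header; print start_html("Results");` avoids that.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the thread. Server-side checks for the
# guestbook CGI: run on the submitted values whatever the browser did,
# because the page's JavaScript may never have run at all.

# Assumed split: these must be filled in; title and loc may be left blank
# but are still trimmed and checked for line breaks when present.
my @REQUIRED    = qw(firstname surname email comments);
my @OPTIONAL    = qw(title loc);
my $MIN_COMMENT = 5;   # assumed; windycitycoder's post used the same figure

# The a@b.c shape the form's JavaScript accepts: no whitespace, one '@',
# at least one dot after it. It proves nothing about the address existing.
my $EMAIL_RE = qr/^[^\s\@]+\@[^\s\@]+\.[^\s\@]+$/;

# Takes a hash ref of field => submitted string, trims each value in place,
# and returns a list of problems. An empty list means the submission is good.
sub validate_guestbook {
    my ($f) = @_;
    my @errors;

    for my $name (@REQUIRED, @OPTIONAL) {
        my $v = defined $f->{$name} ? $f->{$name} : '';
        $v =~ s/^\s+|\s+$//g;       # a lone space no longer counts as "filled in"
        $f->{$name} = $v;

        # The values go into a message piped to 'sendmail -t', which reads
        # its headers from that message. Refuse anything that could start a
        # new line, so a field can never be turned into an extra header.
        push @errors, "$name contains a line break" if $v =~ /[\r\n]/;
    }

    for my $name (@REQUIRED) {
        # eq '' rather than 'unless ($f->{$name})': the string "0" is false
        # in Perl and would otherwise be reported as missing.
        push @errors, "You did not enter your $name" if $f->{$name} eq '';
    }

    push @errors, 'E-mail address is not in the form a@b.c'
        if $f->{email} ne '' && $f->{email} !~ $EMAIL_RE;

    push @errors, "Comment must be at least $MIN_COMMENT characters"
        if $f->{comments} ne '' && length($f->{comments}) < $MIN_COMMENT;

    return @errors;
}

# Constructed sample submissions: the kind that produces a blank e-mail once
# the JavaScript is bypassed, and an ordinary one.
my %blank = (title => '', firstname => '', surname => '', email => 'a@b.c',
             loc => '', comments => '   ');
my %good  = (title => 'Mr', firstname => 'John', surname => 'Smith',
             email => 'john@example.com', loc => 'Oxford',
             comments => 'Enjoyed the concert.');

for my $submission (\%blank, \%good) {
    my @err = validate_guestbook($submission);
    my $out = @err ? join("\n", @err) : 'accepted';
    print "$out\n---\n";
}

# Wiring it into the posted CGI: build the hash from param(), keep the check
# after 'print header; print start_html("Results");' so that dienice()'s HTML
# follows a Content-Type line, and hand dienice() the joined error list.
#
#   my %f = map { ($_ => scalar param($_)) } qw(title firstname surname email loc comments);
#   if (my @errors = validate_guestbook(\%f)) { dienice(join '<br>', @errors) }
#
# Under -T the trimmed values stay tainted, which is fine here: they are only
# printed into the mail body and the guestbook file, never passed to a shell
# or used as a filename.
```

    Run on the two constructed submissions, the first is rejected with the missing-field messages for firstname, surname and comments (the three spaces trim to nothing), and the second is accepted. The error strings contain only field names, so passing them to dienice() puts no user-supplied text into the page.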

  14. #14
    Join Date
    Jan 2007
    Posts
    196
    Thanks Nedals

    The error message I get when I include windycitycoder's code (or your shortened version) is

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, spiresgate@aol.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    So it would appear to be trapping an error but not responding to the specific error of missing fields.

    Searching the forum for similar problems I've discovered the code was originally given to me by windycitycoder in September last year so I guess I haven't progressed much.

    The problem seems to lie in the definition of the dienice function.

  15. #15
    Join Date
    Dec 2002
    Location
    Pleasanton, CA
    Posts
    2,132
    Just to clarify...
    Does the exact code you originally posted (first post) work as expected but allows blank messages?

    Just noticed. Rewrite this line as shown here
    use CGI::Carp(qw/warningsToBrowser fatalsToBrowser/);

    The dienice() sub looks fine and should not be causing a problem
