On the Ideanode site, there are a few important forms that go to email addresses that copy me on my phone.
Last night as I was fitfully getting to sleep, spammers abused these forms with scripts that sent a blast of email to my phone, blasting me awake with a cavalcade of well-meaning tones.
Slogging through it, it looks like the culprit is the poor ‘mail’ function in the Personal Home Page language. Since there is no specific argument for the From: sender in PHP, you have to manually specify it at the end as a ‘custom header’:
mail($mail_recipient, $subject, $mail_body, "From: $final_from\r\n");
This, sadly, leaves a Mack-truck-sized hole through which spammers can drive: because that fourth argument is passed straight through as raw header text, anyone filling in the form can tack on a massively long list of additional recipients, Bccs, etc., and turn your unsuspecting mail form into a spammer’s delight.
Yes, it’s simple to wrap a regex check around it to prevent it, or use something like SmartMailer, but really, should I have to? Should I accept a mail function that doesn’t presume the need of a separate From: address and do a little sanity checking around it? It reminds me why I never enjoyed my time with PHP—it’s a big pot of Stone Soup that everybody just threw whatever they needed into, all with clumsy definition, no review, and no overriding design philosophy.
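The "regex check" mentioned above, as an added example that is not code from the original post: a wrapper that refuses From: values containing CR or LF (the characters that turn one header line into several) and validates the address with filter_var before handing it to mail(). Function and variable names are assumed.

```php
<?php
// Added example, not from the original post. Names are hypothetical.

// Return a clean address, or null if the input must not go into a header.
function safe_from_address(string $input): ?string {
    $candidate = trim($input);
    // mail() passes the fourth argument to the MTA as raw header text, so an
    // embedded "\r\n" starts a new header (Bcc:, Cc:, To:) chosen by the sender.
    if (preg_match('/[\r\n\0]/', $candidate)) {
        return null;
    }
    // Require exactly one syntactically valid address and nothing else.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

function send_contact_mail(string $recipient, string $subject,
                           string $body, string $user_from): bool {
    $from = safe_from_address($user_from);
    if ($from === null) {
        // Log the rejection with control characters escaped for review.
        error_log('mailform: rejected From value: '
                  . addcslashes($user_from, "\0..\37\177"));
        return false;
    }
    // Subject is header data too; flatten any line breaks in it.
    $subject = str_replace(["\r", "\n"], ' ', $subject);
    return mail($recipient, $subject, $body, "From: $from\r\n");
}

// Constructed inputs for demonstration.
$samples = [
    'alice@example.com',                          // accepted
    "alice@example.com\r\nBcc: other@example.com", // rejected: extra header line
    'not an address',                             // rejected: fails validation
];
foreach ($samples as $s) {
    $result = safe_from_address($s);
    echo json_encode($s), ' => ', ($result === null ? 'REJECTED' : 'ok'), PHP_EOL;
}
```

Note that filter_var alone would also reject the injected sample, but the explicit CR/LF check keeps the policy visible and covers any other header value you later build from user input.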
I’ll spend my time in the Cathedral of Rails, thanks.