RE: [PBML] About TFmail
Alphonse Langueduc <kjhseka@...> wrote:
: I downloaded TFmail and read it. I find it's difficult
: to understand and maintain, I would better need
: something simpler, but secure. Perhaps I do not need
: such complexity.
You seem to be confusing simple with well written.
TFMail is complex, but it is well written. It is also
open-source. If you find a better way to do something
you can submit a patch and get feedback on your way.
Simpler scripts are not necessarily better scripts.
For example, your simple script doesn't do taint
checking. This feature is built-in to perl and you have
left it off. Taint-checking in perl CGI scripts is
: My form only asks for :
: A full name
: An email address
: A subject
: A body message
: The only thing I really need is preventing spammers to
: use the email field to attach information to the email
: headers. I think that a simple function with some
: regular expressions would solve the problem.
You should have explained this requirement when you
asked the question. You came to the list with a problem
and I offered a solution based on both my experience with
programming perl CGI applications and my experience
answering questions like yours. If you wish to place
limitations on the advice you receive, you need to
specify those limitations.
Do you know that your form processing routine is
secure? I don't know. It is very simple, but I don't
*know* there are no bugs in there. Your script doesn't
handle multiple values of parameters. Does it handle
semi-colons in urls? Here's a form processor that I can
absolutely *know* is secure and very well tested:
my $q = CGI->new();
I can now obtain any parameter from a form that I
want. I can be assured that this will work on any
platform perl runs on. I know it has been tested untold
times and patched long before I even started learning
perl. The code base is HUGE. And I use it in every perl
CGI script I write. Draw your own conclusions.
And the problems with your simple script don't
stop there. Only very brave people implement sendmail
without a module. Have you tested the spamming method
you mentioned (with a list of your own email addresses)
on the body section of the form?
: 800+ lines of code are really necessary just for that?
Not for just that, no. But you have not demonstrated
skills to write a program that would be smaller and still
be secure. You might, in time, acquire those skills, but
the learning curve to configure TFMail is shorter than
that of writing advanced custom cgi perl scripts.
: Furthermore, a simpler script is more easy to maintain
: and modify.
A well written script is easy to maintain and modify.
Well written scripts tend to be more complex, though I
have maintained some very poorly written, very complex
: I periodically need to change the forms and the processing
: needs. And finally deal with a simpler script is better to
: learn writing better scripts.
And TFMail already has that processing in it. One program,
many uses. TFMail is not the end all of FormMail scripts. Your
original post indicated you needed an immediate solution to an
insecure script. Since I trust the people at NMS, I looked for
a program that they had which would perform what you needed.
I will probably never use TFMail for my own site, but then
I wouldn't email information from a form to myself. I'd create
an XML document in RSS format and periodically check it with
an RSS reader. TIMTOWTDI.
Charles K. Clarkson
Mobile Homes Specialist
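
The header-field check discussed in this thread, as an added example that is not part of the original message or of TFmail: it runs under taint mode, reads parameters through CGI.pm, and rejects any name, subject or email value containing a line break. The helper names, length limits, address pattern and sample submissions are assumptions made for illustration; the message body is not covered here.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as a CGI or with `perl -T`.
use strict;
use warnings;
use CGI;    # assumption: CGI.pm is installed (not in core since Perl 5.22)

# Return an untainted copy of a single-line header value, or undef.
# A CR or LF in a header field would begin a new mail header, so reject it.
sub clean_header {
    my ($value, $max) = @_;
    return undef unless defined $value && length($value) <= $max;
    # \A and \z anchor the whole string; "$" would allow a trailing newline.
    return $value =~ /\A([^\r\n\0]+)\z/ ? $1 : undef;
}

# Deliberately narrow address pattern (an assumption of this sketch): one
# mailbox, no display name, no spaces or commas that could add recipients.
sub clean_email {
    my $line = clean_header($_[0], 254);
    return undef unless defined $line;
    return $line =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/
        ? $1 : undef;
}

# Validate one submission; returns (hashref of clean fields, list of bad names).
sub check_form {
    my ($q) = @_;
    my (%clean, @bad);
    # scalar() takes one value even when a parameter was submitted twice.
    $clean{name}    = clean_header(scalar $q->param('name'),    100);
    $clean{subject} = clean_header(scalar $q->param('subject'), 150);
    $clean{email}   = clean_email(scalar $q->param('email'));
    @bad = grep { !defined $clean{$_} } sort keys %clean;
    return (\%clean, @bad);
}

# Constructed sample submissions; CGI->new accepts a hash ref of parameters.
my @samples = (
    { name => 'Ann Example', email => 'ann@example.com', subject => 'Hello' },
    { name => 'Ann Example', subject => 'Hello',
      email => "ann\@example.com\nBcc: list\@example.net" },
    { name => 'Ann Example', email => 'ann@example.com',
      subject => "Hello\r\nContent-Type: text/html" },
);

for my $i (0 .. $#samples) {
    my ($clean, @bad) = check_form(CGI->new($samples[$i]));
    print "sample $i: ", (@bad ? "rejected (@bad)" : "accepted"), "\n";
}
```

Only the values returned in the clean hash should ever reach a mail module; the raw parameters stay tainted and unused.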