[Mimedefang] OT: Email web form exploits

David F. Skoll dfs at roaringpenguin.com
Wed Sep 7 10:27:55 EDT 2005


WBrown at e1b.org wrote:

> Isn't that called input validation and something that should be done 
> anyways?

True.  But some input validation is a bit aggressive.  How many broken
Web forms out there don't permit "+" in an e-mail address?  And my
colleague, Dave O'Neill, can tell lots of horror stories about how his
name is mangled by aggressive-but-incorrect SQL-injection
countermeasures. :-(

Regards,

David.



More information about the MIMEDefang mailing list