Web Wiz Forums - E-mail Notify problem with Comcast Addys

Print Page | Close Window

E-mail Notify problem with Comcast Addys

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=16164
Printed Date: 13 April 2026 at 9:10pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com

Topic: E-mail Notify problem with Comcast Addys

Posted By: niugiovanni
Subject: E-mail Notify problem with Comcast Addys
Date Posted: 09 August 2005 at 7:08pm

I'm having some problems with my WebWiz forums not being able to mail out to Comcast Addresses. I've been through the code and can't seem to find the issue.

An e-mail that is entered by the user as this:

mailto:someone@comcast.net - someone@comcast.net

will actually be mailed by the software as this:

mailto:someone@comcast.net - someone mailto:someone@comca - @comca st.net

It seems as the the "S" is being replaced by an "s"

Anyone have any ideas or solutions?

Thanks

Replies:

Posted By: dpyers
Date Posted: 09 August 2005 at 10:10pm

The forum encodes certain character strings that users enter to prevent sql injection attacks. Might be a good idea to include functions/functions_filters.asp in functions/send_mail.asp and run the email address through the decodeString function before putting it in the "To" field of whatever email component you're using.

-------------

Lead me not into temptation... I know the short cut, follow me.

Posted By: JJLatWebWiz
Date Posted: 10 August 2005 at 12:00pm

"cast" gets converted to "cast" to prevent the SQL function "CAST" from being injected. I found that the sendmail() function in pm_post_message.asp uses the decodeString() function to decode the username and email addresses. However, in email_messenger.asp, all the variables are sent to the sendmail() function raw.

This is definitely a bug in 7.92 that seems to also exist at least as far back as 7.01. It seems to me that the best solution is to use the decodeString() function inside the sendmail() function itself. This more safely assumes the input is not sanitized.

In functions_send_mail.asp (in the forum/functions folder and the forum/admin/functions folder), immediately below the line "Function SendMail(...), add the following:

strRecipientEmailAddress = decodeString(strRecipientEmailAddress)
strRecipientName = decodeString(strRecipientName)
strFromEmailName = decodeString(strFromEmailName)
strFromEmailAddress = decodeString(strFromEmailAddress)

That should ensure that all the incoming data is restored before actually attempting to send mail.

Posted By: niugiovanni
Date Posted: 10 August 2005 at 3:30pm

Awesome Suggestion! Thanks so much. I figured it had to do with security but just couldn't find the reference. Thanks again!

Gio