[Phpwm] Securing feedback forms
David Goodwin
david at codepoets.co.uk
Tue Oct 31 19:09:31 GMT 2006
> So, basically, as has already been said, run your recipient's address
> through a regex to make sure it's got no nasty chars (like returns,
> newlines, less/greater than signs, semi colons etc).
The nasty characters, when using mail(), are \r\n (as far as I know), which
result in a new line being entered when the mail is passed to sendmail
- which leads to header injection (e.g. cc, bcc etc.).
So, strip_tags and trim aren't enough. And addslashes is probably
useless/pointless in this context.
There's a great article online which covers this - namely :
http://www.securephpwiki.com/index.php/Email_Injection
One way around the problem, is to use PEAR::Mail instead.
thanks
David.
--
David Goodwin
[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk ]
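An added example (not from the post or the list): a small PHP check that refuses, rather than strips, any recipient or subject containing the CR/LF characters the message describes, so nothing can start a new header line before it reaches mail(). The sender address and the sample inputs are constructed.

```php
<?php
// Added example, not code from the original post. mail() hands its
// headers to sendmail, so a CR or LF inside a user-supplied header
// value begins a new header line (Cc:, Bcc:, ...). Reject such input.

function hasHeaderInjection(string $value): bool
{
    // CR, LF or NUL have no place in a single header value.
    return (bool) preg_match('/[\r\n\0]/', $value);
}

function safeRecipient(string $address): ?string
{
    $address = trim($address);
    if (hasHeaderInjection($address)) {
        return null;
    }
    // filter_var also rejects embedded whitespace, <, > and ; characters.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false ? $address : null;
}

function sendFeedback(string $to, string $subject, string $body, string $replyTo): bool
{
    $to      = safeRecipient($to);
    $replyTo = safeRecipient($replyTo);
    if ($to === null || $replyTo === null || hasHeaderInjection($subject)) {
        return false; // refuse to send instead of stripping and hoping
    }
    // The body may legitimately contain newlines; the headers may not.
    $headers = "From: feedback@example.com\r\nReply-To: $replyTo"; // constructed sender
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs: the second carries a newline and an extra header.
var_dump(safeRecipient("user@example.com"));                          // string
var_dump(safeRecipient("user@example.com\r\nBcc: other@example.net")); // NULL
```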