Greg Schnippel wrote:
>> I'll reply soon off list, as I don't think it appropriate to give
>> potential spammers an archive full of new tricks.
>
> I don't know -- I think it's always better to discuss this in the open
> if there is a real security risk that people should be aware of.

I tend to agree on things like this. If it's a generic problem then I
think it does everyone some good to discuss it in the open. Although I
can see the point of not discussing specific problems with specific
applications, at least not until a fix is in and notices have been sent
out. Then I think it falls back to the "it does everyone some good to
have it in the open" scenario. I learn a lot from my mistakes, but I also
learn from others' mistakes too, if I'm given the chance.

> 2) I believe that since the mail function already sent out the
> headers, any subsequent "headers" would just be ignored. Or they would
> be treated as text since they occurred in the message portion and not
> parsed literally.

I was wondering the same thing. That it would just send the message and
the MTAs would ignore any other addresses listed in the actual message
text.

> Not sure that there is any risk here, but I'm shrouding my contact
> script (changing the form variables and script name to something less
> obvious) just in case.
>
> - Greg

I think I'm just going to generate some random number to submit to the
processor and if it's not there then ignore it.
--
PHP General Mailing List (http://www.php.net/)
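The random-number check described in the last reply, sketched as an added example (it is not code from anyone in this thread). All function names, the `form_token` session key and the field names are assumptions, and the line-break check on fields that end up in mail headers is an addition that goes beyond what the thread proposes.

```php
<?php
// Added example: one-time form token plus a line-break check on header fields.
// Every name below (functions, 'form_token', field names) is hypothetical.

// Call when rendering the form; put the result in a hidden input.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

// The token must be present, match in constant time, and is single-use.
function check_form_token(array &$session, $submitted): bool
{
    $expected = $session['form_token'] ?? null;
    unset($session['form_token']);
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Values placed in mail headers (From, Subject) must not carry a line break.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a rejection reason, or null when the fields may go to mail().
function handle_contact_post(array &$session, array $post): ?string
{
    if (!check_form_token($session, $post['token'] ?? null)) {
        return 'missing or stale token';
    }
    foreach (['email', 'subject'] as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || has_header_break($value)) {
            return "bad $field";
        }
    }
    return null;
}

// Constructed sample run; a plain array stands in for $_SESSION.
$session = [];
$good = ['email' => 'a@example.com', 'subject' => 'hello'];
var_dump(handle_contact_post($session, $good)); // case: token never issued
$good['token'] = issue_form_token($session);
var_dump(handle_contact_post($session, $good)); // case: valid token
var_dump(handle_contact_post($session, $good)); // case: same token replayed
$bad = ['token' => issue_form_token($session), 'email' => 'a@example.com', 'subject' => "two\r\nlines"];
var_dump(handle_contact_post($session, $bad)); // case: line break in a header field
```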