I think you're thinking of "spam injection" through register_globals. If so, yes it is vulnerable. You need to force the variable data to come from the $_POST variable:

[code]
// Read each form field explicitly from $_POST
$name = $_POST['name'];
$phone = $_POST['phone'];
$user_mail = $_POST['user_mail'];
$my_email = $_POST['my_email'];

$usermailmsg = "This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n
...
Please feel free to write us with any comments or suggestions so that we may better serve you.\n
mailto:$my_email\n\n";

mail("$user_mail", "$subject", "$usermailmsg", "$headers");
[/code]

--
Sincerely,
A.J. Brown

"Peppy" <peppy@xxxxxxxxxxx> wrote in message news:00b601c5c3b0$b6b78cb0$990bfd04@xxxxxxxx

I have been working on making my contact forms more secure. In my research, the occurrence of the new line character \n at the end of the $headers variable in the mail function seems to be a security risk and opens one up to injection of spam email. This part I understand. I have been unable to find out this same information about the message variable. If I have a variable defining the message like this, can I use the new line character or am I opening myself up to more spam injection?

$usermailmsg = "This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n
...
Please feel free to write us with any comments or suggestions so that we may better serve you.\n
mailto:$my_email\n\n";

mail("$user_mail", "$subject", "$usermailmsg", "$headers");

Thanks in advance for any help.

--
PHP General Mailing List (http://www.php.net/)
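An added example, not part of either poster's message: it separates the values that reach mail()'s header arguments (recipient, subject, extra headers), which are rejected if they contain CR or LF, from the message body, where \n is ordinary text. The function names, the fixed subject, the site address and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; function names and sample values are hypothetical.

// A value bound for a header (To, Subject, From) must not contain CR or LF:
// a line break there starts a new header line.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Build the four mail() arguments from form input, or return null when a
// header-bound field fails validation. mail() itself is not called here,
// so the example runs without a mail server.
function build_contact_mail(array $post, string $my_email): ?array
{
    $user_mail = trim($post['user_mail'] ?? '');
    $name      = $post['name'] ?? '';
    $phone     = $post['phone'] ?? '';

    // FILTER_VALIDATE_EMAIL rejects line breaks and comma-separated lists.
    if (filter_var($user_mail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $subject = 'Your submission';   // fixed text, never taken from input
    $headers = "From: $my_email";   // site-owned address from configuration
    if (!header_safe($subject) || !header_safe($headers)) {
        return null;
    }

    // Body text: newlines here are content, not header separators.
    $body = "This is the information you submitted.\n"
          . "If this is not correct, please contact us at mailto:$my_email.\n\n"
          . "Name: $name\nPhone: $phone\n";

    return [$user_mail, $subject, $body, $headers];
}

// Constructed sample input: the second entry carries an extra header line
// in the address field and must be refused.
$good = ['user_mail' => 'visitor@example.com', 'name' => "Ann\nLee", 'phone' => '555-0100'];
$bad  = ['user_mail' => "visitor@example.com\r\nBcc: list@example.net", 'name' => 'x', 'phone' => 'y'];

var_dump(build_contact_mail($good, 'contact@example.com') !== null);
var_dump(build_contact_mail($bad, 'contact@example.com') !== null);
```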