Re: mail function-new line-security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think you're thinking of "spam injection" through register_globals.  If 
so, yes it is vulnerable.

You need to force the variable data to come from the $_POST variable:

[code]

$name = $_POST['name'];
$phone = $_POST['phone'];
$user_mail = $_POST['user_mail'];
$my_email = $_POST['my_email'];

$usermailmsg =
"This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n

...
Please feel free to write us with any comments or suggestions so that we may 
better serve you.\n
mailto:$my_email\n\n";;

mail("$user_mail", "$subject", "$usermailmsg", "$headers");

[/code]
-- 

Sincerely,

A.J. Brown


""Peppy"" <peppy@xxxxxxxxxxx> wrote in message 
news:00b601c5c3b0$b6b78cb0$990bfd04@xxxxxxxx
I have been working on making my contact forms more secure.  In my research, 
the occurence of the new line character \n at the end of the $headers 
variable in the  mail function seems to be a security risk and opens one up 
to injection of spam email.  This part I understand.  I have been unable to 
find out this same information about the message variable.

If I have a variable defining the message like this, can I use the new line 
character or am I opening myself up to more spam injection.

$usermailmsg =
"This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n
...
Please feel free to write us with any comments or suggestions so that we may 
better serve you.\n
mailto:$my_email\n\n";;

mail("$user_mail", "$subject", "$usermailmsg", "$headers");

Thanks in advance for any help.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux