This issue has probably been discussed more than I've been able to find in the archive, so I'm sorry if I'm going over old ground.

I'm trying to make sure my email form cannot be used for spam or injecting additional code and addresses in any way. So far I'm able to remove bcc, cc, to, etc but unable to remove \n & \r. If I could do that I'd consider it fairly secure. As you'll see below, I've been trying various ways of doing it.

<snip>
// CHECK FOR SPAM ATTEMPTS AND REMOVE THEM
$Email = stripslashes($Email);
$Senders_Name = stripslashes($Senders_Name);
$Message = stripslashes($Message);
$recipient = stripslashes($recipient);
$subject = stripslashes($subject);

$Email = preg_replace( "/[\n\r]+/", " ", $Email );

// Remove injected headers
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$Email = preg_replace($find, "", $Email);
$Senders_Name = preg_replace($find, "", $Senders_Name);
$Message = preg_replace($find, "", $Message);
$recipient = preg_replace($find, "", $recipient);
// $message = preg_replace($find, "", message);

// $email=str_replace("\r","\n",$email);
// $name=str_replace("\r","\n",$name);
// $message=str_replace("\r","\n",$message);
// $phone=str_replace("\r","\n",$phone);

// $Email = ereg_replace( "\r", " ", $Email ); THIS DOES NOT WORK
// $Email = ereg_replace( "\n", " ", $Email ); THIS DOES NOT WORK
// $Email = ereg_replace( "bcc:", " ", $Email );
// $Email = ereg_replace( "cc:", " ", $Email );

$Senders_Name = preg_replace( "/[\n\r]+/", " ", $Senders_Name );
$Message = preg_replace( "/[\n\r]+/", " ", $Message );
$recipient = preg_replace( "/[\n\r]+/", " ", $recipient );
$subject = preg_replace( "/[\n\r]+/", " ", $subject );
</snip>

<snip>
// NOW SEND THE EMAIL
mail("$recipient", "$subject.", $Message,
     "From: $Email ($Senders_Name)\nReply-To: $Email\n Sent by: $Senders_Name Email Address: $Email");
</snip>

Thanks for any guidance....
Martin
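
A stricter variant of the filtering in the post above, as an added example that is not the poster's code: it rejects any header-bound field containing CR or LF instead of rewriting it, validates the address with filter_var(), and keeps the recipient out of the form's control. The function names, the two example.org addresses, and the choice of a site-owned From with the visitor's address in Reply-To are assumptions.

```php
<?php
// Added example, not the poster's code. Addresses below are placeholders.
const FORM_RECIPIENT = 'webmaster@example.org';   // assumption: fixed in code
const FORM_SENDER    = 'webform@example.org';     // assumption: site-owned From

// True if the value contains CR, LF or NUL, which would end a header line.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Returns [to, subject, body, headers] for mail(), or null if input is rejected.
function build_mail_args(string $email, string $name, string $subject, string $message): ?array
{
    foreach ([$email, $name, $subject] as $field) {
        if (has_header_break($field)) {
            return null;            // refuse instead of trying to repair
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                // must be exactly one valid mailbox
    }
    // The name only appears in the body, but keep it to a plain character set.
    $name = preg_replace('/[^A-Za-z0-9 .\'-]/', '', $name);
    // The body may span lines; normalise line endings to CRLF for mail().
    $body = "Sent by: $name <$email>\r\n\r\n"
          . preg_replace('/\r\n|\r|\n/', "\r\n", $message);
    $headers = 'From: ' . FORM_SENDER . "\r\n" . 'Reply-To: ' . $email;
    return [FORM_RECIPIENT, $subject, $body, $headers];
}

// Constructed inputs: one ordinary submission, one with an extra header line.
$ok  = build_mail_args('visitor@example.com', 'Ann Lee', 'Hello', "Line one\nLine two");
$bad = build_mail_args("visitor@example.com\r\nBcc: other@example.net", 'Ann Lee', 'Hello', 'Hi');

var_dump($ok !== null);   // ordinary submission is accepted
var_dump($bad === null);  // submission with a line break in the address is rejected

// To send an accepted submission: mail($ok[0], $ok[1], $ok[2], $ok[3]);
```

Only the message body is allowed to contain line breaks here, because it is passed as the body argument of mail() and never concatenated into the header string.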