On Thu, February 16, 2006 1:05 pm, Brian Dunning wrote:
> I created a simple mail form and am blocking SMTP injections like
> this. Seems like it ought to be 100% foolproof, AFAIK you can't
> complete and SMTP injection with a Content-Type header in there. Any
> opinions?
>
> $body = 'Name: '.$_POST['name'].'\r\n';
> $body = $body.'Phone: '.$_POST['phone'].'\r\n';
> $body = $body.'Email: '.$_POST['email'].'\r\n';
> $body = $body.'Comment: '.$_POST['comment'];
> if(!strpos(strtolower($body), 'content-type')) {
> mail($email_address, "Site Feedback", $body, "From:
> ".$email_address);
> }
Where does $email_address come from?
Unless we know that, we can't discuss header injection...
Also, this:
$body = $body . "...";
is more usually expressed as:
$body .= "...";
And, finally, your '\r\n' are not going to work.
Only \\ and \' are special inside ''
You need "" for \r\n to be special.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
