On Thu, Feb 16, 2006 at 11:05:13AM -0800, Brian Dunning wrote:
> I created a simple mail form and am blocking SMTP injections like
> this. Seems like it ought to be 100% foolproof, AFAIK you can't
> complete and SMTP injection with a Content-Type header in there. Any
> opinions?
>
> $body = 'Name: '.$_POST['name'].'\r\n';
> $body = $body.'Phone: '.$_POST['phone'].'\r\n';
> $body = $body.'Email: '.$_POST['email'].'\r\n';
> $body = $body.'Comment: '.$_POST['comment'];
> if(!strpos(strtolower($body), 'content-type')) {
> mail($email_address, "Site Feedback", $body, "From:
> ".$email_address);
> }
You're main issue is with the $email_address var, where is that
comming from?
Here is something I posted a few months ago relating to what to watch
out for:
http://news.zirzow.dyndns.org/news.php/php.general/read/939b664d151f374782f8ba48e9bf5161/
Curt.
--
cat .signature: No such file or directory
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
