Merlin wrote:
Hello Manuel,
this seems to be the right track. However I do not have line breaks in
there, but the message gets passed by POST. This is my script error.php:
<?php
###############################################################
# requires
$hostpath = '../';
require $hostpath . 'global/server.inc';
require $hostpath . 'global/class.phpmailer.php';
###############################################################
###############################################################
# set vars straight from the POST request (no validation yet)
$from     = $_POST['from'];
$errormsg = $_POST['errormsg'];
$message  = $_POST['message'];
'they' are posting stuff to your mailer that includes full-blown
mail headers ... you're going to have to strip out the crud, or
block suspicious incoming data.
Up to now I use the following function when I need quick/dirty protection
(no doubt that it could be better!):
/* returns true if any of the values in the passed array are suspect in terms
 * of someone trying to hack our form based mailer to start sending people
 * spam.
 *
 * use as follows:
 *   if (emailFieldHackAttempt($_POST)) die('go away you spam-peddling shmuck.');
 */
function emailFieldHackAttempt( $fieldVals )
{
    // header fragments that have no business in a plain form field
    $evilStrings = array(
        'Content-Type: multipart/mixed;',
        'Content-Type: text/plain;',
        'boundary="',
        'boundary=\\"',
        'Content-Transfer-Encoding: 7bit',
        "\nSubject: ",
        'MIME-Version: ',
        "\nbcc: ",
        "\ncc: ",
        "\nFrom: ",
        "\nTo: ",
    );
    if (is_array($fieldVals) && count($fieldVals)) {
        foreach ($evilStrings as $evilStr) {
            foreach ($fieldVals as $k => $v) {
                // skip nested arrays (e.g. field[]=...), strstr() only takes strings
                if (is_string($v) && strstr($v, $evilStr) !== false) {
                    return true;
                }
            }
        }
    }
    // nothing going on!
    return false;
}
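A stricter variant of the check above, added here as an example and not code from the thread: any field that ends up in a mail header is rejected if it contains a line break at all (that is what lets an injected header in), the From address is validated, and the body is scanned case-insensitively for header-looking lines. Function name, field names and the sample input are assumptions.

```php
<?php
// Added example, not from the thread. Field names match Merlin's error.php
// (from, errormsg, message); the function name is made up for this example.

/**
 * Returns a list of problems found in the submitted fields, empty if clean.
 *
 * @param array    $post          the request fields (e.g. $_POST)
 * @param string[] $headerFields  fields that are placed in mail headers
 * @param string[] $bodyFields    fields that are placed in the mail body
 * @return string[]
 */
function mailFormProblems(array $post, array $headerFields, array $bodyFields)
{
    $problems = array();
    foreach ($headerFields as $name) {
        $value = isset($post[$name]) ? $post[$name] : '';
        if (!is_string($value)) {
            $problems[] = "$name: not a string";
        } elseif (preg_match('/[\r\n\0]/', $value)) {
            // a header field is one line; CR, LF or NUL has no legitimate use here
            $problems[] = "$name: line break in header field";
        }
    }
    if (isset($post['from']) && is_string($post['from'])
        && filter_var($post['from'], FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'from: not a valid email address';
    }
    // Newlines are legitimate in the body, so look instead for lines that read
    // like headers (any case) or for MIME boundary markers.
    $headerLine = '/^(?:to|cc|bcc|from|subject|content-type|mime-version|'
                . 'content-transfer-encoding)\s*:/im';
    foreach ($bodyFields as $name) {
        $value = isset($post[$name]) ? $post[$name] : '';
        if (is_string($value) && (preg_match($headerLine, $value)
            || stripos($value, 'boundary=') !== false)) {
            $problems[] = "$name: header-like content in body";
        }
    }
    return $problems;
}

// Constructed sample input of the kind the thread describes (header injected
// into the From field, MIME header in the body); both should be reported.
$sample = array(
    'from'     => "someone@example.com\r\nBcc: other@example.com",
    'errormsg' => 'Page not found',
    'message'  => "Hello\nContent-Type: multipart/mixed; boundary=\"x\"",
);
$problems = mailFormProblems($sample, array('from', 'errormsg'), array('message'));
if ($problems) {
    exit('Rejected: ' . implode('; ', $problems));
}
```

Logging the rejected fields (without mailing anything) gives a cheap signal of how often the form is being probed.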
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php