Better yet, don't allow the user to enter a From address. Simply give them subscribe and unsubscribe radio buttons, and make sure the un/subscribe-ee gets a confirmation email.

And certainly check your input fields for newlines. :)

On 8/7/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Mon, August 7, 2006 2:37 am, David Dorward wrote:
> Richard Lynch wrote:
>
>> <?php
switch($_REQUEST['email']){
  case 'subscribe@xxxxxxxxxxxxx':
  case 'unsubscribe@xxxxxxxxxxxxx':
    //Do nothing.
    break;
  default:
    die("Hack attempt.");
    break;
}
>> if (isset($_REQUEST['email'])){
>> $success = mail($_REQUEST['action'], 'un/subscribe',
>> 'un/subscribe', "From: $_REQUEST[email]\r\nReply-to:
>> $_REQUEST[email]");
>> if ($success) echo "Status Change Sent";
>> else echo "Unable to send Status Change";
>> }
>> ?>
>
> What if someone submitted:
>
> action = poor_spam_victim@xxxxxxxxxxx
>
> email = you@xxxxxxxxxxx\r\n\r\nA long winded evil spam message here
>
> ?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
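
Added example, not part of the thread or any poster's code: one way to combine the two checks discussed above, taking the recipient from a fixed subscribe/unsubscribe choice and refusing any address that contains a newline before it reaches the mail() headers. The list addresses, the function name build_status_mail() and the sample requests are assumptions made for illustration.

```php
<?php
// Placeholder list addresses (assumed); the thread's real ones are redacted.
const LIST_ADDRESSES = [
    'subscribe'   => 'subscribe@lists.example.org',
    'unsubscribe' => 'unsubscribe@lists.example.org',
];

/**
 * Hypothetical helper: returns [to, subject, body, headers] ready for mail(),
 * or null when the request must be refused.
 */
function build_status_mail(array $req): ?array
{
    $action = $req['action'] ?? '';
    $email  = $req['email'] ?? '';
    if (!is_string($action) || !is_string($email)) {
        return null;
    }
    // The recipient is looked up from the radio-button value, never copied from the request.
    if (!array_key_exists($action, LIST_ADDRESSES)) {
        return null;
    }
    // A CR or LF would end the From: header and let the sender add headers or a body.
    if (preg_match('/[\r\n]/', $email)) {
        return null;
    }
    // Syntax check on what is left.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $headers = "From: $email\r\nReply-To: $email";
    return [LIST_ADDRESSES[$action], 'un/subscribe', 'un/subscribe', $headers];
}

// Constructed requests; the second has the shape David Dorward describes.
$samples = [
    ['action' => 'subscribe', 'email' => 'reader@example.com'],
    ['action' => 'victim@example.net', 'email' => "you@example.com\r\n\r\nmessage text"],
    ['action' => 'unsubscribe', 'email' => "you@example.com\r\n\r\nmessage text"],
];
foreach ($samples as $req) {
    $msg = build_status_mail($req);
    echo json_encode($req), ' => ', $msg === null ? 'rejected' : "send to {$msg[0]}", "\n";
    // In a real handler: if ($msg !== null) { $success = mail(...$msg); }
}
```

The third request shows why the newline check is still needed once the recipient is fixed: the action is valid, but the address alone would otherwise rewrite the message.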