Hi, we have a special address that our users can forward spam
complaints to, and the number of complaints is exceeding what I can
deal with manually. So I am thinking of automating this process and
populating a database with things like local user, sending IP,
sending relay address, subject, etc. for each spam complaint that
comes in. So I need to make sure that if I do something like the standard:

    $sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");

and use the contents of the "Subject:" line as a value, some spammer
couldn't put SQL code in the subject and have it interpreted. Something like:

    Subject: Increase your money; "hello; use mysql; drop table users;"

or something to that effect. Would someone be able to do this, and
if so, how would I guard against it? Thanks...

Jim McCullars
University of Alabama in Huntsville
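
Added example, not part of the original message: a DBI script that parses a constructed complaint carrying the Subject line quoted above, inserts the header values through ? placeholders, and reads the row back to check what was stored. It assumes DBD::SQLite is installed and uses an in-memory database in place of the poster's server; the table names, column names, addresses and sample message are hypothetical.

```perl
#!/usr/bin/perl
# Added example: bind a hostile Subject header through DBI placeholders.
# Assumes DBD::SQLite is installed; table and column names are hypothetical.
use strict;
use warnings;
use DBI;

# Constructed sample complaint (not real mail); the Subject is the one from the post.
my $mail = <<'EOM';
Received: from relay.example.net (relay.example.net [192.0.2.25])
To: localuser@example.edu
Subject: Increase your money; "hello; use mysql; drop table users;"

body text
EOM

# Split headers from body at the first blank line, then pick out the fields.
my ($headers) = split /\n\n/, $mail, 2;
my ($subject) = $headers =~ /^Subject:[ \t]*(.*)$/m;
my ($rcpt)    = $headers =~ /^To:[ \t]*(.*)$/m;
my ($ip)      = $headers =~ /^Received:.*\[(\d{1,3}(?:\.\d{1,3}){3})\]/m;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (name TEXT)');
$dbh->do('CREATE TABLE complaints (local_user TEXT, sending_ip TEXT, subject TEXT)');
$dbh->do(q{INSERT INTO users (name) VALUES ('localuser')});

# The SQL text is fixed at prepare time; the header values are passed
# separately to execute() and are bound as data, never parsed as SQL.
my $sth = $dbh->prepare(
    'INSERT INTO complaints (local_user, sending_ip, subject) VALUES (?,?,?)');
$sth->execute($rcpt, $ip, $subject);

# Read the row back and compare it with the raw header value.
my ($stored) = $dbh->selectrow_array('SELECT subject FROM complaints');
my ($users)  = $dbh->selectrow_array('SELECT COUNT(*) FROM users');

print "stored subject matches input: ", ($stored eq $subject ? "yes" : "no"), "\n";
print "rows in users table: $users\n";
$dbh->disconnect;
```

The guarantee holds only while every untrusted value goes through a placeholder; interpolating a header into the string passed to prepare() or do() removes it.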