PHP's mail() function is completely broken. It is insecure, and it is *impossible* to make it secure unless you aggressively sanitize all your input.
PHP is a truly horrible language (hey, I use it every day, so I should know...) and mail() stands out as one of the worst things about it. I wrote a C program called "sendmail-wrapper.c" that makes it possible to send mail safely from PHP. It is invoked with no arguments, and reads lines on stdin specifying envelope sender and recipient(s). It then executes Sendmail directly (using execve) so no shell is involved.

Regards,
David.
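The wrapper design described in the message above, as an added example (this is not David's sendmail-wrapper.c): envelope addresses arrive on stdin, are validated, and become separate argv entries for execve, so no shell ever parses them. The input layout (sender line, recipient lines, one blank line, then the message), the sendmail path, the limits and the `-i`/`-f`/`--` arguments are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAX_RCPT 16
#define LINE 256
#define SENDMAIL "/usr/sbin/sendmail"   /* assumed install path */

/* Reject empty, option-like ("-...") or whitespace/control-bearing addresses. */
int addr_ok(const char *a)
{
    if (*a == '\0' || *a == '-') return 0;
    for (; *a; a++)
        if ((unsigned char)*a <= ' ' || *a == 0x7f) return 0;
    return 1;
}

/* Assumed input: sender line, recipient lines, then one blank line.
 * Fills argv for sendmail; returns recipient count or -1 on bad input. */
int build_argv(FILE *in, char buf[][LINE], char *argv[])
{
    size_t len; int n = 0, a = 0, i;
    for (;;) {
        if (n > MAX_RCPT + 1 || !fgets(buf[n], LINE, in))
            return -1;                  /* too many lines or no terminator */
        len = strlen(buf[n]);
        if (len == 0 || buf[n][len - 1] != '\n')
            return -1;                  /* overlong line or embedded NUL */
        buf[n][len - 1] = '\0';
        if (len == 1) break;            /* blank line ends the envelope */
        if (!addr_ok(buf[n])) return -1;
        n++;
    }
    if (n < 2) return -1;               /* need a sender and a recipient */
    argv[a++] = "sendmail"; argv[a++] = "-i";
    argv[a++] = "-f";       argv[a++] = buf[0];
    argv[a++] = "--";                   /* nothing after this is an option */
    for (i = 1; i < n; i++) argv[a++] = buf[i];
    argv[a] = NULL;
    return n - 1;
}

int main(void)
{
    static char buf[MAX_RCPT + 2][LINE];
    char *argv[MAX_RCPT + 6], *envp[] = { "PATH=/usr/bin:/bin", NULL };
    setvbuf(stdin, NULL, _IONBF, 0);    /* do not read ahead into the message */
    if (build_argv(stdin, buf, argv) < 0) return 64;
    execve(SENDMAIL, argv, envp);       /* no shell is involved */
    return 71;                          /* reached only if execve failed */
}
```

Because stdin is left unbuffered, sendmail inherits the descriptor positioned just after the blank line and reads the message itself.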

