David F. Skoll wrote:
> PHP's mail() function is completely broken. It is insecure, and it is
> *impossible* to make it secure unless you aggressively sanitize all your
> input.
> PHP is a truly horrible language (hey, I use it every day, so I should
> know...) and mail() stands out as one of the worst things about it.

All I remember about it is it's one of the functions I disabled on the
hosting server I set up. <g> For those few customers that really
wanted to use a PHP function to send mail, I provided a utility library
with a much more restrictive email function (among other things, it
stuck in a number of headers to make itself *very* easily identified),
along with a few other functions for common SSI operations usually
handled by Apache or standalone CGI scripts.
For most other customers, I provided a form-mail script that used the
utility library's email sender. To the best of my knowledge, neither
has ever (in ~5 years since I wrote it) been abused for spamming.
-kgd
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
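In the spirit of the restrictive email function described in the post, an added example (not the poster's utility library and not part of the original message) of what "aggressively sanitize all your input" looks like for a PHP form-mail wrapper: refuse line breaks in header fields, fix the sender, never expose mail()'s extra-parameters argument, and tag each message so abuse is easy to trace. The function names, the X-Mailer value and the addresses are assumptions.

```php
<?php
// Added example, not the post's own code. mail() hands headers to sendmail
// unchanged, so a CR, LF or NUL in a user-supplied field would let the
// caller append header lines of their own. Refuse such values outright.
function header_value_is_clean(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Return null if the form fields are acceptable, otherwise a reason string.
function validate_mail_fields(string $to, string $subject, string $body): ?string
{
    if (!header_value_is_clean($to) || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return 'recipient is not a single well-formed address';
    }
    if (!header_value_is_clean($subject)) {
        return 'subject contains a line break';
    }
    if (strlen($subject) > 200 || strlen($body) > 10000) {
        return 'message too long';
    }
    return null;
}

// Send with a fixed sender and identifying headers. The caller never supplies
// raw headers, and mail()'s fifth argument (sendmail options) is never used.
function restricted_mail(string $to, string $subject, string $body, string $fixedFrom): bool
{
    if (validate_mail_fields($to, $subject, $body) !== null) {
        return false;
    }
    $headers = [
        'From: ' . $fixedFrom,                       // site-configured, never a form field
        'X-Mailer: site-formmail/1.0',               // assumed tag; makes the source obvious in logs
        'X-Originating-IP: ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'),
        'Content-Type: text/plain; charset=UTF-8',   // plain text body cannot carry headers
    ];
    return mail($to, $subject, $body, implode("\r\n", $headers));
}

// Constructed inputs: the second is refused before mail() is ever reached.
var_dump(validate_mail_fields('user@example.com', 'Hello', 'Body text'));      // NULL
var_dump(validate_mail_fields('user@example.com', "Hello\r\nExtra", 'Body'));  // string
```

Running the file as shown only exercises the validator; restricted_mail() is what a form handler would call, with $fixedFrom taken from site configuration.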