Hello, on 02/21/2006 03:19 PM cKc Consultants said the following: > An email form that uses a simple server side php code to send the variable > values managed to send: > > > Content-Type: multipart/alternative; >> boundary=5c7c7e682d991e8ec1f6825582ea2103 >> MIME-Version: 1.0 >> Subject: round a rock by way of anchorage >> bcc: [EMAIL PROTECTED] >> >> This is a multi-part message in MIME format. >> >> --5c7c7e682d991e8ec1f6825582ea2103 >> Content-Type: text/plain; charset=\"us-ascii\" >> MIME-Version: 1.0 >> Content-Transfer-Encoding: 7bit >> >> system expict th time is >> --5c7c7e682d991e8ec1f6825582ea2103-- >> > > This appears between responses to "$msg.=" and shouldn't be something the > user could see. In order to figure out how to prevent this, I need to know > how it was done. I know I need to validate the email address more closely, > but I'm curious as to what created this. I've found some interesting > articles on the web, but nothing seems to deal with this issue. Pointing me > in the right direction would be appreciated!
The problem is that you are using unverified data came from the form directly into the message. It is easy to hack your form because you are neglecting the fact that an e-mail field may contain line breaks. This opens the chance for hackers to add extra headers and even message body data, as the PHP mail() function is very weak and does nothing reject abusive data. If you are looking for a more robust solution, take a look at this MIME message composing class. Not only it can encode special characters that can be legitemately fed to the message, but it also escapes line breaks on headers, so any attacks like you suffered are suppressed, even when you do not validate the form fields for valid e-mail addresses as you should have done: http://www.phpclasses.org/mimemessage -- Regards, Manuel Lemos Metastorage - Data object relational mapping layer generator http://www.metastorage.net/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
