On Fri, Jul 19, 2002 at 11:19:59PM -0400, John Holmes wrote:
> Maybe I'm behind the times, but I just found out about this one today.
> Basically if a user can take your form that sends an email, and send a
> value like "This is my subject\nBcc: [EMAIL PROTECTED]" for the subject,
> then they will get Bcc'd on every email your script later sends.

Well, as mentioned by others, not every email, just the one being sent at
that time.  But, more importantly, folks can put in other people's
addresses into the Bcc and spam them all using your resources.  This has
already been exploited on some web to mail forms.

My email form functions check user input for unwanted characters,
including \r and \n via ereg.  If any are found, they're removed and the
form is redisplayed saying they can't use such characters.



               PHP classes that make web design easier
        SQL Solution  |   Layout Solution   |  Form Solution  | |
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to