----- Original Message ----- 
From: Bob

Hi all,
Is there any way that the following PHP line can be used to send an email to
anyone other than [EMAIL PROTECTED]?

<?php
@mail('[EMAIL PROTECTED]', $subject, $message, "From: $name <$email>");
?>

This is just the mail line, and lots of other input checks are done first.

An admin bloke says that this line could be used to send spam to anyone!

I was under the impression that, as '[EMAIL PROTECTED]' isn't a variable
and it's in single quotes, it couldn't be altered?
Thanks, Bob Exton.
----------------------------
Hello Bob,
     The mail() function is not the issue; you have just described the
standard format for the mail function.

What is important is how well you filter the $_POST or other input
variables.

For example, if you did not filter the Subject line well then I could place
the following into the subject -

CC: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; \n
BCC: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; \n
From: [EMAIL PROTECTED] \n
Subject: Free porn \n

I could then go on to create the message header fields (mime types) and
content, even html and attachments leaving your desired fields floating at
the end of the message.

The safest bet is to only allow those characters that you know are needed,
i.e.:
Subject: 0-9, a-z, A-Z
From: 0-9, a-z, A-Z, -, _, @
Always exclude characters under ASCII 32 and above the last one that you expect,
with the exception of \r \n for the comments fields.

Thanks Rob.
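The check Rob describes, written out as an added example (this is not Bob's or Rob's code, and the helper names, the placeholder recipient address and the constructed inputs are this example's own assumptions). It validates each user-supplied header value against a small allowed character set, refusing any control character (in particular \r and \n, which end a header line) before the page's mail() call ever runs; the message body keeps its line breaks, because it is passed to mail() separately from the headers argument:

```php
<?php
// Added example (not code from the thread): validate the values that end
// up in the headers argument of mail() before calling it.

function header_value_is_safe(string $value, string $allowedPattern, int $maxLen): bool
{
    // Refuse the empty string and anything longer than expected.
    if ($value === '' || strlen($value) > $maxLen) {
        return false;
    }
    // Refuse every control character (ASCII < 32, plus DEL) outright;
    // \r and \n are what would terminate the header line and start a new one.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return false;
    }
    // Only characters from the allowed list may remain.
    return preg_match($allowedPattern, $value) === 1;
}

function subject_is_safe(string $subject): bool
{
    // Rob's list for the subject (0-9, a-z, A-Z); the space is this
    // example's addition so ordinary subjects still pass (assumption).
    return header_value_is_safe($subject, '/^[0-9A-Za-z ]+$/', 200);
}

function from_address_is_safe(string $email): bool
{
    // Rob's list for From (0-9, a-z, A-Z, -, _, @) plus '.', which every
    // domain part needs (assumption), and exactly one '@' with both sides
    // non-empty.
    return header_value_is_safe($email, '/^[0-9A-Za-z@._-]+$/', 254)
        && preg_match('/^[0-9A-Za-z._-]+@[0-9A-Za-z._-]+$/', $email) === 1;
}

// Returns the arguments for mail(), or null if any header value is refused.
function build_mail_args(array $input): ?array
{
    $name    = $input['name']    ?? '';
    $email   = $input['email']   ?? '';
    $subject = $input['subject'] ?? '';
    $message = $input['message'] ?? '';

    if (!subject_is_safe($subject)
        || !from_address_is_safe($email)
        || !header_value_is_safe($name, '/^[0-9A-Za-z ]+$/', 100)) {
        return null; // reject the whole request rather than "cleaning" it
    }
    // The body may keep \r \n (the comments field Rob mentions); normalising
    // line endings is enough, since the body cannot reach the headers.
    $message = str_replace(["\r\n", "\r"], "\n", $message);

    return [
        'to'      => 'owner@example.com',   // placeholder for the fixed recipient
        'subject' => $subject,
        'message' => $message,
        'headers' => "From: $name <$email>",
    ];
}

// Constructed inputs: one legitimate submission, one carrying a line break
// followed by an extra header in the subject.
$good = [
    'name'    => 'Bob Exton',
    'email'   => 'bob@example.org',
    'subject' => 'Question about the form',
    'message' => "Hi,\r\ndoes this work?",
];
$bad = $good;
$bad['subject'] = "Hello\r\nBcc: someone@example.net";

var_dump(build_mail_args($good) !== null); // bool(true)
var_dump(build_mail_args($bad));           // NULL: the CR/LF subject is refused

// Only when build_mail_args() returns an array would the page's original
// call be made:
// @mail($args['to'], $args['subject'], $args['message'], $args['headers']);
```

Rejecting the request outright, instead of stripping the offending characters and carrying on, keeps the logic simple to reason about: a value either matches the expected character set or it never reaches mail().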
