----- Original Message ----- 
From: [EMAIL PROTECTED] 

----- Original Message ----- 
From: Bob
Hi all,
Is there any way that the following PHP line can be used to send an email to
anyone other than [EMAIL PROTECTED]?

<?php
@mail('[EMAIL PROTECTED]', $subject, $message, "From: $name <$email>");
?>

This is just the mail line, and lots of other input checks are done first.

An admin bloke says that this line could be used to send spam to anyone!

I was under the impression that as '[EMAIL PROTECTED]' wasn't a variable
and it's in single quotes, that it couldn't be altered?
Thanks, Bob Exton.

----------------------------
Hello Bob,
The mail() function is not the issue; you have just described the
standard format for the mail function.

What is important is how well you filter the $_POST or other input
variables.

For example, if you did not filter the Subject line well then I could place
the following into the subject -

CC: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; \n
BCC: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; \n
From: [EMAIL PROTECTED] \n
Subject: Free porn \n

I could then go on to create the message header fields (mime types) and
content, even html and attachments leaving your desired fields floating at
the end of the message.

The safest bet is to only allow those characters that you know are needed,
i.e.:
Subject 0-9, a-z, A-Z
From 0-9, a-z, A-Z, -, _, @
Always exclude characters under ASCII 32 and above the last one that you expect,
with the exception of \r \n for the comment fields.
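
The whitelist approach Rob describes, as an added example that is not code from the thread: each header-bound field is checked against an explicit character set before it reaches mail(), and any field containing CR or LF (the folding needed to smuggle in a CC:/BCC: line) is rejected. Function names and the sample inputs are constructed; the '.' allowed in the address is my addition to Rob's list.

```php
<?php
// Added example (not from the thread). Whitelist filters for the fields
// that end up in mail() headers; anything outside the set is rejected.
// Note: PCRE '$' matches before a trailing "\n", so '\z' is used instead,
// otherwise "Order 42\n" would pass the subject check.

// Subject: letters, digits and spaces only.
function cleanSubject(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 120) {
        return null;
    }
    return preg_match('/^[0-9A-Za-z ]+\z/', $raw) ? $raw : null;
}

// From address: letters, digits, '-', '_', '.', '@' only (assumed set),
// then a syntax check. CR/LF can never pass this set.
function cleanEmail(string $raw): ?string
{
    $raw = strtolower(trim($raw));
    if (!preg_match('/^[0-9a-z._@-]+\z/', $raw)) {
        return null;
    }
    return filter_var($raw, FILTER_VALIDATE_EMAIL) !== false ? $raw : null;
}

// Display name: letters and spaces only, as in Bob's own filter.
function cleanName(string $raw): ?string
{
    return preg_match('/^[A-Za-z ]{1,60}\z/', trim($raw)) ? trim($raw) : null;
}

// Constructed inputs: a benign request and one with a folded-in header.
$good = ['name' => 'Bob Exton', 'email' => 'bob@example.com', 'subject' => 'Order 42'];
$bad  = ['name' => 'Bob Exton', 'email' => 'bob@example.com',
         'subject' => "Order 42\r\nBcc: someone@example.net"];

foreach ([$good, $bad] as $in) {
    $name    = cleanName($in['name']);
    $email   = cleanEmail($in['email']);
    $subject = cleanSubject($in['subject']);
    if ($name === null || $email === null || $subject === null) {
        echo "rejected: a header field failed the whitelist\n";
        continue;
    }
    // Only validated values are used to build the extra-headers string.
    $headers = "From: $name <$email>";
    echo "would send: Subject='$subject' Headers='$headers'\n";
}
```

Run with the PHP CLI: the first input is accepted, the second is rejected because its subject contains "\r\n".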

-------------------------------------------
Hi Rob,
I can't get it to send CC: or BCC: in the Subject by doing the above.
The server gives a 403 error "access refused". Not sure why this happens?

I filter the email: $raw = preg_replace('/[EMAIL PROTECTED]/', '', $raw); after 
changing it to lowercase.
And name: $raw = preg_replace('/[^A-Za-z ]/', '', $raw);
Check all lengths and a load of other stuff.

I hadn't reckoned on the Subject, which doesn't bar everything but 0-9, a-z,
A-Z.
But it will do in about 5 minutes though :-)

Regards, Bob Exton.
