--- Bob <[EMAIL PROTECTED]> wrote:
> Hi all,
> Is there any way that the following php line can be used to send an email to
> anyone other than [EMAIL PROTECTED] ?
>
> <?php
> @mail('[EMAIL PROTECTED]', $subject, $message, "From: $name <$email>");
> ?>
>
> This is just the mail line, and lots of other input checks are done first.
>
> An admin bloke says that this line could be used to send spam to anyone!
>
> I was under the impression that as '[EMAIL PROTECTED]' wasn't a variable
> and it's in single quotes, that it couldn't be altered?
> Thanks, Bob Exton.
The fourth argument of the mail() function allows the programmer to define
additional mail headers. These can be anything, including additional To:, CC:,
and BCC: fields. The variables $name and $email need to be carefully screened
to ensure that it is not possible to add something like:
"[EMAIL PROTECTED]: [EMAIL PROTECTED]"
The headers field should have values ending in the end-of-line symbol for
email, \r\n (carriage return, newline), according to the RFC.
I also find that the "real name" <email> pattern doesn't work well in all
cases, especially in the To: address.
James Keeline
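The screening James describes, as an added example that is not code from the thread: a hypothetical helper pair that refuses any CR or LF in $name and $email before they reach the fourth argument, so the hard-coded address stays the only recipient. Function names and the example.com addresses are my own.

```php
<?php
// Added example: screen the user-supplied From name and address before
// building the extra-headers string for mail(). Header injection works by
// smuggling "\r\n" (or a bare "\n") into a header value so the MTA sees a
// new header line such as Bcc:. Any CR/LF in either value is therefore
// rejected outright rather than stripped.

// Returns true only if the value contains no CR, LF or NUL bytes.
function is_single_header_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Returns a validated "From:" header, or null if the inputs are unsafe.
// Hypothetical helper; $name and $email come straight from the web form.
function build_from_header(string $name, string $email): ?string
{
    if (!is_single_header_line($name) || !is_single_header_line($email)) {
        return null;  // injection attempt or corrupted input
    }
    // filter_var rejects malformed addresses (whitespace and control
    // characters included), which also closes the folded-header variant.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quote the display name so characters like '<' or ',' cannot change
    // how the address part is parsed.
    $safe_name = '"' . addcslashes($name, '"\\') . '"';
    return "From: $safe_name <$email>\r\n";
}

// Constructed inputs: one legitimate, one carrying an injected Bcc: line.
$good = build_from_header('Alice Example', 'alice@example.com');
$bad  = build_from_header("Mallory\r\nBcc: victim@example.net", 'm@example.org');

if ($good !== null) {
    // Recipient stays the constant (placeholder address); only the From
    // header is user-influenced, and it has been checked.
    // @mail('site-owner@example.com', $subject, $message, $good);
    echo "OK: $good";
}
if ($bad === null) {
    echo "Rejected: CR/LF found in From name\n";
}
```

Logging the rejected submissions (with the offending bytes escaped) gives a cheap detection signal for anyone probing the form.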