Hi James,

----- Original Message ----- 
From: James Keeline 

--- Bob <[EMAIL PROTECTED]> wrote:
> Hi all,
> Is there any way that the following php line can be used to send an email to
> anyone other than [EMAIL PROTECTED] ?
> 
> <?php
> @mail('[EMAIL PROTECTED]', $subject, $message, "From: $name <$email>");
> ?>
> 
> This is just the mail line, and lots of other input checks are done first.
> 
> An admin bloke says that this line could be used to send spam to anyone!
> 
> I was under the impression that as '[EMAIL PROTECTED]' wasn't a variable
> and it's in single quotes, that it couldn't be altered?
> Thanks, Bob Exton.

The fourth argument of the mail() function allows the programmer to define
additional mail headers. These can be anything, including additional To:, CC:,
and BCC: fields. The variables $name and $email need to be carefully screened
to ensure that it is not possible to add something like:

"[EMAIL PROTECTED]: [EMAIL PROTECTED]"

The headers field should have values ending in the end-of-line symbol for
email, \r\n (carriage return, newline), according to the RFC.

I also find that the "real name" <email> pattern doesn't work well in all
cases, especially in the To: address.

-------------------------------------------------------------------------
Thanks for your reply.
Have amended all my filters now.

I knew that extra headers could be added to the To: variable, but didn't know 
they could be used in the Subject (though I can't make it do that with a test 
program).

I'd heard that using "real name" <email> is unreliable, so I'll drop that.

Just as a matter of interest, what would happen if the "real name" <email> 
format was used? Would it still send the email?

Regards, Bob Exton.
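
The screening James describes for $name and $email, as an added example that is not part of the original thread: it rejects CR/LF in either value and checks that $email is a single address before the From: header is built. The function names and the example.com / example.net sample values are constructed for illustration.

```php
<?php
// Added example: screen $name and $email before they reach mail()'s
// additional-headers argument. Function names are hypothetical.

function contains_header_break(string $value): bool
{
    // CR or LF ends the current header line, so anything after it would be
    // parsed as a new header (To:, Cc:, Bcc:, ...). NUL is rejected as well.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function build_from_header(string $name, string $email): ?string
{
    if (contains_header_break($name) || contains_header_break($email)) {
        return null;
    }
    // filter_var() rejects anything that is not a single address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Remove characters that would break out of the quoted display name.
    $name = trim(str_replace(['"', '\\', '<', '>'], '', $name));
    return $name === '' ? "From: $email" : "From: \"$name\" <$email>";
}

// Constructed sample inputs (placeholder addresses).
$samples = [
    ['Bob', 'bob@example.com'],
    ['Bob', "bob@example.com\r\nBcc: someone@example.net"],
    ["Bob\nCc: someone@example.net", 'bob@example.com'],
    ['Bob', 'bob@example.com, someone@example.net'],
];

foreach ($samples as [$name, $email]) {
    $header = build_from_header($name, $email);
    echo json_encode([$name, $email]), ' => ',
         $header === null ? 'REJECTED' : $header, "\n";
    // Only when $header is not null would the script go on to call
    // mail() with its fixed recipient and this header string.
}
```

Only the first sample produces a header; the other three are rejected before mail() would be called.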



