Hi All, One of my sites has been subjected to injection attacks recently. I've done what I can for the moment and searching for "TO:" and "CC:" in the user input foils most attempts. However, some attempts are getting a little too close for comfort. These attacks are not succeeding - but only because of a side effect of some unrelated cleaning that my script performs before calling the mail() function.
The problem seems to be that the attacker is encoding some or all of their input as hex, which the PHP interpreter is happily decoding and then acting upon. For example, an attacker might inject a BCC: field by encoding it as %62%63%63%3A. Is there a PHP function to decode inline hex, for example to decode the above example to "bcc:"?

TIA,
--
Geoff Lane
Cornwall, UK
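The check the question is reaching for, as an added example that is not part of the original post: PHP's rawurldecode() turns %62%63%63%3A into "bcc:", so input can be reduced to its plain form before it is inspected, and any value bound for a mail header can then be rejected if it contains a line break or a header name. The helper names and sample inputs are constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample inputs.

// Decode percent-escapes repeatedly until the value stops changing, so that
// input encoded more than once is also reduced to its plain form.
function canonicalize(string $value, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// A value bound for a mail header is rejected if its canonical form contains
// a line break (which would start a new header) or a header name that the
// form should never supply.
function is_safe_header_value(string $value): bool
{
    $plain = canonicalize($value);
    if (preg_match('/[\r\n]/', $plain)) {
        return false;
    }
    return !preg_match('/\b(to|cc|bcc|content-type|mime-version)\s*:/i', $plain);
}

// Constructed sample inputs for a "from" field.
$samples = [
    'geoff@example.com',
    "geoff@example.com\r\nBcc: other@example.com",
    'geoff@example.com%0A%62%63%63%3A other@example.com',
    'geoff@example.com%250Abcc%253A other@example.com',
];

foreach ($samples as $input) {
    $verdict = is_safe_header_value($input) ? 'accept' : 'reject';
    printf("%-60s %s\n", json_encode($input), $verdict);
}
```

Only the first sample is accepted. The line-break test is the one that matters most, since a new header cannot start without one; the header-name match is a second layer and will also reject legitimate text such as "reply to: ...", so it suits address and name fields rather than free-text bodies.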
