Regardless of whether mail() takes precautions, you should also
check input prior to trusting it.
Note: whether mail() does or doesn't, and whether it changes in the future, you
are covered if you always check.
I would suggest a simple addslashes() and the (shell/sendmail)
will be fine, OR, better still, do an array with a callback,
either removal or an addslashes() equivalent.
Timothy Hitchens (HiTCHO)
[EMAIL PROTECTED]
If you need PHP hosting with an experienced
support team 24/7 then email me today.
On Sat, 28 Dec 2002, Beth Gore wrote:
Hi,
If I'm taking a URL as user input from a form, and then emailing
that URL back to them as part of a larger message, how do I ensure that
no one sends anything strange to run shell commands through sendmail?
Could anyone confirm that mail() or even sendmail does take precautions
against shell commands being executed in the message body of the email?
If not, is there an easy way to remove everything except
:,/,.,a-Z,0-9? I've written very complicated things in the
past and I'm sure there must be an easier way!!!
I've already made sure it's not possible to abuse sendmail with the
user's email address, but I'm still nervous.
Thanks!
--
Beth Gore
http://www.habitformer.co.uk
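As an added example (not code from the thread, and not PHP's own source), here is a PHP 7+ version of the allow-list Beth asks about. It rejects rather than escapes: mail() hands the message body to sendmail on standard input, not through a shell command line, so shell metacharacters in the body are not executed; the realistic risk is a carriage return or line feed in anything that ends up in a header (the To: address, the subject, or extra headers), which lets the submitter append lines such as Bcc:. The checks therefore refuse any input containing CR/LF or characters outside the allowed set, and the headers are built from constants only. The example.com addresses and URLs, the 2048-byte length cap and the function names are constructed for this example.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7 or later.
// Strategy: reject, don't escape. mail() writes the body to sendmail's stdin
// rather than through a shell, so the thing to stop is a CR/LF that would let
// user input spill into a new header line (e.g. "Bcc: ...").

// Allow-list for a URL that will be echoed back in the message body:
// an http(s) scheme followed only by characters that legitimately occur in
// URLs. CR, LF, backticks, quotes, spaces etc. are simply not in the set.
function is_safe_url(string $url): bool
{
    // 2048 is an arbitrary cap chosen for this example.
    if ($url === '' || strlen($url) > 2048) {
        return false;
    }
    // \A and \z anchor to the true start/end of the string; '$' alone would
    // tolerate a trailing newline.
    return preg_match('/\Ahttps?:\/\/[A-Za-z0-9._~:\/?#\[\]@!$&()*+,;=%-]+\z/', $url) === 1;
}

// The address goes into the To: header, so a newline there is the classic
// header-injection vector. Refuse it explicitly, then let PHP's validator
// judge the syntax of what is left.
function is_safe_email(string $addr): bool
{
    if (preg_match('/[\r\n]/', $addr) === 1) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Build and send the confirmation. Headers come only from constants; user
// data appears nowhere but the body, and only after passing the allow-list.
function send_url_confirmation(string $to, string $url): bool
{
    if (!is_safe_email($to) || !is_safe_url($url)) {
        return false;
    }
    $subject = 'Your submitted URL';
    $body    = "Thanks, the URL you submitted was:\r\n\r\n" . $url . "\r\n";
    $headers = "From: noreply@example.com\r\n" . "X-Mailer: PHP/" . PHP_VERSION;
    return mail($to, $subject, $body, $headers);
}

// Constructed test inputs (not from the thread) showing what gets through.
$urls = [
    'https://example.com/path?q=1&x=2#frag'        => true,
    'http://example.com/'                           => true,
    "http://example.com/\r\nBcc: all@example.net"   => false, // header injection
    'http://example.com/`id`'                       => false, // shell metacharacters
    'file:///etc/passwd'                            => false, // wrong scheme
];
foreach ($urls as $input => $expected) {
    $verdict = is_safe_url($input) === $expected ? 'as expected' : 'MISMATCH';
    printf("url   %-45s -> %s\n", addcslashes($input, "\r\n"), $verdict);
}

$addrs = [
    'beth@example.com'                               => true,
    "beth@example.com\nBcc: everyone@example.net"    => false, // header injection
];
foreach ($addrs as $input => $expected) {
    $verdict = is_safe_email($input) === $expected ? 'as expected' : 'MISMATCH';
    printf("email %-45s -> %s\n", addcslashes($input, "\r\n"), $verdict);
}
```

Run it with `php example.php`; the loops exercise only the checks, so no MTA is needed. send_url_confirmation() is the piece you would call from the form handler, and the point of its shape is that the only user-controlled bytes reaching mail() are a URL that has already matched the allow-list, placed in the body.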
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php