Posted by Geoff Berrow on 06/03/06 09:40
Message-ID: <4eco6gF1dlndfU1@individual.net> from J.O. Aho contained the
following:
>Varanus wrote:
>> I'm attempting to set up a form that subscribes people to a mailing
>> list.
>>
>> The way the mailing list works is the user has to send an e-mail to
>> blahblah@blah.com from their e-mail account with "SUBSCRIBE BLAH" in
>> the body of the e-mail.
>>
>> I want to make it easier, and have a form where they just type in their
>> e-mail and it subscribes them to the mailing list.
>>
>>
>> It seemed simple enough for me, but I can't seem to get it right.
>>
>> my PHP code:
>> <?
>> $email = $_REQUEST['email'];
>> $from = "$email";
>> $body = "SUBSCRIBE CYPHERLOX";
>> mail( "stserv@list.cypherlox.com", $body, $email );
>> ?>
>
>As lorento already pointed out, the mail() isn't used the right way; you can
>see that in the online manual: http://www.php.net/manual/en/function.mail.php
>
>You have a security issue in your script: the $email/$from can be used to send
>extra headers such as Cc: and Bcc:, which are frequently used by spammers. You need
>to filter away those and any extra \r\n. Even if you use limitations in your
>form page, they can be got around by calling the script directly.
How about this:
function clean($input){
    // Reject any value containing a real CR or LF: a line break in the
    // address is what lets an attacker append extra headers (Cc:, Bcc:).
    // Note "\n" and "\r" in double quotes, not "\\n"/"\\r", which would
    // only match a literal backslash followed by a letter.
    if(strpos($input, "\n") === false && strpos($input, "\r") === false){
        return $input;
    }
    else{
        return false;
    }
}
$email = $_REQUEST['email'];
$subject = "SUBSCRIBE CYPHERLOX";
$body = "SUBSCRIBE CYPHERLOX";
if(clean($email)){
    // Only build the From: header from input that has passed the check.
    $from = "From: ".$email."\n";
    mail( "stserv@list.cypherlox.com", $subject, $body, $from );
}
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
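An added worked example (not code from this thread or from either poster) that carries the point J.O. Aho raised through to a complete subscribe handler. It keeps the list address and the SUBSCRIBE CYPHERLOX command from the thread; the function names validated_address(), subscribe_headers() and subscribe(), the recording sender closure, and the sample inputs are all constructed for illustration. It goes a step beyond the CR/LF check above by also requiring that the input be a single syntactically valid address (filter_var() with FILTER_VALIDATE_EMAIL), which rules out comma-separated lists and other header-shaped junk as well as injected line breaks.

```php
<?php
// Added example, not from the original thread: a subscribe form handler
// hardened against e-mail header injection. Function names and sample
// inputs below are constructed for this example.

// Return a validated address, or null if the input must be refused.
// The explicit CR/LF/NUL check is the one the thread discusses; the
// FILTER_VALIDATE_EMAIL check additionally rejects anything that is not
// one plain address (lists, display names, stray header text).
function validated_address(string $input): ?string {
    $input = trim($input);
    if (preg_match('/[\r\n\0]/', $input)) {
        return null;                       // line break or NUL: header injection attempt
    }
    if (strlen($input) > 254) {
        return null;                       // longer than any legitimate address
    }
    if (filter_var($input, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not a single well-formed address
    }
    return $input;
}

// Build the extra-headers argument for mail(). Only ever called with a
// validated address, so no user-controlled line break reaches the header block.
function subscribe_headers(string $address): string {
    return "From: " . $address . "\r\n" . "Reply-To: " . $address . "\r\n";
}

// Send the subscribe command on behalf of the user. $sender lets the example
// run without a mail transport; with null it falls back to PHP's mail().
function subscribe(string $rawEmail, ?callable $sender = null): bool {
    $address = validated_address($rawEmail);
    if ($address === null) {
        return false;                      // refuse silently; nothing is sent
    }
    $sender  = $sender ?? 'mail';
    $command = "SUBSCRIBE CYPHERLOX";
    return (bool) $sender("stserv@list.cypherlox.com", $command, $command,
                          subscribe_headers($address));
}

// Constructed inputs: one legitimate address, one CRLF injection attempt of
// the kind the thread warns about, and one multi-address smuggling attempt.
$samples = [
    "alice@example.com",
    "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    "alice@example.com, bob@example.com",
];

// A recording sender stands in for mail() so the headers can be inspected.
$sent = [];
$recorder = function (string $to, string $subject, string $body, string $headers) use (&$sent): bool {
    $sent[] = $headers;
    return true;
};

foreach ($samples as $sample) {
    $ok = subscribe($sample, $recorder);
    printf("%-70s => %s\n", json_encode($sample), $ok ? "sent" : "rejected");
}
printf("%d message(s) handed to the sender\n", count($sent));
foreach ($sent as $headers) {
    echo "headers: " . json_encode($headers) . "\n";
}
```

Running it shows that only the plain address is handed to the sender, and that the header block it receives contains exactly the From: and Reply-To: lines the script itself wrote. Replacing the recorder with the real mail() (pass no second argument) gives the production handler; the validation logic is unchanged.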