Re: Preventing spammers from using mail script

Posted by J.O. Aho on 11/21/06 21:14

On Tue, 21 Nov 2006 21:51:26 +0100, <affiliateian@gmail.com> wrote:

>
> J.O. Aho wrote:
>> It's not true, if you allow users to enter a FROM field which you then
>> directly without any filtering do assign to the mail() function's fourth
>> input
>> variable, then they can use CC and BCC to send the mail to whomever
>> they want.
>
> Hey JO, let me do more reading on your link:
> http://www.php.net/manual/en/function.mail.php
>
> As for injecting CC and BCC headers, can I manually set my headers in
> the php script with no addresses in the cc field. Would this help?
> $headers .= 'Cc:' . "\r\n";

I must say I'm not 100% sure what will happen, but I suspect that it won't
prevent anything at all.


> Basically, trying to tell the script NOT to cc or bcc anyone even those
> spammers could be trying to push this content through. Does that make
> sense?

The best and most sure way is to remove the \r\n, cc: and bcc:; then you
will have a long line instead of the many that the spammer tried to use.
The from: address will look quite strange, but at least the spam won't be
sent to anyone else.

// Double quotes are needed: in single quotes '\r\n' is a literal backslash sequence, not CRLF.
$mailheader = explode("\r\n", $fromfield);

Then you have to only pick out the right header from the array $mailheader
and only use that one. One way is to look for the first cell in the array
that doesn't have a ':' in it and use it as the from address.


//Aho
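
The filtering described in the message above, as an added example that is not part of the original post: it splits the submitted From value on any line break, keeps the first piece without a ':', and additionally requires it to be a valid address. The function name `clean_from_field` and the sample addresses are assumptions made for illustration.

```php
<?php
/**
 * Return a safe address for the From header, or null if no piece of the
 * input is a single plain e-mail address.
 * (Hypothetical helper name; not from the original post.)
 */
function clean_from_field(string $fromfield): ?string
{
    // Split on CRLF, bare CR or bare LF: any of them may be treated
    // as a header separator further down the mail path.
    $parts = preg_split('/\r\n|\r|\n/', $fromfield);

    // As in the post: take the first piece with no ':' in it, i.e. one
    // that is not an injected "Cc:" / "Bcc:" style header line.
    foreach ($parts as $part) {
        $part = trim($part);
        if ($part !== '' && strpos($part, ':') === false) {
            // Stricter than the post: it must also validate as an address.
            $addr = filter_var($part, FILTER_VALIDATE_EMAIL);
            return $addr === false ? null : $addr;
        }
    }
    return null;
}

// Constructed sample inputs (not taken from real traffic).
$samples = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: a@example.net, b@example.net",
    "Cc: a@example.net\nvisitor@example.com",
    'Bcc: a@example.net',
];

foreach ($samples as $raw) {
    $from = clean_from_field($raw);
    if ($from === null) {
        echo 'rejected: ' . json_encode($raw) . "\n";
        continue;
    }
    // Only the validated address reaches the fourth argument of mail().
    $headers = 'From: ' . $from . "\r\n";
    echo 'accepted: ' . json_encode($headers) . "\n";
    // mail($to, $subject, $message, $headers); // $to etc. are fixed by the script
}
```

A stricter variant rejects any submission that contains a line break at all instead of salvaging the first address from it.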

 
