Posted by Rik on 01/13/07 13:56
Curtis wrote:
> Chuck Anderson wrote:
> <snip>
>> I post the form to send_the_email_contact.php where I have the
>> following test:
>>
>> if(preg_match('`[\r\n]`',$_POST['subject']))
>> {
>> exit ('injection attempt ');
>>
>> }
> <snip>
>
> You don't necessarily have to stop processing when validating mail
> headers. You can easily strip out any CRLFs
You don't HAVE to. However, when something that will end up in a header
contains a CRLF when it shouldn't, I'd opt for not sending the mail at all.
It shouldn't be possible, so either there's something wrong with my code or
someone has sent faulty and potentially harmful information. Either way,
the mail should not be sent.
--
Rik Wasmus
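An added illustration of the reject-versus-strip choice discussed in this thread (example code written here, not from any poster): the function names isSingleHeaderLine, stripHeaderBreaks and buildHeaders and the sample inputs are assumed; the CR/LF pattern is the one from Chuck's snippet.

```php
<?php
// Added example, not from the thread: handling header-bound form fields that
// contain CR/LF, comparing "refuse to send" (Rik) with "strip and send" (Curtis).

/** True when $value contains no CR or LF, i.e. it cannot start a new header line. */
function isSingleHeaderLine(string $value): bool
{
    return preg_match('`[\r\n]`', $value) !== 1;
}

/** The stripping alternative: collapse any CR/LF run into a single space. */
function stripHeaderBreaks(string $value): string
{
    return preg_replace('`[\r\n]+`', ' ', $value);
}

/**
 * Build the header fields for mail(). Refuses (throws) instead of sending
 * when any header-bound field contains a line break, on the grounds that a
 * legitimate form submission never produces one.
 */
function buildHeaders(string $from, string $subject): array
{
    foreach (['From' => $from, 'Subject' => $subject] as $name => $value) {
        if (!isSingleHeaderLine($value)) {
            throw new InvalidArgumentException("$name contains a line break; refusing to send");
        }
    }
    return ['From' => $from, 'Subject' => $subject];
}

// Constructed inputs: a clean subject and one with an embedded CRLF.
$clean   = 'Question about your site';
$tainted = "Question\r\nX-Injected: example";

var_dump(isSingleHeaderLine($clean));
var_dump(isSingleHeaderLine($tainted));
var_dump(stripHeaderBreaks($tainted));

try {
    buildHeaders('user@example.com', $tainted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The stripped variant still delivers the mail with the injected text folded into the subject, while buildHeaders stops processing, which is the behaviour Rik argues for.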