Posted by Simon on 11/11/05 17:22
"Lisa Pearlson" <no@spam.plz> wrote in message
news:4374b2f5$0$6554$e4fe514c@dreader16.news.xs4all.nl...
> They can also inject stuff in the "Subject" line..
>
> You should run your name, e-mail and subject lines through a test function
> like mine:
>
> function isUnsafe($str)
> {
>     // Case-insensitive substring checks. stripos() replaces eregi(),
>     // which was deprecated in PHP 5.3 and removed in PHP 7.
>     if (stripos($str, 'Content-Type') !== false)
>         return true;
>
>     if (stripos($str, 'multipart/mixed') !== false)
>         return true;
>
>     if (stripos($str, 'bcc:') !== false)
>         return true;
>
>     return false;
> }
>
> Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
> dangerous.
>
> You should also hardcode the headers yourself with "Content-Type:
> text/html".
>
> HTH
> Lisa
>
Thanks, but my subject is also hard coded, in fact, everything is hard
coded.
I place everything together into the body of the message itself.
My question would be more, what can they inject in the actual body of the
email?
Simon
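The quoted isUnsafe() looks for a few header names that an attacker would want to add. The ingredient that makes header injection possible in the first place is a line break inside a value that ends up on a header line (name, e-mail address, subject): once a CR or LF is accepted, any header can follow it, not only the three in the blocklist. The following is an added example, not code from either poster, that rejects line breaks first and keeps the keyword checks from the thread as a second layer. The function name isUnsafeHeaderValue and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not from the original thread): a stricter test for values
// that will be placed in mail headers such as From, Reply-To or Subject.
// A header value is a single line, so any CR or LF is rejected outright;
// the keyword checks from the quoted isUnsafe() are kept as defence in depth.

function isUnsafeHeaderValue($str)
{
    // Raw line breaks: the actual injection vector.
    if (preg_match('/[\r\n]/', $str)) {
        return true;
    }
    // URL-encoded line breaks (%0A / %0D) that may survive if the value is
    // passed through undecoded.
    if (preg_match('/%0[ad]/i', $str)) {
        return true;
    }
    // NUL bytes can truncate the value in C-based mail transports.
    if (strpos($str, "\0") !== false) {
        return true;
    }
    // Keyword blocklist from the quoted post, kept as a second layer.
    foreach (array('Content-Type', 'multipart/mixed', 'bcc:') as $needle) {
        if (stripos($str, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed inputs for demonstration (hypothetical values, not from the thread).
$samples = array(
    'Question about my order'                     => false,
    "Hello\r\nBcc: someone@example.invalid"        => true,
    "Hello%0ABcc: someone@example.invalid"         => true,
    "Hello\nContent-Type: multipart/mixed"         => true,
);

foreach ($samples as $input => $expected) {
    $result = isUnsafeHeaderValue($input);
    printf("%-45s => %s (expected %s)\n",
        json_encode($input),
        $result ? 'unsafe' : 'safe',
        $expected ? 'unsafe' : 'safe');
}
```

The line-break test is the one that matters: a keyword list can only catch the headers its author thought of, while rejecting CR and LF (or stripping them before the value is placed in a header) closes the whole class. Values that go into the message body rather than the header block are a separate question, since the body is already past the blank line that terminates the headers.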