Posted by Simon on 11/14/05 15:00
"Toby Inkster" <usenet200511@tobyinkster.co.uk> wrote in message
news:40uf43-gsl.ln1@ophelia.g5n.co.uk...
> Simon wrote:
>
>> My question would be more, what can they inject in the actual body of the
>> email?
>
> Make sure the "additional headers" parameter ends with "\r\n\r\n" and you
> ought to be fine.
>
Sorry, I am still not sure I follow.
Almost everything is hard-coded (the 'to' and the 'subject'),
and the header is:
"Reply-To: webmaster@example.com\n" .
"From: webmaster@example.com\n" .
"Return-Path: webmaster@example.com\n" .
"MIME-Version: 1.0\n".
"Content-type: text/plain; charset=iso-8859-1\n".
"Content-transfer-encoding: 8bit\n".
"Date: " . date('r', time()) . "\n".
"X-Priority: 3\n".
"X-MSMail-Priority: Normal\n".
"X-Mailer: PHP/" . phpversion();
So are you saying I should add "\r\n\r\n" as well?
The message is created using the info given by the user, _but I don't check
that data_.
What could they inject into the message that would cause mail(...) to be
unsafe?
Thanks
Simon
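
An added example, not code from this thread: one way to keep a form like the one described safe is to build the header block only from fixed values, refuse line breaks in anything that ever goes into a header, and pass the user's text only as the body argument. The function names `header_value` and `body_text` and the sample message are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// A value destined for a header must not contain CR or LF: a line break
// there would start a new header line chosen by whoever filled in the form.
function header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// The body follows the blank line that ends the headers, so lines in it are
// plain text to the mail system even if they look like headers.
// Normalise line endings to CRLF and wrap at 70 characters, as the PHP
// manual asks for the message argument of mail().
function body_text(string $text): string
{
    $text = str_replace("\0", '', $text);
    $text = preg_replace('/\r\n|\r|\n/', "\r\n", $text);
    return wordwrap($text, 70, "\r\n");
}

// Headers are joined with CRLF and have no trailing line break;
// mail() adds the separator before the body itself.
$headers = implode("\r\n", [
    'From: ' . header_value('webmaster@example.com'),
    'Reply-To: ' . header_value('webmaster@example.com'),
    'MIME-Version: 1.0',
    'Content-Type: text/plain; charset=iso-8859-1',
    'Content-Transfer-Encoding: 8bit',
    'X-Mailer: PHP/' . phpversion(),
]);

// Constructed sample input: form text containing a header-like line.
$userMessage = "Hello\nX-Extra: value\n\nsecond paragraph";
$body = body_text($userMessage);

// mail('webmaster@example.com', 'Contact form', $body, $headers);
// Print the message as it would be laid out instead of sending it:
echo $headers, "\r\n\r\n", $body, "\r\n";
```

In the printed output the `X-Extra:` line appears below the blank line, inside the body, where it is not treated as a header.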