|
Posted by Philip Ronan on 11/14/05 23:27
"Toby Inkster" wrote:
> Simon wrote:
>
>> the message is created using the info given by the user. _but I don't check
>> that data_.
>> What could they inject into the message that would cause mail(...) to be
>> unsafe?
>
> $_POST['message'] = "BCC: me@example.com\r\n\r\nlalala";
Totally ineffective.
The $message parameter is not added to the headers. All you would manage to
do is create an email containing the following body:
> BCC: me@example.com
>
> lalala
Try reading up on the subject:
<http://uk2.php.net/manual/en/function.mail.php>
<http://www.ietf.org/rfc/rfc0822.txt>
--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
Navigation:
[Reply to this message]
|