Posted by juglesh on 11/18/05 03:55
Manuel Lemos wrote:
> Hello,
>
> on 11/11/2005 09:03 AM Simon said the following:
> > I was looking at mail injection,
> > http://securephp.damonkohler.com/index.php/Email_Injection
> >
> > And I was wondering if my mail(...) was safe.
> >
> > I ask in a form for
> > 1 Name
> > 2 Email address
> > 3 Subject
> > 4 Comment/Message
> >
> > I then build one message by putting all of the above together.
> > So even if there was injection, it is all in the body of my message, right?
> >
> > I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
> >
> > Is that a fairly safe way?
> >
> > How should I parse my form to prevent malicious code, (Script? eval?)
>
> Message headers should be encoded with q-encoding (a variant of
> quoted-printable encoding for headers). If you do not know how to encode
> the messages properly, you may want to try this MIME message class that
> can do it for you safely:
>
> http://www.phpclasses.org/mimemessage
I asked you about mail injection vis-à-vis the mimemessage class before, but
got an answer that I did not understand 8)
Do you need to filter user-supplied data prior to sending it through
mimemessage?
--
juglesh
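An added example, not code from this thread, from the Email_Injection page it links, or from the phpclasses MIME class: a contact-form handler where the "Email" field ends up in a From: header (the case Simon avoids by keeping everything in the body, and the case the thread's "encode the headers" advice is about). The unsafe builder shows how a CR/LF in the field adds attacker-chosen Bcc: and Subject: lines; the hardened builder rejects line breaks, validates the address, and Q-encodes the display name with mbstring's mb_encode_mimeheader. The function names, the sample attack string and the mbstring dependency are assumptions for this example.

```php
<?php
// Added example for the header-injection question in this thread.
// Not code from the original post or from the mimemessage class.
// Assumes the mbstring extension is available (mb_encode_mimeheader).
declare(strict_types=1);

// Vulnerable pattern: a form field is concatenated straight into a header
// line, so a CR/LF inside it terminates the From: header and starts new ones.
function build_headers_unsafe(string $name, string $email): string
{
    return "From: $name <$email>\r\n";
}

// Hardened pattern (example code, hypothetical helper name):
//  1. refuse any value containing CR or LF, the only way to start a new header;
//  2. validate the address syntax;
//  3. Q-encode the display name (RFC 2047 "Q" encoding, a quoted-printable
//     variant for headers) so non-ASCII or special characters cannot be read
//     as header syntax by the MTA.
function build_headers_safe(string $name, string $email): string
{
    foreach ([$name, $email] as $value) {
        if (preg_match('/[\r\n]/', $value) === 1) {
            throw new InvalidArgumentException('line break in header field: injection attempt rejected');
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $encodedName = mb_encode_mimeheader($name, 'UTF-8', 'Q');
    return "From: $encodedName <$email>\r\n";
}

// Constructed sample input: what an attacker submits in the "Email" field.
// In the raw POST body the line breaks arrive as %0D%0A; PHP has already
// URL-decoded them into real CR/LF by the time $_POST is read, so the
// attack string is built here with literal "\r\n".
$attackEmail = "victim@example.com\r\n"
    . "Bcc: spam1@example.org, spam2@example.org\r\n"
    . "Subject: Buy now";

echo "--- unsafe: attacker gains Bcc: and Subject: lines ---\n";
echo build_headers_unsafe('Simon', $attackEmail);

echo "--- safe: same input is rejected ---\n";
try {
    echo build_headers_safe('Simon', $attackEmail);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "--- safe: legitimate non-ASCII name is Q-encoded ---\n";
echo build_headers_safe('Simon Müller', 'simon@example.com');

// Wiring it into mail(): To: and Subject: stay hard-coded as in Simon's form,
// user text goes into the body, and only the checked/encoded header is passed
// as the fourth argument.
// mail('me@example.com', 'Contact form', $body, build_headers_safe($name, $email));
```

The check in build_headers_safe is what you would want regardless of which MIME library assembles the message: encoding a header value correctly only protects you if the value does not already contain a line break, so reject CR/LF first, then encode. Everything placed in the body, as Simon does, needs no header encoding at all.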