Posted by xmp333 on 10/27/96 11:34

Hello,


A spammer is apparently using email injection on my form, however my I
thought email injection requires mainpulation of the headers parameter
in mail() and I'm not using that parameter. My mail call looks like:

mail($to,$subj,$body)

So how is the spammer getting me? Is mail() translating to a raw
stream so that headers can be inserted in the body, or is there some
kind of buffer overflow that can be exploited? Since I'm using dynamic
variables, I can't see how this would occur, but then I'm no PHP
expert.

Any help would be greatly appreciated. I know beefing up input
validation should take care of this, but I want to understand what the
spammer is doing so I can reproduce and validate this fix.

Thanks in advance.

• Next in forum: Re: Email Injection w/ Out Header?
• Prev in forum: Re: Func to Turn Relative URLs into Abs URLs
• Thread view: Email Injection w/ Out Header?

[Reply to this message]