Posted by Gordon Burditt on 02/06/06 19:00
>if (ereg(":", $Name) || ereg(":", $From))
>
>If I validate my mail() headers thus, will this stop spammers being
>able to abuse my mail form? If there is somebody who has a colon in
>their name or email address, I have yet to meet them.
Do not permit any variable used in constructing the arguments
to the mail() function to contain line ending characters (\r or \n)
except for the message body, and that only after you have provided
a blank line to separate the headers from the body. You check
this with PHP, *not* javascript (which can be removed from the
spammer's copy of the form).
Do not allow the form to specify any part of the to: or cc: address.
Gordon L. Burditt
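The checks Gordon describes, as an added example that is not part of the original post or Gordon's own code: every form value that ends up in a mail() header is rejected if it contains \r or \n, the From address is validated as an address rather than just checked for a colon, the recipient is fixed on the server instead of taken from the form, and only the body may contain line endings. The field names (`name`, `from`, `subject`, `body`), the functions `isSafeHeaderValue` and `buildMailArguments`, and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not from the original post): stop header injection before
// any user-supplied value reaches mail().

// True only if $value contains no CR or LF. A single header field must not
// be able to turn into several by carrying a line ending.
function isSafeHeaderValue(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Builds the arguments for mail() from form input. Throws on any header-bound
// field that contains a line ending; the recipient is fixed server-side so the
// form cannot choose To: or Cc:.
function buildMailArguments(array $form, string $fixedRecipient): array
{
    $name    = trim($form['name'] ?? '');
    $from    = trim($form['from'] ?? '');
    $subject = trim($form['subject'] ?? '');
    $body    = $form['body'] ?? '';

    // Header-bound fields: no \r or \n anywhere.
    foreach (['name' => $name, 'from' => $from, 'subject' => $subject] as $field => $value) {
        if (!isSafeHeaderValue($value)) {
            throw new InvalidArgumentException("Line ending in header field '$field'");
        }
    }

    // Check that From is actually an address, not merely colon-free.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid From address');
    }

    // The body is the only place line endings are allowed; normalise them
    // to CRLF so the blank line mail() emits between headers and body is
    // unambiguous.
    $body = preg_replace("/\r\n|\r|\n/", "\r\n", $body);

    // Quote the display name; double quotes and backslashes are removed so
    // the quoting cannot be broken out of.
    $displayName = str_replace(['"', '\\'], '', $name);
    $headers     = "From: \"$displayName\" <$from>\r\n";

    return [
        'to'      => $fixedRecipient,
        'subject' => $subject,
        'message' => $body,
        'headers' => $headers,
    ];
}

// Constructed sample inputs: a legitimate submission and one whose name field
// carries an injected header line, the pattern this thread is about.
$good = ['name' => 'Alice Example', 'from' => 'alice@example.com',
         'subject' => 'Hello', 'body' => "Hi\nthere"];
$bad  = ['name' => "Eve\r\nBcc: someone@example.net", 'from' => 'eve@example.com',
         'subject' => 'x', 'body' => ''];

foreach ([$good, $bad] as $input) {
    try {
        $args = buildMailArguments($input, 'webmaster@example.com');
        echo "accepted: ", $args['headers'];
        // mail($args['to'], $args['subject'], $args['message'], $args['headers']);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Running this accepts the first input and rejects the second with "Line ending in header field 'name'". Because the check runs in PHP on the server, it still applies when the form's client-side script has been stripped. Note that the `ereg()` family from the quoted snippet was deprecated in PHP 5.3 and removed in PHP 7, so `strpbrk()`, `filter_var()` or `preg_match()` are the tools to use in current code.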