Posted by François on 02/06/06 19:28
"Gordon Burditt" <gordonb.eiwt9@burditt.org> wrote in message
news:11uf04s9ocmvc08@corp.supernews.com...
> >if (ereg(":", $Name)) || (ereg(":", $From))
> >
> >If I validate my mail() headers thus, will this stop spammers being
> >able to abuse my mail form? If there is somebody who has a colon in
> >their name or email address, I have yet to meet them.
>
> Do not permit any variable used in constructing the arguments
> to the mail() function to contain line ending characters (\r or \n)
> except for the message body, and that only after you have provided
> a blank line to separate the headers from the body. You check
> this with PHP, *not* javascript (which can be removed from the
> spammer's copy of the form).
>
> Do not allow the form to specify any part of the to: or cc: address.
Hi Gordon,
Thanks for your input. I only have three user fields in the form. If I
expand the colon removal to all three fields that'll do the trick
won't it? They need the colon to inject spurious cc: or bcc:
addresses.
Many thanks
Franc
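Gordon's rule above, as an added PHP example that is not part of the thread: every value that ends up in a mail() header is rejected if it carries \r or \n, the recipient is a fixed constant rather than a form field, and only the body is allowed to contain line breaks. The field names Name, From and Message and the hypothetical address are assumptions.

```php
<?php
// Added example (not from the thread): apply Gordon's rule to a contact form.
// Only the message body may contain newlines; every header value is checked.

const RECIPIENT = 'webmaster@example.com'; // fixed; never taken from the form

function headerValueIsSafe(string $value): bool
{
    // A CR, LF or NUL in a header value is what lets an extra header line
    // (Cc:, Bcc:, ...) or an early header/body separator reach mail().
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function buildContactMail(array $post): ?array
{
    $name    = trim($post['Name'] ?? '');
    $from    = trim($post['From'] ?? '');
    $message = (string) ($post['Message'] ?? '');

    if ($name === '' || !headerValueIsSafe($name)) {
        return null; // server-side rejection; JavaScript checks do not count
    }
    // FILTER_VALIDATE_EMAIL also refuses line breaks, but check explicitly.
    if (!headerValueIsSafe($from) || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Headers are built only from values that passed the checks above.
    // The body is passed separately; mail() puts it after the blank line.
    return [
        'to'      => RECIPIENT,
        'subject' => 'Contact form: ' . $name,
        'body'    => $message,
        'headers' => "From: {$from}\r\nReply-To: {$from}\r\n",
    ];
}

// Constructed sample submission with a line break smuggled into the Name
// field; buildContactMail() returns null, so mail() is never called.
$sample = [
    'Name'    => "Alice\r\nBcc: someone@example.net",
    'From'    => 'alice@example.org',
    'Message' => "Hello,\nsecond line of the body is fine.",
];
$mail = buildContactMail($sample);
if ($mail !== null) {
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```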