Posted by bokke on 11/03/37 11:41

Chung Leong wrote:
> bokke wrote:
> > I have an online form - script below. I thought it was secure, but
> > last night I got 20 or so blank e-mails from my site and one that
> > bounced ?? Is this script secure or am I being abused by spammers?
>
> There's a flaw in your regular expression. Right now it only looks for
> the existence of a valid e-mail address within $email. Thus if $email
> contains the following:
>
> sender@anonymous.www
> Cc:recipient@someothersite.xxx
> Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx
>
> preg_match() will return true since there certainly is a correctly
> formatted e-mail address in there.
>
> Putting ^ at the beginning and $ at the end of the expression should
> yield something more like what you had intended.

How about using this
$Name = $HTTP_POST_VARS['Name'];
$email = preg_replace( '/[\r\n]/', '', $email );
$email = $HTTP_POST_VARS['email'];
$subject = "Message From us";

would this stop the abuse because it seems they are not using a
'return'?

michael

• Next in forum: Re: How to replace an item in the url search string
• Prev in forum: Re: Getting values into a form: PHP (Server) or Javascript (Client) Side?
• Thread view: Re: security issue

[Reply to this message]