Posted by affiliateian on 11/21/06 20:51
J.O. Aho wrote:
> It's not true, if you allow users to enter a FROM field which you then
> directly, without any filtering, assign to the mail() function's fourth input
> variable, then they can use CC and BCC to send the mail to whomever they want.
Hey JO, let me do more reading on your link:
http://www.php.net/manual/en/function.mail.php
As for injecting CC and BCC headers, can I manually set my headers in
the PHP script with no addresses in the cc field? Would this help?
$headers .= 'Cc:' . "\r\n";
Basically, trying to tell the script NOT to cc or bcc anyone even though
spammers could be trying to push this content through. Does that make
sense?
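The question above, as an added example that is not part of the original post: an empty Cc line does not help, because a line break inside the submitted From value starts a header line of its own. The function names and the example.com addresses are assumptions made for illustration, and no mail is sent.

```php
<?php
// Added example: only builds the header string that would be passed as
// the fourth argument of mail(); nothing is sent.

// Pattern from the thread: user-supplied From placed in the headers unfiltered,
// followed by the empty Cc line proposed in the post.
function build_headers_unfiltered(string $from): string
{
    $headers  = 'From: ' . $from . "\r\n";
    $headers .= 'Cc:' . "\r\n";
    return $headers;
}

// Hardened form: refuse any CR or LF, then require one valid address.
function build_headers_checked(string $from): ?string
{
    if (preg_match('/[\r\n]/', $from)) {
        return null; // a line break would begin a new header
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not a single well-formed address
    }
    return 'From: ' . $from . "\r\n";
}

// List the header names (lower-cased) present in a header block.
function header_names(string $headers): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if (preg_match('/^([A-Za-z-]+):/', $line, $m)) {
            $names[] = strtolower($m[1]);
        }
    }
    return $names;
}

// Constructed form input; the addresses are placeholders.
$submitted = "visitor@example.com\r\nBcc: other@example.com";

// Unfiltered builder: the Bcc line arrives inside the From value,
// independently of the empty Cc line the script adds afterwards.
print_r(header_names(build_headers_unfiltered($submitted)));

// Checked builder: same input, then a plain address for comparison.
var_dump(build_headers_checked($submitted));
var_dump(build_headers_checked('visitor@example.com'));
```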