Posted by J.O. Aho on 11/21/06 21:14

On Tue, 21 Nov 2006 21:51:26 +0100, <affiliateian@gmail.com> wrote:

>
> J.O. Aho wrote:
>> It's not true, if you allow users to enter a FROM field which you the=
n
>> directly without any filtering do assign to the mail() functions four=
th =

>> input
>> variable, then they can use CC and BCC to send the mail to whom ever =
=

>> they want.
>
> Hey JO, let me do more reading on your link:
> http://www.php.net/manual/en/function.mail.php
>
> As for injecting CC and BCC headers, can I manually set my headers in
> the php script with no addresses in the cc field. Would this help?
> $headers .=3D 'Cc:' . "\r\n";

I must say i'm not 100% sure what will happen, but I suspect that it won=
't =

prevent anything at all.


> Basically, trying to tell the script NOT to cc ot bcc anyone even thos=
e
> spammers could be trying to push this content through. Does that make
> sense?

The best and most sure what will happen is to remove the \r\n, cc: and =

bcc:, then you will have a long line instead of the many that the spamme=
r =

tried to use, the from: address will look quite strange, but at least th=
e =

spam won't be sent to anyone else.

$mailheader=3Dexplode('\r\n',$fromfield);

then you have to only pick out the right header from the array $mailhead=
er =

and only use that one, one way is to look for the first cell in the arra=
y =

that don't have a ':' in it and use it as the from address.


//Aho

[Back to original message]