Posted by moosus on 11/24/06 00:55

Flamer
- thanks 4 the reply

I do understand about code injection.

I guess the question was more "is it possible to inject onto 'string
message' parameter of the email function?

After a little bit more reading it looks like the answer is yes

cheers


in article 1164327053.961715.124960@l39g2000cwd.googlegroups.com, flamer
die.spam@hotmail.com at die.spam@hotmail.com wrote on 24/11/06 10:10 AM:

>
> moosus wrote:
>> G'day Guys,
>>
>> Do I need to worry about cleaning my $_POST[comments] field before using it
>> in a mail() function?
>>
>> Cheers
>> moosus
>
> you mean incase someone inserts malicious code into your web forms??
> yes you should use striptags(), look at http://www.php.net/striptags
> there are example scripts there that do a pretty good job of cleaning
> anything slightly malicious - striptags on its own isnt 100% surefire.
>
> Flamer.
>

[Back to original message]