|
Posted by Curtis on 01/13/07 13:38
Chuck Anderson wrote:
<snip>
> I post the form to send_the_email_contact.php where I have the following
> test:
>
> if(preg_match('`[\r\n]`',$_POST['subject']))
> {
> exit ('injection attempt ');
>
> }
<snip>
You don't necessarily have to stop processing when validating mail
headers. You can easily strip out any CRLFs
<?php
$safeHeader = str_replace(array("\r","\n"), '', $_POST['subject']);
// strips out \r and \n, leaving the rest intact
?>
Curtis
[Back to original message]
|