Posted by J.O. Aho on 02/28/07 21:40
rcoan@chaparralboats.com wrote:
> Ok, now on to security measures.... Could someone explain to me what
> this code does, how it secures the emails and where in my code I
> should implement it?
I'll give it a try... I guess Steve will say something if I don't manage...
> $emailInput = array($to, $from, $cc, $bcc, $subject, $message);
$emailInput is an array of all the data sent with the form; I think the
variable names explain themselves quite well.
> $injections = array('to', 'from', 'cc', 'bcc');
Here we create another array of mail headers that are often injected; I
think I would have included 'reply-to' in the array too.
> foreach ($emailInput as &$input) // by reference, so the cleaned value is written back
foreach works kind of like a for loop: it loops through the $emailInput
array, and each cell gets a temporary alias, $input.
> {
> foreach ($injections as $injection)
This works the same way, but this is for the headers that could have
been injected. This is a loop inside another loop.
> {
> $input = preg_replace("/\n?" . $injection . "\s*?:.*?\n/i", '',
> $input);
Here we say that we want to replace the injected header with an empty
string; the source is $input (alias for a cell in $emailInput), and the
result is stored back without the injected headers.
> }
>
> }
When you get here, $emailInput has been cleared of the To:, From:, Cc:
and Bcc: headers that someone may have injected through the form.
> list($to, $from, $cc, $bcc, $subject, $message) = $emailInput;
Here we store the values back into the variables you had in the
beginning, but now without the injected headers.
--
//Aho
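The filter discussed in the reply above, in runnable form, as an added example that is not code from the thread (neither rcoan's, Steve's nor J.O. Aho's). It assumes a contact form with the fields named in the post and never calls mail(); the pattern is written out with CRLF handling and anchored to the start of a line, and a reject-based check is shown beside it, because refusing an address that contains a line break is simpler than deciding what to cut out of it. The example input, function names and error messages are constructed for illustration.

```php
<?php
// Added example for this thread; it is not the code posted by rcoan, Steve or
// J.O. Aho. It never calls mail(): the cleaned fields and the headers that
// would be passed to it are printed so the effect of each check is visible.

// Header names commonly injected through a contact form; 'reply-to' is added
// as suggested in the reply above.
$injections = array('to', 'from', 'cc', 'bcc', 'reply-to');

// Strip-based filter in the spirit of the preg_replace loop discussed above,
// tightened in two ways: the header name must sit at the start of a line (so
// "Photo:" is not mangled by the 'to' rule and "Bcc:" by the 'cc' rule), and
// CRLF line endings are accepted, since that is what SMTP and most injection
// payloads use. Single quotes keep \r and \n as PCRE escapes.
function strip_injected_headers($input, array $injections)
{
    foreach ($injections as $name) {
        $pattern = '/(?:^|\r?\n)[ \t]*' . preg_quote($name, '/')
                 . '[ \t]*:[^\r\n]*(?:\r?\n|$)/i';
        $input = preg_replace($pattern, '', $input);
    }
    return $input;
}

// Reject-based check. A single address or a subject line never legitimately
// contains a carriage return or line feed, so for the header fields it is
// safer to refuse the submission than to guess what to cut out.
function has_crlf($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of error messages; an empty list means the fields are safe to
// hand to mail(). This runs after the form values are read and before mail().
function validate_mail_fields(array $fields)
{
    $errors = array();
    foreach (array('to', 'from', 'cc', 'bcc', 'subject') as $name) {
        if (has_crlf($fields[$name])) {
            $errors[] = "$name contains a line break";
        }
    }
    foreach (array('to', 'from') as $name) {
        if (filter_var($fields[$name], FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$name is not a valid e-mail address";
        }
    }
    return $errors;
}

// Builds the additional_headers argument for mail() from validated fields.
// Empty Cc/Bcc fields are omitted rather than sent as empty headers.
function build_headers(array $fields)
{
    $lines = array('From: ' . $fields['from']);
    if ($fields['cc'] !== '') {
        $lines[] = 'Cc: ' . $fields['cc'];
    }
    if ($fields['bcc'] !== '') {
        $lines[] = 'Bcc: ' . $fields['bcc'];
    }
    return implode("\r\n", $lines);
}

// Constructed attack input (not a real submission): the From field carries an
// injected Bcc header, the classic way a contact form is turned into a relay.
$fields = array(
    'to'      => 'sales@example.com',
    'from'    => "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net\r\n",
    'cc'      => '',
    'bcc'     => '',
    'subject' => 'Photo: beach trip',   // harmless, but contains "to:" inside a word
    'message' => "Hello,\r\nplease call me back.",
);

// 1. Strip approach. The cleaned value is written into a new array; assigning
//    to the loop variable of a plain foreach would only change a copy.
$stripped = array();
foreach ($fields as $name => $value) {
    $stripped[$name] = strip_injected_headers($value, $injections);
}
print_r($stripped);

// 2. Reject approach. The same input fails validation, so mail() is never
//    reached; a clean submission would produce the headers instead.
$errors = validate_mail_fields($fields);
if (count($errors) > 0) {
    print_r($errors);
} else {
    echo build_headers($fields), "\n";
}
```

Two points worth keeping in mind when placing this in a form handler. First, the strip filter only removes header lines whose names are in $injections; an injected Content-Type or MIME-Version line, for instance, passes straight through, which is why the reject check treats any CR or LF in a header field as grounds to refuse the whole submission. Second, a plain foreach in PHP hands you a copy of each element, so a filter that assigns to the loop variable must either iterate by reference or, as above, write the result into a new array; otherwise the list() at the end restores the original, unfiltered values.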