Posted by ZeldorBlat on 09/11/07 22:20

On Sep 11, 2:56 pm, Tha RagMan <wmercier.nos...@shelby.net> wrote:
> On Tue, 11 Sep 2007 17:42:34 -0000, ZeldorBlat <zeldorb...@gmail.com>
> wrote:
>
> >this script can easily be used by spammers to send mail wherever they like.
>
> ZeldorBlat;
> My sincere thanks and appreciation for your info and and above
> caution. I followed your instructions and the script worked perfectly.
> To that extent I am delighted. You have raised a concern though
> concerning the Script being vunerable to Spammers. Is there any easy
> fix to avoid this, as I certainly don't need anyone creating spam
> problems for me. I utilize these scripts in probably 20 forms and this
> is a real concern. Is there another program simular to what I am
> currently using that will spit out scripts that are secure to avoid
> this worry or possibly some code that would handle the security issue?
> I moved from *.cgi formmail for this very reason and now it seems I am
> right back where I started.
>
> Many thanks again for your help and assistance. I am truly grateful.
> Tha RagMan

I'm not sure why they use addslashes() here:

@$Name = addslashes($_POST['Name']);
@$Email = addslashes($_POST['Email']);
@$Comments = addslashes($_POST['Comments']);

since the data isn't going to a database that uses slashes to escape
things. Even if it was going to a database, there are better ways to
do that.

To prevent spammers from hijacking your form you just want to make
sure that anything going into the headers doesn't have a \n or \r in
it. In your case you want to check the value of $email, since that's
mainly what you're putting into headers. All you really need to do is
replace:

@$Email = addslashes($_POST['Email']);

with

@$Email = str_replace(array("\r", "\n"), ' ', $_POST['Email']);

That will simply replace any instances of \r or \n with a space and
prevent header injection.

[Back to original message]