Posted by Bill H on 10/28/07 19:22
Jerry:
I'm not sure I understand the responses. It appears:
1) the script is safe because no user input is used in the header.
2) the script is safe because no user data is passed into the script or
database,
3) JavaScript shouldn't be used as an error trapping technique, although it
is safe
I don't validate the user input because I don't really care if the input is
valid or not; almost everyone who uses the page gives good information since
they're asking us for something.
So, the script is safe but it would be wise to hire someone to build a
better script with proper error handling. Is this about correct?
Thanks,
Bill
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:CNCdnTTVatATNL7anZ2dnUVZ_r2nnZ2d@comcast.com...
> Bill H wrote:
>> I've changed our web site to use a simple PHP script to send a demo
>> request to our sales office. We use Postfix and everything is set up
>> properly and works fine. I've been informed there are some security
>> issues to review.
>>
>> The script looks like:
>>
>> <html>
>> <head><title>PHP Mail Sender</title></head>
>> <body>
>> <?php
>>
[snipped]
>> }
>> ?>
>> </body>
>> </html>
>>
>> The main issue I'm wondering about is if I control the to and from
>> address and header information for the mail, as I do above, is it
>> possible to inject something else into the email to hijack the mail
>> server?
>>
>> Thanks,
>>
>> Bill
>
> Well, you're placing anything in the header which comes from the user
> (i.e. from address, subject, etc.), so in that respect your script is
> safe.
>
> However, just to be safe, you should verify the data input by the user.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================
>
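For readers following the thread: the concern Bill raises (whether keeping the To address and the header block under the script's control prevents something extra from being injected into the mail) and Jerry's advice to verify the user's input come together in a form handler that builds every header from fixed strings and rejects any user-supplied value that contains a line break, since a CR or LF inside a header value is what lets a visitor add header lines of their own. The handler below is an added example, not Bill's script and not anything posted in the thread; the form field names, the `noreply@example.com` sender and the `SALES_TO` recipient are assumptions.

```php
<?php
// Added example (not the poster's script): a demo-request form handler that
// keeps the recipient and the header block fixed, and validates the
// visitor-supplied fields before any of them reaches mail().
// Field names and both addresses are assumed.

const SALES_TO = 'sales@example.com';   // assumed fixed recipient

/**
 * True if $value contains no CR or LF. A line break inside a header value
 * would end that header and start another, which is what header injection
 * depends on, so any such value is refused outright instead of "cleaned".
 */
function isSingleLine(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

/**
 * Validate already-trimmed form fields. Returns a list of error messages;
 * an empty list means the request may be sent.
 */
function validateDemoRequest(array $fields): array
{
    $errors = [];

    if (!isSingleLine($fields['email'])
        || filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }

    if ($fields['name'] === '' || !isSingleLine($fields['name'])
        || strlen($fields['name']) > 100) {
        $errors[] = 'Name is required and must be a single line of at most 100 characters.';
    }

    if ($fields['message'] === '' || strlen($fields['message']) > 4000) {
        $errors[] = 'Message is required (at most 4000 characters).';
    }

    return $errors;
}

/**
 * Send the request to the sales address. Returns mail()'s result, or false
 * when validation fails (errors are echoed to the visitor).
 */
function sendDemoRequest(array $post): bool
{
    $fields = [
        'name'    => trim((string) ($post['name'] ?? '')),
        'email'   => trim((string) ($post['email'] ?? '')),
        'message' => trim((string) ($post['message'] ?? '')),
    ];

    $errors = validateDemoRequest($fields);
    if ($errors !== []) {
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        return false;
    }

    // Every header line is a fixed string; the only visitor-controlled value,
    // the Reply-To address, has been checked to be a single-line valid address.
    $headers = "From: Demo Request Form <noreply@example.com>\r\n"
             . "Reply-To: " . $fields['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    // Subject is derived from the validated, single-line, length-limited name.
    $subject = 'Demo request from ' . $fields['name'];

    // The body may contain line breaks; it is not part of the header block.
    $body = "Name: {$fields['name']}\n"
          . "E-mail: {$fields['email']}\n\n"
          . "{$fields['message']}\n";

    return mail(SALES_TO, $subject, $body, $headers);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    sendDemoRequest($_POST);
}
```

The design choice is to reject rather than strip: a name or address containing a line break is not a value a real requester types, so refusing it loses nothing, whereas stripping characters silently can leave a value that passes a later check in an unexpected form. Keeping the recipient in a constant rather than in a hidden form field means the script, not the browser, decides where the mail goes.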