Reply to Re: mail function-new line-security

Your name:

Reply:


Posted by "A.J. Brown" on 09/28/05 15:54

I think you're thinking of "spam injection" through register_globals. If
so, yes it is vulnerable.

You need to force the variable data to come from the $_POST variable:

[code]

$name = $_POST['name'];
$phone = $_POST['phone'];
$user_mail = $_POST['user_mail'];
$my_email = $_POST['my_email'];

$usermailmsg =
"This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n

....
Please feel free to write us with any comments or suggestions so that we may
better serve you.\n
mailto:$my_email\n\n";

mail("$user_mail", "$subject", "$usermailmsg", "$headers");

[/code]
--

Sincerely,

A.J. Brown


""Peppy"" <peppy@foxedge.net> wrote in message
news:00b601c5c3b0$b6b78cb0$990bfd04@foxak...
I have been working on making my contact forms more secure. In my research,
the occurence of the new line character \n at the end of the $headers
variable in the mail function seems to be a security risk and opens one up
to injection of spam email. This part I understand. I have been unable to
find out this same information about the message variable.

If I have a variable defining the message like this, can I use the new line
character or am I opening myself up to more spam injection.

$usermailmsg =
"This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n
....
Please feel free to write us with any comments or suggestions so that we may
better serve you.\n
mailto:$my_email\n\n";

mail("$user_mail", "$subject", "$usermailmsg", "$headers");

Thanks in advance for any help.

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация