|
Posted by "A.J. Brown" on 09/28/05 15:54
I think you're thinking of "spam injection" through register_globals. If
so, yes it is vulnerable.
You need to force the variable data to come from the $_POST variable:
[code]
$name = $_POST['name'];
$phone = $_POST['phone'];
$user_mail = $_POST['user_mail'];
$my_email = $_POST['my_email'];
$usermailmsg =
"This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n
....
Please feel free to write us with any comments or suggestions so that we may
better serve you.\n
mailto:$my_email\n\n";
mail("$user_mail", "$subject", "$usermailmsg", "$headers");
[/code]
--
Sincerely,
A.J. Brown
""Peppy"" <peppy@foxedge.net> wrote in message
news:00b601c5c3b0$b6b78cb0$990bfd04@foxak...
I have been working on making my contact forms more secure. In my research,
the occurence of the new line character \n at the end of the $headers
variable in the mail function seems to be a security risk and opens one up
to injection of spam email. This part I understand. I have been unable to
find out this same information about the message variable.
If I have a variable defining the message like this, can I use the new line
character or am I opening myself up to more spam injection.
$usermailmsg =
"This is the information you submitted.\n
If this is not correct, please contact us at mailto:$my_email.\n\n
Name: $name\n
Phone: $phone\n
....
Please feel free to write us with any comments or suggestions so that we may
better serve you.\n
mailto:$my_email\n\n";
mail("$user_mail", "$subject", "$usermailmsg", "$headers");
Thanks in advance for any help.
[Back to original message]
|