Posted by Lisa Pearlson on 11/11/05 17:04

They can also inject stuff in the "Subject" line.

You should run your name, e-mail and subject lines through a test function
like mine:

function isUnsafe($str)
{
    // eregi() was removed in PHP 7; stripos() !== false gives the same
    // case-insensitive substring test each line used to do.
    if (stripos($str, 'Content-Type') !== false)
        return true;

    if (stripos($str, 'multipart/mixed') !== false)
        return true;

    if (stripos($str, 'bcc:') !== false)
        return true;

    return false;
}

Probably isn't sufficient, but the "Content-Type" and "multipart" stuff is
dangerous.

You should also hardcode the headers yourself with "Content-Type:
text/html".

HTH
Lisa


"Simon" <spambucket@example.com> wrote in message
news:3tjbrrFt8tb1U1@individual.net...
> Hi,
>
> I was looking at mail injection,
> http://securephp.damonkohler.com/index.php/Email_Injection
>
> And I was wondering if my mail(...) was safe.
>
> I ask in a form for
> 1 Name
> 2 Email address
> 3 Subject
> 4 Comment/Message
>
> I then build one message by putting all of the above together.
> So even if there was injection, it is all in the body of my message,
> right?
>
> I then use mail(...) as per normal with my hard coded "To:" and "Subject:"
>
> Is that a fairly safe way?
>
> How should I parse my form to prevent malicious code, (Script? eval?)
>
> Many thanks for your input.
>
> Simon
>
>
>
>
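Added example, not from Lisa's or Simon's posts: a contact-form handler that applies the advice in the thread (keyword check on name, e-mail and subject, hardcoded To: and Content-Type:) and adds the check that actually closes the hole, refusing any carriage return or line feed in a field that ends up in a header. Function names, the recipient address and the sample submissions are my own assumptions; Content-Type: is set to text/plain rather than text/html so the body cannot carry markup either.

```php
<?php
// Added example (not the original poster's code). Header injection in mail()
// works by putting a line break into a header field; without a line break no
// extra header (Bcc:, Content-Type:, ...) can be added, so that is the primary
// check. The keyword test from the thread is kept as defence in depth.

function hasHeaderInjection(string $value): bool
{
    // Any CR or LF in a header field is refused outright.
    if (preg_match('/[\r\n]/', $value) === 1) {
        return true;
    }
    // Same keyword test as isUnsafe() in the thread, case-insensitive.
    foreach (['Content-Type', 'multipart/mixed', 'bcc:'] as $needle) {
        if (stripos($value, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Builds the mail() arguments, or returns null when the submission is refused.
// Only the recipient, subject prefix and headers are ours; user input goes
// into the body (and Reply-To:, after validation).
function buildContactMail(array $form): ?array
{
    $name    = trim((string)($form['name'] ?? ''));
    $email   = trim((string)($form['email'] ?? ''));
    $subject = trim((string)($form['subject'] ?? ''));
    $message = (string)($form['message'] ?? '');

    foreach ([$name, $email, $subject] as $field) {
        if (hasHeaderInjection($field)) {
            return null;
        }
    }
    // FILTER_VALIDATE_EMAIL rejects addresses containing whitespace or
    // line breaks, so the Reply-To: header below cannot be extended.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $headers = "From: contact-form@example.com\r\n"     // assumed sender
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    $body = "Name: " . $name . "\n"
          . "E-mail: " . $email . "\n"
          . "Subject: " . $subject . "\n\n"
          . $message;

    return [
        'to'      => 'webmaster@example.com',      // hardcoded, assumed address
        'subject' => 'Contact form: ' . $subject,  // hardcoded prefix
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Sends the mail only when buildContactMail() accepted the submission.
function sendContactMail(array $form): bool
{
    $m = buildContactMail($form);
    if ($m === null) {
        return false;
    }
    return mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

// Constructed sample submissions: a normal one and one carrying a line break.
$clean = ['name' => 'Simon', 'email' => 'simon@example.com',
          'subject' => 'Question', 'message' => 'Hello'];
$bad   = ['name' => "Simon\r\nBcc: other@example.com", 'email' => 'simon@example.com',
          'subject' => 'Question', 'message' => 'Hello'];

var_dump(buildContactMail($clean) !== null); // bool(true)
var_dump(buildContactMail($bad) !== null);   // bool(false)
```

Because every user-supplied value that reaches a header has been refused if it contains a line break, the keyword list no longer has to be complete; it only catches someone who pastes a header line without the break.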
