Posted by Gordon Burditt on 10/17/73 11:41
>$Name = $HTTP_POST_VARS['Name'];
>
>$email = preg_replace( '/[\r\n]/', '', $email );
>
>$email = $HTTP_POST_VARS['email'];
Anything the preg_replace call did, the above line undoes.
>$subject = "Message From us";
>$message = $HTTP_POST_VARS['comments'];
>
>if I added the second line - the form still works but that doesn't seem
>to fix the problem you mention above? or does it?
If someone is trying to abuse your web page, DO NOT SEND MAIL AT ALL.
And preferably the output result page should consist only of cusswords.
Or at least do not use any part of a tricked-up $email in the
headers. And preferably block any more accesses from that IP
address.
Gordon L. Burditt
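
The advice in the reply above, as an added example that is not part of the original post: the values are read first and checked afterwards, and a submission with a line break in a header field is dropped without sending any mail. It assumes `$_POST` in place of `$HTTP_POST_VARS`; the function names and the recipient address are hypothetical.

```php
<?php
// Added example, not from the thread. Field names follow the quoted form;
// the function names and the recipient address are hypothetical.

// True if a value bound for a mail header carries CR, LF or NUL.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns [to, subject, body, headers] for mail(), or null when the
// submission must be dropped without sending anything.
function build_mail(array $post): ?array
{
    // Read the raw values FIRST, then check them. A check placed before
    // the assignment (as in the quoted code) is undone by the assignment.
    $name     = $post['Name'] ?? null;
    $email    = $post['email'] ?? null;
    $comments = $post['comments'] ?? null;
    if (!is_string($name) || !is_string($email) || !is_string($comments)) {
        return null;                       // missing field or array value
    }

    // Reject rather than repair: a line break in a header field is abuse.
    if (has_header_break($name) || has_header_break($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $to      = 'webmaster@example.invalid';   // placeholder recipient
    $subject = 'Message From us';
    // The body is not a header, so $name and $comments go there verbatim.
    $body    = "Name: $name\nEmail: $email\n\n$comments";
    $headers = 'Reply-To: ' . $email;         // only the validated address
    return [$to, $subject, $body, $headers];
}

$mail = build_mail($_POST);
if ($mail === null) {
    // No mail at all; log the source address so it can be blocked.
    error_log('mail form rejected, client ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Rejected.');
}
mail(...$mail);
```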