Posted by Jerry Stuckle on 04/28/06 15:16

Martin Jay wrote:
> In message <XMednXc-99BGnM_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
> <jstucklex@attglobal.net> writes
>
>> Martin Jay wrote:
>>
>>> Okay, that's good.
>>> So in your HTML you'll have something like the:
>>> <select name="subject">
>>> <option value="Subject 1" SELECTED>Subject 1</option>
>>> <option value="Subject 2">Subject 2</option>
>>> <option value="Subject 3">Subject 3</option>
>>> </select>
>>> Just POST that off to your PHP script and then use the mail command:
>>> $subject = $_POST['subject'];
>>> /* It's probably a good idea to include this so you don't end up
>>> with \'
>>> and \" in the subject */
>>> $subject = stripslashes($subject);
>>> mail($to, $subject, $message);
>
>
>> Do this and you will be ripe for becoming a spam relay. At a minimum
>> you need to ensure there are no newline characters in the input.
>
>
> Please explain why.


Google "Email injection" for a lot more info. But basically - the user could
enter something like:

This is a spammer subject
bcc: john@example.com, tom@example.com

And so on. Quit easy to do - and used by a lot of spammers. Unsecured scripts
are used by a lot of spammers. Try another search on

spam formmail

And see what pops up.




--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]