05-15-2008, 02:08 AM · #9
qbert220
Originally Posted by pchip
$headers = 'From: contact@xyznet' .
'Received: contact@xyznet' .
'Reply-To: contact@xyznet' . "\r\n";



You need "\r\n" after each header line, so it should look like:

Code:
$headers = 'From: contact@xyznet' . "\r\n" . 'Received: contact@xyznet' . "\r\n" . 'Reply-To: contact@xyznet' . "\r\n";


Be very, very careful if you are allowing any user input (GET, POST, COOKIE etc.) to affect the arguments to your mail function call. Obviously, allowing a user to set the "to:" field would be bad. A common spammer trick is to put "\r\n" into a "subject:" or "from:" field. The mailer then takes the part after the "\r\n" as a new header (which could be a "to:", "cc:" or "bcc:" header) and this can be used to abuse the form. Many (most?) hosts will protect against this type of attack now, but there is a chance that yours (or someone else's, if you give the script to them) will not.
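
An added example, not part of qbert220's post: one way to refuse line breaks in user-supplied values before they reach the mail function, so the script does not depend on the host's protection. The function names and sample inputs are constructed for illustration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; safe_header_value() and build_contact_mail() are hypothetical names.

/** Refuse any value that could start a new header line. */
function safe_header_value(string $value): string
{
    // CR, LF and NUL must never reach a header: reject instead of stripping silently.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('Line break in header value');
    }
    return trim($value);
}

/** Build the arguments for mail() from a contact form submission. */
function build_contact_mail(string $fromEmail, string $subject, string $body): array
{
    $replyTo = safe_header_value($fromEmail);
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    // Each header line ends with "\r\n", as in the corrected code in the post.
    $headers = 'From: contact@xyznet' . "\r\n" .
               'Reply-To: ' . $replyTo . "\r\n";
    return [
        'to'      => 'contact@xyznet',            // fixed recipient, never user input
        'subject' => safe_header_value($subject), // the subject is a header too
        'body'    => $body,
        'headers' => $headers,
    ];
}

// Constructed sample submissions: one clean, two carrying an embedded "\r\n".
$samples = [
    ['alice@example.com', 'Question about pricing'],
    ["alice@example.com\r\nBcc: other@example.net", 'Hi'],
    ['alice@example.com', "Hi\r\nBcc: other@example.net"],
];
foreach ($samples as [$from, $subject]) {
    try {
        $m = build_contact_mail($from, $subject, 'Message text');
        // mail($m['to'], $m['subject'], $m['body'], $m['headers']);
        echo 'accepted: ', json_encode($m['subject']), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first sample is accepted; the other two are rejected before any header string is built.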

