Worrying about email injection attacks
A bit new to php and security considerations and over magic quotes,
stripslashes, escape, unescape etc etc.
But, can someone either confirm for me or not whether you can get an
injection attack into the actual message part of an e-mail?
My plan for my contact form will be to just put everything into the message
and not use the header parameter in the mail() function at all.
So the $_POST['email'] from the form goes into "EMail: $email" in the
MESSAGE.
Is that safe or still vulnerable? Do I need to get my head round all the
escaping and magic quotes or not??
Dave
On Fri, 20 Oct 2006 14:38:23 +0100, "Dave" <dave5398@btinternet.com>
wrote:
>A bit new to php and security considerations and over magic quotes,
>stripslashes, escape, unescape etc etc.
>
>But, can someone either confirm for me or not whether you can get an
>injection attack into the actual message part of an e-mail?
Confirmed that you cannot do it. The practice generally known as
header injection is named as such because the injection must take
place inside the headers. Once the header block completes and the
message body begins, it's impossible to do anything that will alter
the destination of the message.
>My plan for my contact form will be to just put everything into the message
>and not use the header parameter in the mail() function at all.
>
>So the $_POST['email'] from the form goes into "EMail: $email" in the
>MESSAGE.
>
>Is that safe or still vulnerable? Do I need to get my head round all the
>escaping and magic quotes or not??
That's safe.
hth
-
Remove mypants to email.
<http://www.shaunc.com/>
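The approach the reply endorses, written out as an added example (not code from either poster): a contact-form handler that validates the submitted address, places every user-supplied value in the message body only, and never passes form data into the headers argument of mail(). The $_POST field names, the recipient address and the helper names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Keeps form input out of the
// mail() header block entirely; $_POST field names, CONTACT_RECIPIENT
// and helper names are assumptions for illustration.

declare(strict_types=1);

const CONTACT_RECIPIENT = 'webmaster@example.com'; // placeholder recipient

/** True if a value contains CR or LF; such a value must never reach a header. */
function containsLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** Returns a validated address, or null if the submitted value is not acceptable. */
function cleanEmailField(string $value): ?string
{
    $value = trim($value);
    // FILTER_VALIDATE_EMAIL rejects addresses containing CR, LF and other
    // characters that are illegal in an address.
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/**
 * Builds the message body. Every user value lands here, never in a header,
 * so line breaks in the text cannot change where the message is delivered;
 * only the length is bounded.
 */
function buildContactBody(string $name, string $email, string $comments): string
{
    $body  = "Name: " . mb_substr($name, 0, 200) . "\n";
    $body .= "EMail: " . $email . "\n\n";
    $body .= "Comments:\n" . mb_substr($comments, 0, 5000) . "\n";
    return $body;
}

/**
 * Only if a Reply-To header is wanted later: returns the header string, or
 * null if the value could not safely be placed in the header block.
 */
function replyToHeader(string $email): ?string
{
    if (containsLineBreak($email) || cleanEmailField($email) === null) {
        return null;
    }
    return "Reply-To: " . $email;
}

function handleContactForm(array $post): bool
{
    $name     = (string) ($post['name'] ?? '');
    $comments = (string) ($post['comments'] ?? '');
    $email    = cleanEmailField((string) ($post['email'] ?? ''));

    if ($email === null) {
        return false; // reject the submission rather than mail an invalid address
    }

    // Fixed subject and no headers argument: nothing from the form reaches
    // the header block, which is the only place injection can redirect mail.
    $subject = 'Contact form submission';
    $body    = buildContactBody($name, $email, $comments);

    return mail(CONTACT_RECIPIENT, $subject, $body);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo handleContactForm($_POST) ? 'Thanks, your message was sent.' : 'Invalid submission.';
}
```

The handler calls mail() with three arguments, so the headers argument is never built from form data, which is exactly the situation the reply calls safe. The replyToHeader() helper is included only to show the check that becomes necessary the moment a user value is allowed into a header: a value containing CR or LF is refused outright. Magic quotes and stripslashes address quoting for SQL and similar contexts; they play no part in whether a header can be injected.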