There is no substitute for good data verification such as strip_tags() or
some regular expressions to limit valid input. I also would recommend
checking the referrer to be sure someone doesn't hijack your form and try to
modify it and submit it from a remote location. Here is an example:

<?php
// Reject the request when the Referer header is missing or not one of ours.
if (validReferrer() === false)
 die("invalid referrer");

function validReferrer()
{
 $_valid_referrers =
array("www.yoursite.com","www2.yoursite.com","yoursite.com");
 // The browser may omit the Referer header entirely; treat that as invalid.
 if (empty($_SERVER['HTTP_REFERER']))
  return false;
 // Pull just the host part out of the URL (scheme, path and query ignored).
 $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
 if ($host === false || $host === null)
  return false;
 return in_array(strtolower($host), $_valid_referrers, true);
}

Jim Grill
Support
Web-1 Hosting
http://www.web-1hosting.net
----- Original Message -----
From: "Dennis Gearon" <[EMAIL PROTECTED]>
To: "Bob Lockie" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, July 27, 2002 10:54 PM
Subject: Re: [PHP] php 'mail()' security


> What I meant was, how to sanitize the input on the forms so that
> malicious stuff cannot be put as commands, etc. in the email address, or
> body, or 'extra' field of the 'mail()' function in PHP.
> --
> -----------------------------------------------------------------
> Joy is just a thing (to be).. raised on,
> Love is just the way to Live and Die,
> John Denver.
> -----------------------------------------------------------------
> He lost a friend, but kept his Memory (also John Denver),
> Thank you...John Corones...my friend always.
> -----------------------------------------------------------------
> Look lovingly upon the present,
> for it holds the only things that are forever true.
> -----------------------------------------------------------------
> Sincerely, Dennis Gearon (Kegley)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
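As an added example, not part of the original messages, here is one way to apply the validation step asked about in the thread to the fields that end up in mail(): header-bound values (the address, the subject, anything that goes into the fourth "extra" argument) are rejected outright if they carry a line break, since a CR or LF there is read by the mail system as the start of another header, and the address is checked for shape before use. The field names $_POST['email'], $_POST['subject'] and $_POST['message'] and the function names are assumptions.

```php
<?php
// Added example: validate form input before it reaches mail().
// Header-bound values must contain no line breaks at all; the body may.

function cleanHeaderField(string $value, int $maxLen = 200): ?string
{
    $value = trim($value);
    // Reject rather than strip: a CR, LF or NUL in a header field is never legitimate.
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

function cleanEmailAddress(string $value): ?string
{
    $value = cleanHeaderField($value, 254);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

function cleanBody(string $value, int $maxLen = 10000): string
{
    // Normalise line endings and drop any markup from the free-text body.
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    return substr(strip_tags($value), 0, $maxLen);
}

// Constructed usage; the form field names are assumptions.
$from    = cleanEmailAddress($_POST['email']   ?? '');
$subject = cleanHeaderField($_POST['subject']  ?? '');
$body    = cleanBody($_POST['message']         ?? '');

if ($from === null || $subject === null) {
    die("invalid input");
}

// The "extra" argument is built only from values that passed cleanHeaderField();
// the visitor never supplies raw header lines.
$headers = "From: " . $from . "\r\n" . "Reply-To: " . $from . "\r\n";
mail('webmaster@yoursite.com', $subject, $body, $headers);
```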
