HTTP_REFERRER can be spoofed quite easily with some browsers. 

The best way to handle this is to provide as much of your own data as
possible, and validate anything you do end up using from the user.

For instance, use your own subject, make sure the To: address comes from
you (a file or database, whatever), etc... Make sure anything coming
from the user, that you put into the headers, subject, from, reply-to,
etc... does not have any line breaks. A simple str_replace or something to
remove them, or pop up an error if they are there, will work.

The less user data you can use the better. It gives them less of a
chance to insert extra headers, which is pretty much the only threat. If
there's a possibility of the email not being shown as plain text, then
you'll want to use strip_tags() like others mentioned.

---John Holmes...
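One way to apply the advice above in code (an added example, not from the original post): the To: address and subject are fixed server-side, and every user-supplied value that goes into a header is rejected if it contains a line break. The function name, the form field names and the addresses are assumptions.

```php
<?php
// Added example, not from the thread. send_contact_form(), the $_POST
// field names and the addresses are assumptions for illustration.

// True when the value cannot start a new header line (no CR or LF).
function is_single_line($value)
{
    return is_string($value) && preg_match('/[\r\n]/', $value) === 0;
}

function send_contact_form(array $post)
{
    // Recipient and subject come from us, never from the form.
    $to      = 'webmaster@example.com';
    $subject = 'Contact form submission';

    $name  = isset($post['name'])  ? trim($post['name'])  : '';
    $email = isset($post['email']) ? trim($post['email']) : '';
    $body  = isset($post['body'])  ? $post['body']        : '';

    // Anything that lands in a header must be a single line;
    // refuse the submission instead of silently repairing it.
    if (!is_single_line($name) || !is_single_line($email)) {
        return false;   // caller tells the user the input was invalid
    }
    // The reply address must also parse as one plain mailbox.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // From: is our own address; the user's address is only used for Reply-To.
    $headers  = "From: Contact Form <noreply@example.com>\r\n";
    $headers .= "Reply-To: " . $email . "\r\n";

    // The message is plain text; strip tags in case a client renders HTML.
    $text = strip_tags($body);
    $message = "Name: " . $name . "\n\n" . $text;

    return mail($to, $subject, $message, $headers);
}
```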

> -----Original Message-----
> From: Tech Support [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 28, 2002 10:57 AM
> To: Dennis Gearon; Bob Lockie
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] php 'mail()' security
> 
> There is no substitute for good data verification such as strip_tags()
> or some regular expressions to limit valid input. I also would recommend
> checking the referrer to be sure someone doesn't hijack your form and
> try to modify it and submit it from a remote location. Here is an example:
> 
> if (validReferrer() === false)
>     die("invalid referrer");
> 
> function validReferrer()
> {
>     $_valid_referrers =
>         array("www.yoursite.com", "www2.yoursite.com", "yoursite.com");
>     // No referrer header at all is treated as invalid
>     if (empty($_SERVER['HTTP_REFERER']))
>         return false;
>     // Collapse "//" so the host is the second '/'-separated part
>     $referer = str_replace('//', '/', $_SERVER['HTTP_REFERER']);
>     $ref = explode('/', $referer);
>     if ( isset($ref[1]) && in_array($ref[1], $_valid_referrers) )
>         return true;
>     else
>         return false;
> }
> 
> Jim Grill
> Support
> Web-1 Hosting
> http://www.web-1hosting.net
> ----- Original Message -----
> From: "Dennis Gearon" <[EMAIL PROTECTED]>
> To: "Bob Lockie" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Saturday, July 27, 2002 10:54 PM
> Subject: Re: [PHP] php 'mail()' security
> 
> 
> > What I meant was, how to sanitize the input on the forms so that
> > malicious stuff cannot be put as commands, etc. in the email
> > address, or body, or 'extra' field of the 'mail()' function in PHP.
> > --
> > -----------------------------------------------------------------
> > Joy is just a thing (to be).. raised on,
> > Love is just the way to Live and Die,
> > John Denver.
> > -----------------------------------------------------------------
> > He lost a friend, but kept his Memory (also John Denver),
> > Thank you...John Corones...my friend always.
> > -----------------------------------------------------------------
> > Look lovingly upon the present,
> > for it holds the only things that are forever true.
> > -----------------------------------------------------------------
> > Sincerely, Dennis Gearon (Kegley)


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
