Hi Bob,
I substitute a * for any invalid character:
$raw = preg_replace('/[EMAIL PROTECTED]/', '*', $raw);
Trim, lowercase and max length done first.

Then when I check the email format, it throws it out.

But, if you're already doing this, they must be bypassing your checking routine?
If you record them, it would be interesting to see what they're putting in, so 
it can be stopped.
Bob E.


----- Original Message ----- 
From: "Bob Sawyer" <[EMAIL PROTECTED]>
To: "PHP List" <php-list@yahoogroups.com>
Sent: Friday, April 28, 2006 1:44 AM
Subject: [php-list] Blocking PHP insertion into mail() routines


> Some spammer has figured out that a form on our site is ripe for
> inserting their own headers and what-not into, despite my best efforts
> to prevent that sort of thing. How can I shore up and secure the mail()
> routine in my script so that this kind of thing is stopped?
> 
> My script checks for \r and \n chars that might be inserted into the
> "To", "From", and other common header fields. If that char is found, it
> exits the script. It also checks the email address against a regex for
> unallowed characters and malformed addresses. Yet, the spam is still
> coming through.
> 
> Can anyone recommend a surefire way of blocking these insertions?
> 
> Thanks,
> Bob
> 
>
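
The following is an added example, not code from either poster. It sketches one way to apply the checks discussed in this thread (CR/LF rejection, `*` substitution, format validation) to every form value that reaches a header line passed to mail(). `RECIPIENT`, `build_mail()`, `has_header_break()` and the form field names are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. RECIPIENT, build_mail() and the
// form field names are hypothetical. Assumes PHP 7.1 or later.

const RECIPIENT = 'webmaster@example.com'; // fixed; never read from the form

// True if the raw value contains CR, LF or NUL anywhere.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns [to, subject, body, headers] for mail(), or null to reject.
function build_mail(array $form): ?array
{
    $email   = (string)($form['email'] ?? '');
    $name    = (string)($form['name'] ?? '');
    $subject = (string)($form['subject'] ?? '');
    $body    = (string)($form['message'] ?? '');

    // Check every value that ends up in a header line, before any cleanup.
    foreach ([$email, $name, $subject] as $field) {
        if (has_header_break($field) || strlen($field) > 100) {
            return null;
        }
    }

    $email = strtolower(trim($email));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Display name: replace anything outside a small set with '*'.
    $name = preg_replace('/[^A-Za-z0-9 .\'-]/', '*', trim($name));

    $headers = 'From: ' . RECIPIENT . "\r\n"
             . 'Reply-To: "' . $name . '" <' . $email . '>';
    return [RECIPIENT, trim($subject), $body, $headers];
}

// Constructed inputs: one ordinary submission, one with CRLF in the subject.
$good = ['email' => 'Visitor@Example.com', 'name' => 'A. Visitor',
         'subject' => 'Hello', 'message' => 'Hi there'];
$bad  = ['subject' => "Hello\r\nX-Injected: 1"] + $good;

var_dump(build_mail($good) !== null);
var_dump(build_mail($bad) === null);
```

Only when `build_mail()` returns an array are its four values handed to `mail($to, $subject, $body, $headers)`; the recipient is a constant, so no form value can change who receives the message.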

