PHP Rant: Email Header Injection

Anyone who uses PHP, please, please remember the importance of validating your form input. Of course, this applies to other languages too, but PHP users tend to be the worst for this...

Leaving the evils of register_globals for an entirely separate rant, consider the example code below:

$mailto = "person@example.com";
$mailsubject = "Contact Form";
// With register_globals these arrive as $mailfrom / $mailbody directly; without it, the same
// unvalidated values are read from the form. Either way nothing checks them.
$mailfrom = $_POST['mailfrom'];
$mailbody = $_POST['mailbody'];
$xHeaders = "From: $mailfrom";   // user input pasted straight into a mail header
mail ( "$mailto", "$mailsubject", "$mailbody", $xHeaders );

In this example, even though you're setting the 'To' address yourself, the 'From' value goes straight into the extra headers. Any spammer can set it to 'spammer@domain.com\n To:spamvictim@other.com'; the injected newline starts a new header line, and the form will happily send out the spam to whoever they like.

Please validate form variables. A simple check for "valid" email address characters here would solve the problem.
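As an added example (not code from the original post), here is the same contact form with the header-bound field validated before it reaches mail(). The function names (is_safe_header_value, validate_sender, build_contact_headers, send_contact_form) and the sample inputs are assumptions made for this illustration; the check goes slightly beyond "valid characters" by rejecting the CR, LF and NUL bytes that let a value break out of its header line, and by refusing to send rather than sanitising silently.

```php
<?php
// Added example, not code from the original post. Names and sample values are assumptions.

// A single address never legitimately contains CR, LF or NUL; any of them
// means the value could terminate the From: line and start another header.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Accept only a syntactically valid address with no header-breaking characters.
// Returns the cleaned address, or null if the input must be rejected.
function validate_sender(string $from): ?string
{
    $from = trim($from);
    if (!is_safe_header_value($from)) {
        return null;
    }
    $valid = filter_var($from, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Build the extra-headers string only from a validated sender, so no untrusted
// newline can append To:, Cc: or Bcc: lines of the attacker's choosing.
function build_contact_headers(string $from): ?string
{
    $sender = validate_sender($from);
    if ($sender === null) {
        return null;
    }
    return "From: $sender\r\n";
}

// The hardened equivalent of the vulnerable snippet in the post.
function send_contact_form(string $from, string $body): bool
{
    $mailto      = "person@example.com";
    $mailsubject = "Contact Form";
    $xHeaders    = build_contact_headers($from);
    if ($xHeaders === null) {
        // Record the rejection for monitoring (without echoing the raw input) and refuse to send.
        error_log("contact form: rejected sender address, not sending");
        return false;
    }
    // The body is not a header, so newlines there are harmless; only the headers needed guarding.
    return mail($mailto, $mailsubject, $body, $xHeaders);
}

// Constructed sample inputs: one legitimate sender and one injection attempt
// of the shape described in the post.
$legit  = "alice@example.org";
$attack = "spammer@domain.com\n To:spamvictim@other.com";

var_dump(validate_sender($legit));
var_dump(validate_sender($attack));
```

Rejecting the request outright, and logging that it happened, is deliberate: stripping the newlines and sending anyway would hide an obvious signal that the form is being probed, and a legitimate user never needs a newline in their address.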


Contact: site@spod.cx