Security Question
From: Jim McCree (jmcree_at_somewhere.net)
Date: 01/30/05
- Next message: DaRemedy: "Re: Poll and filesize help"
- Previous message: roll: "need help with timestamp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 30 Jan 2005 09:54:20 -0500
I have a simple feedback-like form with 3 fields.
When the form is posted, the data from the form is sent directly to an
e-mail address using the mail function:
- $to and $subject are hardcoded
- $formfield1, 2, 3 come from the form, without any "cleansing" and
are used to create the message body.
// construct mail
$to = "blah@blah.com";
$subject = "Blah";
// $formfield1..3 hold the posted form values (used as-is, no cleansing).
// Double quotes are needed here: inside single quotes PHP leaves "\n" as a
// literal backslash-n, so the three fields would land on one line.
$message = sprintf("Field1 = %s\nField2 = %s\nField3 = %s",
    $formfield1, $formfield2, $formfield3);
// send it
mail($to, $subject, $message);
Since I'm not sending the data to the database, it doesn't make sense
to safe-escape quotes; otherwise I'll see things like "Joe\'s Bar"
showing up in the e-mail.
My question is, is there any way that something like this could be
exploited by a client?
Jim
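The check a reviewer would want next to the form handler above, as an added example and not Jim's code: with $to and $subject hardcoded the fields only ever reach the message body, so the main concerns are control characters and size; any value that is later placed in a mail header (a "From" or "Reply-To" taken from the form, say) must additionally contain no line break, because a CR or LF ends the header it sits in. The field names, recipient and the use of mbstring are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes mbstring is
// available and that the form posts formfield1..3.

// Body text: keep real newlines and tabs (the user may paste a message),
// normalise CRLF/CR to LF, drop every other control character and cap
// the length so a client cannot flood the mailbox. Quotes are untouched,
// so "Joe's Bar" arrives exactly as typed.
function body_safe(string $value, int $max = 2000): string
{
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    // [^\P{C}\n\t] = a control character that is neither LF nor TAB
    $value = preg_replace('/[^\P{C}\n\t]/u', '', $value) ?? '';
    return mb_substr($value, 0, $max);
}

// Header values (Subject, From, Reply-To, ...): a single CR or LF would
// terminate the header line, so reject the value instead of repairing it.
function header_safe(string $value, int $max = 200): ?string
{
    if (preg_match('/\p{C}/u', $value)) {   // covers \r, \n and other controls
        return null;
    }
    return mb_substr(trim($value), 0, $max);
}

function build_message(array $post): string
{
    $f1 = body_safe((string) ($post['formfield1'] ?? ''));
    $f2 = body_safe((string) ($post['formfield2'] ?? ''));
    $f3 = body_safe((string) ($post['formfield3'] ?? ''));
    return sprintf("Field1 = %s\nField2 = %s\nField3 = %s", $f1, $f2, $f3);
}

// Recipient and subject stay hardcoded, as in the original post.
$to      = 'blah@blah.com';
$subject = 'Blah';
$message = build_message($_POST);

// If a sender address is ever taken from the form, it must pass header_safe()
// before it goes into the headers argument of mail().
$from = header_safe((string) ($_POST['email'] ?? ''));
$headers = $from !== null && filter_var($from, FILTER_VALIDATE_EMAIL)
    ? "Reply-To: $from\r\n"
    : '';

mail($to, $subject, $message, $headers);
```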