Re: query string passing woes........ help... please....
- From: "J.O. Aho" <user@xxxxxxxxxxx>
- Date: Wed, 28 Feb 2007 22:40:52 +0100
rcoan@xxxxxxxxxxxxxxxxxx wrote:
Ok, now on to security measures.... Could someone explain to me what
this code does, how it secures the emails and where in my code I
should implement it?
I'll make a try... I guess Steve will say something if I don't manage...
$emailInput = array($to, $from, $cc, $bcc, $subject, $message);
The $emailInput is an array of all the data sent with the form, I think
the variables do explain themselves quite well.
$injections = array('to', 'from', 'cc', 'bcc');
Here we create another array with mail headers that often are injected; I
think I would have included 'reply-to' in the array too.
foreach ($emailInput as &$input) // by reference, so the cleaned value is written back into $emailInput
foreach works kind of like a for loop; it loops through the $emailInput
array, and each cell will have a temporary alias $input.
{
foreach ($injections as $injection)
This works the same way, but this is for the headers that could have
been injected. This is a loop inside another loop.
{
$input = preg_replace("/\n?" . $injection . "\s*?:.*?\n/i", '', $input);
Here we say that we want to replace the injected header with an
empty string; the source is $input (alias for a cell in
$emailInput), and we store it back without the injected headers.
}
}
When you are here, $emailInput has been cleared of the To:, From:, Cc:
and Bcc: headers that someone may have injected with the use of the form.
list($to, $from, $cc, $bcc, $subject, $message) = $emailInput;
Here we store the values back into the variables you had in the
beginning, but now without the injected headers.
--
//Aho
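As an added example (not code from the thread or its participants), the stripping loop discussed above is wrapped in a function, with the `&` that actually writes the cleaned value back into the array, next to a stricter check that simply refuses any header field containing a line break. It assumes PHP 7 or later; the addresses and field values are constructed for illustration.

```php
<?php
// Added example, not from the thread. Sample values are constructed.

// The header-stripping approach from the post: remove known injected headers.
function stripInjectedHeaders(array $emailInput): array
{
    $injections = array('to', 'from', 'cc', 'bcc', 'reply-to');
    // & is required: without it the result of preg_replace is lost as the loop moves on.
    foreach ($emailInput as &$input) {
        foreach ($injections as $injection) {
            $input = preg_replace("/\n?" . $injection . "\s*?:.*?\n/i", '', $input);
        }
    }
    unset($input); // break the reference so later use of $input cannot alter the array
    return $emailInput;
}

// Stricter alternative for single-line header fields (To, From, Cc, Bcc, Subject):
// a CR or LF can never be part of a legitimate address or subject, so refuse the value.
function headerFieldIsClean(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Constructed sample: the "from" field carries an extra Bcc: header on a second line.
$fields = array(
    'me@example.com',                                 // to
    "visitor@example.com\nBcc: someone@example.net\n", // from
    '',                                               // cc
    '',                                               // bcc
    'Hello',                                          // subject
    "Body text\n",                                    // message
);

list($to, $from, $cc, $bcc, $subject, $message) = stripInjectedHeaders($fields);
echo $from === 'visitor@example.com' ? "stripped ok\n" : "strip failed\n";

// The stricter check rejects the same field outright instead of repairing it.
echo headerFieldIsClean($fields[1]) ? "clean\n" : "rejected: header field contains a line break\n";
```

Stripping only known header names leaves any header not on the list untouched, which is why the rejection check is the safer default for fields that are supposed to be a single line.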