Rhonda's Blog                    

Fri, 10 Feb 2006

PHP mail() Considered Harmful

I know myself that picking up unparsed user data is evil. But we also all know that the usual webpage and mailer script coder isn't thinking. And to my knowledge PHP's mail() function is the only one perverted enough to parse the extra headers for additional recipients, on top of the explicitly given recipient list: by default it pipes the whole message into sendmail -t -i, and -t tells the MTA to take the recipients from the To:, Cc: and Bcc: headers of the message it is handed, not from anything PHP passes on the command line. Yes, you read right. Often enough people use things like mail("myown@addre.ss", "subject", $body, "From: {$_POST['name']} <{$_POST['email']}>") without thinking about it, because there is this extra to field anyway. Right?
Wrong! Spammers will come and send things like email="some@jo.ke\nBcc: my@sp.am, list@is.bigg.er, than@you.rs", and every address behind the injected Bcc: line gets the mail. People who put up such webmail scripts usually don't notice it anyway; they just delete the spam right away, not realising that it was an abuse of their form. And the ISP has to deal with getting the system off the blacklists again...
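The pattern from the post next to a hardened version, as an added example that is not code from the original post. The $_POST data is constructed to match the injection described above; the function names, the exception class and the addresses are assumptions for illustration. The vulnerable version is only here to show what gets handed to the MTA, so it is not called.

```php
<?php
// Added example, not from the original post. Constructed attacker input:
// a real-looking address followed by a newline and a Bcc: header.
$_POST = [
    'name'  => 'Some Joker',
    'email' => "some@jo.ke\nBcc: my@sp.am, list@is.bigg.er, than@you.rs",
];

// Vulnerable (the pattern from the post): header values are interpolated
// unchecked. PHP's default sendmail_path is "sendmail -t -i"; with -t the
// MTA collects recipients from the To:/Cc:/Bcc: headers of the message it
// receives, so the injected Bcc: line turns into real recipients.
function send_contact_mail_vulnerable(string $body): bool {
    $headers = "From: {$_POST['name']} <{$_POST['email']}>";
    return mail("myown@addre.ss", "subject", $body, $headers);
}

// Hardened: every header value is refused if it carries CR, LF or NUL, and
// the address must validate as a single mailbox. Hypothetical exception
// class and helper names.
class HeaderInjection extends RuntimeException {}

function header_value(string $value): string {
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new HeaderInjection("CR/LF in header value");
    }
    return $value;
}

function mailbox(string $address): string {
    $address = header_value($address);
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new HeaderInjection("not a single valid address: $address");
    }
    return $address;
}

function send_contact_mail_hardened(string $body): bool {
    // Keep From: under our own control and put the visitor's address in
    // Reply-To:, so the form never sends as an arbitrary sender anyway.
    $name  = header_value($_POST['name']);
    $name  = preg_replace('/[^\w .\'-]/', '', $name); // nothing that needs quoting
    $reply = mailbox($_POST['email']);
    $headers = "From: Contact form <form@addre.ss>\r\n"
             . "Reply-To: \"$name\" <$reply>";
    return mail("myown@addre.ss", "subject", $body, $headers);
}

// With the constructed input above, the hardened version refuses the
// address before mail() is ever called.
try {
    send_contact_mail_hardened("hello");
    echo "sent\n";
} catch (HeaderInjection $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The CR/LF check is the one that actually closes the hole; the address validation is a second line of defence that also catches the case where filter_var would already reject the value. Rejecting rather than stripping is deliberate: a stripped newline silently turns "some@jo.keBcc: my@sp.am" into one odd string and hides that someone probed the form, whereas an exception can be logged and counted.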

At least none of the hosts on which customers are able to put up such scripts directly affects our own mail system; it's just the shared hosts they use... Still, deadly annoying. And then people claim that such misfeatures aren't a problem in PHP but in the coders? If it were at least documented in the description of the function... but if one can claim that it is at all, it is at most very vaguely hinted at.

/debian | permanent link | Comments: 0

©opyright 1999++ by Rhonda