dazmond Posted November 28, 2005

Hello

Just a quick question. I was reading the latest email from TCH about the spam abuse through PHP email scripts. I did have a PHP script on my account and I am unsure if it was safe. The script was accessed through a Flash movie and was just up there for testing purposes. The script I used is as follows:

```php
<?php
$to = 'david@example.com';
$subject = 'Feedback from Flash site';
$message = 'From: '.$_POST['from']."\n\n";
$message .= 'Email: '.$_POST['email']."\n\n";
$message .= 'Address: '.$_POST['snail']."\n\n";
$message .= 'Phone: '.$_POST['phone']."\n\n";
$message .= 'Comments: '.$_POST['comments'];
// Additional headers are built straight from the POSTed data, unchecked
$additionalHeaders = "From: Flash feedback<feedback@example.com>\n";
$additionalHeaders .= "Reply-To: $_POST";
$OK = mail($to, $subject, $message, $additionalHeaders);
if ($OK) {
    echo 'sent=OK';
} else {
    echo 'sent=failed&reason='. urlencode('There seems to be a problem with the server. Please try later.');
}
?>
```

As I said previously, the POST arrays are sent via a Flash movie. Is this script left open to abuse if left on my account (I've taken it down just in case)? If so, SORRY. Any help would be fantastic.

Thanks
Daz :)
TCH-Bruce Posted November 28, 2005

Looking at your script I would say that it is NOT safe from header injection. Even though you have Flash posting the data, anyone that finds your script could pass data to it without using your Flash form. You can read up on Email Injection.
dazmond Posted December 2, 2005 (Author)

Right, if I amended the script as follows:

```php
$additionalHeaders = "From: Flash feedback<feedback@example.com>\n";
if (eregi("\r",$additionalHeaders) || eregi("\n",$additionalHeaders)){
    die("Why ?? ");
}
```

and then saved it within the private folder of my hosting space, would that resolve the problem? (I'm just learning PHP, as you may have guessed, ha.)

Thank you
Darren
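The following is an added example written for this thread, not code posted by either participant. It shows concretely why the first post's `Reply-To` header is injectable, as the second post says, and it applies the CR/LF check from the third post to the value that actually comes out of `$_POST` (the `email` field), since that is the only untrusted data that reaches the header block in the original script. Nothing is sent: the two functions return the header string that would be handed to `mail()`, and the attacker payload is constructed for the demo. The function names are this example's own.

```php
<?php
// Added example (not from the original thread). Demonstrates e-mail header
// injection in a mail() feedback script and one way to harden it.
// Run from the command line: php header_injection_demo.php

/**
 * Builds the additional headers the way the original script does:
 * a POSTed value is concatenated into the header block unchanged.
 */
function buildHeadersUnsafe(array $post): string
{
    $headers  = "From: Flash feedback<feedback@example.com>\n";
    $headers .= "Reply-To: " . ($post['email'] ?? '');   // untrusted, unchecked
    return $headers;
}

/**
 * Hardened version. The address is validated before it reaches a header,
 * and anything containing CR or LF (the characters that start a new header
 * line) is refused. Returns null when the request must be rejected.
 */
function buildHeadersSafe(array $post): ?string
{
    $email = $post['email'] ?? '';

    // A single syntactically valid address only; FILTER_VALIDATE_EMAIL
    // rejects embedded whitespace, CR and LF as part of that check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Belt and braces: never let a line break into any header value.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }

    return "From: Flash feedback<feedback@example.com>\r\n"
         . "Reply-To: " . $email;
}

// Constructed attacker input: nobody types this into the Flash form, but
// anyone who finds the script's URL can POST it directly (e.g. with curl).
$attack = [
    'email' => "victim@example.org\nBcc: target1@example.net, target2@example.net",
];
$legit = ['email' => 'alice@example.org'];

echo "--- unsafe, attacker input ---\n";
echo buildHeadersUnsafe($attack), "\n\n";   // the Bcc: line becomes a real header

echo "--- safe, attacker input ---\n";
var_dump(buildHeadersSafe($attack));        // NULL: request rejected

echo "--- safe, legitimate input ---\n";
echo buildHeadersSafe($legit), "\n";
```

The point of checking `$post['email']` rather than `$additionalHeaders` before the user value is appended is that the injected newline lives in the POSTed field; a check run on a constant string that does not yet contain that field can never fire. In the hardened function the rejected request should also not fall through to `mail()` at all, which is why it returns null instead of a partially built header.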