
php mail() remove CC, BCC and security

I'm new to Stack Overflow and couldn't find an answer to my question, which is: How do I secure my mail() code in PHP to prevent people from adding bcc, which would ultimately result in mass mailing? My website uses the PHP mail() service to email me when a new comment has been entered in my site. What is the best way to prevent people tampering with it, such as removing the bcc? What I have so far is:

function mres($input){
    if (get_magic_quotes_gpc()){
        $input = stripslashes($input);
    }
    return mysql_real_escape_string($input);
}
$name = strip_tags(mres($_POST['name']));
$comment = strip_tags(mres($_POST['comment']));

$to = 'myself@gmail.com';
$subject = 'Website - comment';
$body = 'A new comment has been entered on the website.'."\n\n"."$name".' said:         '."\n\n"."$comment";
mail($to,$subject,$body);

I would look at something like http://mailgun.com/

As it is, your mail will often end up in people's spam if you just use mail().

Assuming that this code is followed by:

mail($to, $subject, $body);

Then it's safe, if overkill -- the only arguments to mail() which are vulnerable to injection are the ones that control header fields ($to, $subject, and $additional_headers). strip_tags and mysql_real_escape_string are both unnecessary, and the latter will make apostrophes show up as \\' in your email.

If there's no following call to mail(), then it's trivially safe, because it doesn't do anything. :)
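Added example, not part of the original question or answers: a sketch of how a form could be handled if visitor input did reach the header-controlling arguments named above. It goes beyond the question's code, which only puts input in the body. The helper names, the Reply-To field and the name-in-subject layout are assumptions made for illustration, and the sample inputs are constructed.

```php
<?php
// Added example; header_value() and build_comment_mail() are hypothetical helpers.

// Reject any value destined for a header field if it contains CR or LF,
// since a line break lets the value start a new header line such as Bcc.
// NUL is rejected as well.
function header_value(string $value): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('line break in header value');
    }
    return trim($value);
}

// Build the arguments for mail(). $to is fixed by the site. The visitor's
// name goes into the subject and their address into Reply-To, so both are
// checked. The comment is body text and is passed through unchanged.
function build_comment_mail(string $name, string $replyTo, string $comment): array
{
    $replyTo = header_value($replyTo);
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid reply-to address');
    }
    $subject = 'Website - comment from ' . header_value($name);
    $body    = "A new comment has been entered on the website.\n\n"
             . "$name said:\n\n$comment";
    return ['myself@gmail.com', $subject, $body, 'Reply-To: ' . $replyTo];
}

// Constructed sample input: the second name carries an extra header line.
$samples = [
    ["O'Brien", 'visitor@example.com', "It's a nice site.\nSecond line."],
    ["Eve\r\nBcc: list@example.com", 'visitor@example.com', 'hello'],
];
foreach ($samples as [$name, $replyTo, $comment]) {
    try {
        [$to, $subject, $body, $headers] = build_comment_mail($name, $replyTo, $comment);
        echo "OK: would call mail() with subject \"$subject\"\n";
        // mail($to, $subject, $body, $headers);
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

The mail() call is left commented out so the script runs without a mail transport; the apostrophe and the line break in the first comment pass through untouched because they only reach the body.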
