Sunday, November 11, 2007

PHP Security: Sending an email

In this tutorial we'll speak about the dangers mail() brings with it.


You probably wouldn’t expect it, but the well-known function mail() is often a goldmine for spammers. In this tutorial we’ll talk about the danger of using mail() in your PHP-powered website.

Many websites have some sort of email form. But what many webmasters don’t know is that, with a little extra input, that simple form can be turned into a spammer’s base. When a field is meant to contain the email address of the sender or the receiver, the spammer can inject additional data into the email, because the sender and receiver addresses are placed in the email’s header. What this means is that the spammer can turn the email into one that is sent to numerous people and contains spam.
I will leave out the example, because it requires understanding some of the email protocol (or API, whatever you want to call it).

The remedy

The remedy is again very easy: the only thing you need to do is check whether the user has put a newline (\n) or carriage return (\r) into one of the email addresses.

The way most people do it is like this:

(code listing not preserved on the page)

Some other way people do it:

(code listing not preserved on the page)

The function chr() returns the character for the ASCII number passed as its argument. ASCII number 12 is newline (\n) and 15 is carriage return (\r). So these few lines replace the two unwanted ASCII characters with... nothing.
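Both remedies, written out as one complete example. This is an added example, not code from the original post; the function names and the sample inputs are made up for it. One thing to note for the chr() variant: the decimal ASCII codes that chr() needs for the line feed (\n) and the carriage return (\r) are 10 and 13, and those are the values used here. The example also applies the same check to the subject, because every value that ends up in the headers passed to mail() is exposed in the same way.

```php
<?php
// Added example (not the original post's code). Shows the check the tutorial
// describes: refuse, or strip, newline and carriage return characters in any
// value that will be placed in a mail header.

/**
 * First way: reject the value outright if it contains \r or \n.
 * Returns true when the value is safe to put in a header line.
 */
function isHeaderSafe(string $value): bool
{
    // strpbrk() returns false only when none of the listed characters occur.
    return strpbrk($value, "\r\n") === false;
}

/**
 * Second way: strip the two characters instead of rejecting the value.
 * chr(10) is the line feed "\n" and chr(13) is the carriage return "\r".
 */
function stripHeaderBreaks(string $value): string
{
    return str_replace(array(chr(10), chr(13)), '', $value);
}

/**
 * Stricter check for an address field: a single well-formed address,
 * which by itself excludes control characters.
 */
function isValidAddress(string $value): bool
{
    return isHeaderSafe($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Wraps mail() so that no unchecked value reaches the headers. Returns false
 * without calling mail() if any header field fails validation.
 * (hypothetical helper written for this example)
 */
function sendContactMail(string $to, string $from, string $subject, string $body): bool
{
    if (!isValidAddress($to) || !isValidAddress($from) || !isHeaderSafe($subject)) {
        return false;
    }
    $headers = 'From: ' . $from . "\r\n" . 'Reply-To: ' . $from;
    return mail($to, $subject, $body, $headers);
}

// Constructed sample inputs (not taken from the original post):
// a clean address and one with an extra header line smuggled in after a CRLF.
$clean    = 'alice@example.com';
$injected = "alice@example.com\r\nCc: someone-else@example.com";

// The clean address passes both checks; the injected one fails them, and
// stripping it leaves a string that is no longer a valid address.
var_dump(isHeaderSafe($clean));
var_dump(isHeaderSafe($injected));
var_dump(isValidAddress($injected));
var_dump(stripHeaderBreaks($injected));
```

Rejecting is preferable to stripping: after str_replace() the injected value above collapses into a single string that is neither the address the user typed nor a valid one, so if you do strip, validate the result afterwards (as isValidAddress() does) rather than trusting it.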

© 2007 Computer and software: PHP Security: Sending an emailIn | Design by Template Unik
