GSTAR
(Omzy83)
December 18, 2009, 11:57am
1
Is this sufficient or do I need to do anything else?
$to=$sendToFriend->friendemail;              // recipient comes from the form
$subject="Your Friend Recommended This Page";
$body="View Page: ".$sendToFriend->link;
$headers="From: ".$sendToFriend->username." <".$sendToFriend->useremail.">"; // user-supplied values placed in a mail header
mail($to,$subject,$body,$headers);
bsander
(Sanderb)
December 18, 2009, 12:10pm
2
As long as you validate all user input (CEmailValidator, CUrlValidator, etc.) I think you should be fine.
GSTAR
(Omzy83)
December 18, 2009, 12:16pm
3
Well this is what I have in my validation rules:
array('username', 'length', 'min'=>'3'),
array('username, useremail, friendemail', 'required'),
array('useremail, friendemail', 'email'),
GSTAR
(Omzy83)
December 18, 2009, 12:17pm
4
I’m basically trying to prevent header injection attacks as detailed here:
GSTAR
(Omzy83)
December 18, 2009, 3:01pm
5
Anyone able to advise regarding the above query?
notzippy
(Notzippy)
December 18, 2009, 4:13pm
6
By allowing the user to specify the "From" and placing that information in the header, you open yourself to this type of attack. The simple solution is NOT to put anything in the header; instead, put it all in the message body.
nz
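To make the point above concrete, here is an added example (not code from the original thread or from Yii) of how a CR/LF in the username field turns the header line from the first post into extra headers, next to one way of building the headers so that can no longer happen. The function names, the fixed site address and the attacker payload are all constructed for illustration.

```php
<?php
// Added example, not from the original thread or from Yii.
// Shows a CR/LF header-injection payload against the naive header line from
// the first post, and a hardened way to build the same headers.
// Names (build_naive_headers, build_safe_headers, assert_single_line,
// validate_email) and the address noreply@example.com are assumptions.

// Constructed attacker input: the "username" field carries CR LF sequences
// so that the mail server sees additional header lines.
$attackerName  = "Bob\r\nBcc: spam-target@example.com\r\nSubject: Buy now";
$attackerEmail = "bob@example.com";

// The pattern from the original post: raw user input goes straight into a header.
function build_naive_headers(string $name, string $email): string {
    return "From: " . $name . " <" . $email . ">";
}

// Reject any value that could terminate a header line (CR, LF or NUL).
function assert_single_line(string $value, string $field): string {
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("$field contains line breaks");
    }
    return $value;
}

// FILTER_VALIDATE_EMAIL rejects whitespace, CR and LF, so a valid address
// can never carry an injected header.
function validate_email(string $email, string $field): string {
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($ok === false) {
        throw new InvalidArgumentException("$field is not a valid address");
    }
    return $ok;
}

// Hardened construction: From is a fixed address the site controls; the
// user's name and address only appear in Reply-To, after validation, with the
// display name reduced to a conservative character set.
function build_safe_headers(string $name, string $email, string $siteFrom = 'noreply@example.com'): string {
    $email = validate_email($email, 'useremail');
    $name  = assert_single_line($name, 'username');
    $name  = preg_replace('/[^A-Za-z0-9 .\'\-]/', '', $name); // whitelist display-name characters
    $headers  = "From: Site Mailer <" . $siteFrom . ">\r\n";
    $headers .= "Reply-To: \"" . $name . "\" <" . $email . ">";
    return $headers;
}

// The naive version emits the attacker's Bcc: and second Subject: as real headers.
echo "Naive headers:\n" . build_naive_headers($attackerName, $attackerEmail) . "\n\n";

// The hardened version refuses the payload outright.
try {
    build_safe_headers($attackerName, $attackerEmail);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}

// And still produces sane headers for an honest user.
echo build_safe_headers("Alice O'Neil", "alice@example.com") . "\n";
```

Rejecting rather than silently stripping the line breaks is deliberate: a request that contains CR/LF in a name field is almost certainly an attack, and it is worth logging. The same single-line and address checks should be applied to friendemail, since that value becomes the envelope recipient passed to mail().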
GSTAR
(Omzy83)
December 22, 2009, 3:21pm
7
^ I’m not too convinced that is the best solution…
If you look at that link I’ve posted above it mentions a few applications that are not affected by this problem.
Because we are just using the standard PHP mail() function, I assume Yii does not provide any additional protection here?