December 18, 2009, 11:57am
Is this sufficient or do I need to do anything else?
$subject="Your Friend Recommended This Page";
$body="View Page: ".$sendToFriend->link;
$headers="From: ".$sendToFriend->username." <".$sendToFriend->useremail.">";
December 18, 2009, 12:10pm
As long as you validate all user input (CEmailValidator, CUrlValidator, etc.) I think you should be fine.
December 18, 2009, 12:16pm
Well this is what I have in my validation rules:
array('username', 'length', 'min'=>'3'),
array('username, useremail, friendemail', 'required'),
array('useremail, friendemail', 'email'),
December 18, 2009, 12:17pm
I’m basically trying to prevent header injection attacks as detailed here:
December 18, 2009, 3:01pm
Anyone able to advise regarding the above query?
December 18, 2009, 4:13pm
By allowing the user to specify the "from" and placing that information in the header, you open yourself to this type of attack. The simple solution is NOT to put anything in the header; instead, put it all in the message body.
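The approach suggested in the reply above, as an added example that is not part of the original thread or of Yii's own code. It shows the CRLF header-injection problem the thread is about and two defences: rejecting any CR/LF in values that will land in a mail header, and keeping the user-supplied name and address out of the From header entirely. The function names (is_header_safe, is_safe_email, send_to_friend_mail), the site address and the sample inputs are all constructed for illustration.

```php
<?php
// Added example (not from the original post or from Yii). Demonstrates why
// concatenating user input into mail() headers is dangerous and how to avoid it.

/**
 * True if $value can sit inside one header line: no CR, LF or NUL, so it
 * cannot end the line and start a new header such as "Bcc:".
 * Fails closed: a preg_match() error (false) also counts as unsafe.
 */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Address check: syntactically valid per filter_var() and free of line
 * breaks. A valid address never contains a raw CR/LF, so the email
 * validation alone already blocks the classic injection; the extra check
 * keeps the intent explicit.
 */
function is_safe_email(string $value): bool
{
    return is_header_safe($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Builds a send-to-friend message. From is fixed to the site's own address
 * ($siteFrom, assumed); the sender's name and address go into the body and
 * into a validated Reply-To instead of From. Subject is constant, so no
 * user data reaches it. Returns [$to, $subject, $body, $headers], or null
 * if the input is rejected, so the caller can decide whether to call mail().
 */
function send_to_friend_mail(array $in, string $siteFrom): ?array
{
    foreach (['username', 'useremail', 'friendemail', 'link'] as $k) {
        if (!isset($in[$k]) || !is_string($in[$k])) {
            return null;
        }
    }
    if (!is_safe_email($in['useremail']) || !is_safe_email($in['friendemail'])) {
        return null;                       // invalid address or CR/LF present
    }
    if (!is_header_safe($in['username']) || strlen($in['username']) < 3) {
        return null;                       // username is used in Reply-To
    }

    $subject = 'Your Friend Recommended This Page';

    // Everything the user typed is in the body, where a CRLF is harmless.
    $body = 'Recommended by: ' . $in['username'] . ' <' . $in['useremail'] . ">\r\n"
          . 'View Page: ' . $in['link'] . "\r\n";

    $headers = 'From: ' . $siteFrom . "\r\n"
             . 'Reply-To: ' . $in['username'] . ' <' . $in['useremail'] . ">\r\n";

    return [$in['friendemail'], $subject, $body, $headers];
}

// Constructed inputs: a normal submission and one carrying an injected Bcc.
$good = [
    'username'    => 'Alice',
    'useremail'   => 'alice@example.com',
    'friendemail' => 'bob@example.com',
    'link'        => 'https://example.com/page/1',
];
$evil = $good;
// This is the payload that, pasted into 'From: ' . $username . ' <' . $useremail . '>',
// would have appended a Bcc header to the message.
$evil['useremail'] = "alice@example.com\r\nBcc: spam-target@example.net";

$ok  = send_to_friend_mail($good, 'noreply@example.com');   // array: safe to pass to mail()
$bad = send_to_friend_mail($evil, 'noreply@example.com');   // null: rejected before mail()

if ($ok !== null) {
    [$to, $subject, $body, $headers] = $ok;
    // mail($to, $subject, $body, $headers);  // left commented so the example runs offline
}
```

Reply-To is the one place where user data still touches a header; it is only built after both values have passed the CR/LF and address checks. If you do not need replies to reach the recommender, drop that line and the headers contain nothing user-controlled at all.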
December 22, 2009, 3:21pm
^ I’m not too convinced that is the best solution…
If you look at that link I’ve posted above it mentions a few applications that are not affected by this problem.
Because we are just using the standard PHP mail() function, I assume Yii does not provide any additional protection here?