Is this sufficient or do I need to do anything else?
$to=$sendToFriend->friendemail;
$subject="Your Friend Recommended This Page";
$body="View Page: ".$sendToFriend->link;
$headers="From: ".$sendToFriend->username." <".$sendToFriend->useremail.">";
mail($to,$subject,$body,$headers);
As long as you validate all user input (CEmailValidator, CUrlValidator, etc.) I think you should be fine.
Well this is what I have in my validation rules:
array('username', 'length', 'min'=>'3'),
array('username, useremail, friendemail', 'required'),
array('useremail, friendemail', 'email'),
I’m basically trying to prevent header injection attacks as detailed here:
Anyone able to advise regarding the above query?
By allowing the user to specify the "from" and placing that information in the header you open yourself to this type of attack. The simple solution is NOT to put anything in the header, instead put it all in the message body
nz
^ I’m not too convinced that is the best solution…
If you look at that link I’ve posted above it mentions a few applications that are not affected by this problem.
Because we are just using standard php mail() function I assume Yii does not provide any additional protection here?