Tuesday, July 7, 2009

PHP E-mail Injections

First, look at the PHP code from the previous chapter:

<html>
<body>

<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
  //send email
  $email = $_REQUEST['email'] ;
  $subject = $_REQUEST['subject'] ;
  $message = $_REQUEST['message'] ;
  //the raw "email" value goes straight into the From: header
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
}
?>

</body>
</html>

The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.

What happens if the user adds the following text to the email input field in the form?

someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

The mail() function copies the text above into the mail headers unchanged, because each %0A is decoded to a line break and every line after it is read as a new header. The message now carries extra Cc:, Bcc:, and To: fields, so when the user clicks the submit button the e-mail is sent to every address listed above.
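A hardened version of the same handler, added here as an example and not taken from the post: every value that can reach a mail header is rejected if it contains a line break, and the sender address is checked with filter_var. The request array passed in and the function names are assumptions.

```php
<?php
// Added example, not the original post's code. Header values must be a single
// line; a CR or LF in them is what allows extra Cc:/Bcc:/To: headers to appear.

// Validate the user-supplied sender address. filter_var rejects values that
// contain CR/LF, spaces or more than one address. Returns null when invalid.
function validateSenderAddress(string $email): ?string
{
    $email = trim($email);
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Validate free text that will be placed in a header (e.g. the subject).
// Any CR, LF or NUL means the value could start a new header line.
function validateHeaderText(string $text, int $maxLen = 200): ?string
{
    if (preg_match('/[\r\n\0]/', $text) === 1 || strlen($text) > $maxLen) {
        return null;
    }
    return $text;
}

// Safe equivalent of the form handler. $request stands in for $_REQUEST
// (assumed to be URL-decoded already, so %0A has become a real "\n").
function handleMailForm(array $request): string
{
    $email   = validateSenderAddress($request['email'] ?? '');
    $subject = validateHeaderText($request['subject'] ?? '');
    $message = $request['message'] ?? '';
    if ($email === null || $subject === null) {
        return 'Invalid email address or subject';
    }
    // The recipient stays fixed; user input only reaches From: after validation.
    mail('someone@example.com', $subject, $message, "From: $email");
    return 'Thank you for using our mail form';
}

// Constructed sample: the injected field value from the post, as PHP sees it
// after decoding. validateSenderAddress() returns null for it, so the handler
// refuses to call mail() at all.
$injected = "someone@example.com\nCc:person2@example.com\nBcc:person3@example.com";
var_dump(validateSenderAddress($injected));
var_dump(validateSenderAddress('user@example.com'));
```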