
PHP Server Side Scripting Forum

Security of the mail() function

 11:09 pm on Jan 22, 2008 (gmt 0)

I am reviewing some of the form scripts on our site while also studying some topics regarding injected headers for security.

One thing I don’t quite understand and hopefully someone can shed some light on it.

If my mail() variables are all hardcoded, for instance the to, subject and body, how could a spammer send out a completely different email message to recipients?

Wouldn’t the spammer's recipients get an email which had my hardcoded subject and body?



 12:24 pm on Jan 23, 2008 (gmt 0)

Be careful about the headers (From: etc) - those too need to be hardcoded and are the most frequently abused part.


 6:23 am on Jan 25, 2008 (gmt 0)

If a spammer is sending out a different message to your recipient list, it most likely means he/she has hijacked your email list via other methods.

Doing full-fledged injection attacks requires a decent amount of knowledge about your existing code.


 3:53 pm on Jan 25, 2008 (gmt 0)

I do believe our scripts are secure and kinda figured that most hard-coded script forms would be more difficult to abuse. Myself and one other person are the only two who know how the form/variables/process works.

An interesting idea, just like Apache logs ind. processes, it would be interesting to log ind. php functions. You could then review your "php-mail" log to scan for abuse...


 10:50 pm on Jan 25, 2008 (gmt 0)

You can do that. An easy way would be to error_log [php.net] during your mailing routine.
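
Added example, not part of the thread: a sketch of the two ideas discussed above, refusing CR/LF in any form value that reaches the headers argument of mail() and writing every attempt to a dedicated "php-mail" log with error_log(). The function names, addresses and log location are assumptions made for illustration.

```php
<?php
// Added example: helper names, addresses and log location are hypothetical.
define('MAIL_LOG', sys_get_temp_dir() . '/php-mail.log'); // assumed location

// True if a value destined for a mail header contains CR or LF, which
// would let the submitter start a new header line (Bcc:, Cc:, ...).
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Append one line per mail attempt to the dedicated log (error_log type 3).
function mail_log(string $status, string $detail): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    // Replace control characters so a logged value cannot forge log lines.
    $detail = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $detail);
    error_log(sprintf("[%s] %s ip=%s %s\n", date('c'), $status, $ip, $detail), 3, MAIL_LOG);
}

// To, subject and sender are hardcoded; only the visitor's address and
// message come from the form.
function send_contact_mail(string $visitorEmail, string $visitorMessage): bool
{
    $to      = 'webmaster@example.com';   // constructed sample address
    $subject = 'Contact form submission';

    if (has_header_break($visitorEmail)
        || filter_var($visitorEmail, FILTER_VALIDATE_EMAIL) === false) {
        mail_log('REJECTED', 'reply-to=' . $visitorEmail);
        return false;
    }

    $headers = "From: forms@example.com\r\n"   // hardcoded sender
             . "Reply-To: {$visitorEmail}";    // validated above
    $body = "Message from the contact form:\n\n" . $visitorMessage;

    $ok = mail($to, $subject, $body, $headers);
    mail_log($ok ? 'SENT' : 'FAILED', "to={$to} reply-to={$visitorEmail}");
    return $ok;
}

// Constructed input: a Reply-To value carrying an extra header line is
// refused before mail() is called, and the attempt is logged.
var_dump(send_contact_mail("visitor@example.com\r\nBcc: someone@example.net", 'Hello'));
```

Reviewing the log for REJECTED entries shows which forms are being probed and from which addresses.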
