whoisgregg - 10:35 pm on Jul 1, 2006 (gmt 0)
A false positive will occur if the user legitimately includes any of those text strings in the message. You can search for those terms only if they occur at the beginning of a new line, but for simplicity's sake I didn't include such a check in my sample pseudocode. For example, this message would trigger a false positive (which would frustrate the customer), even though it is not an injection attempt:
how can we be sure that it will not result in a false/true or true/false
So you probably want to do a better, specific search for the injection code with a "\r\n" before it. (Which may be as simple as adding that to the array in my sample code, dunno -- haven't tested it. Can strpos find "\r\n"?)
The headers are "injected" through the message parameter, so if you allow user input to be included there, then whether the message parameter comes from a variable assignment or from a defined constant wouldn't make a difference. At least, I don't think it would... to be honest I only discovered what constants were for a couple of weeks ago. :/
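The line-anchored check discussed above, written out as an added example (this is not code from the original post or its author's sample). It compares the naive "search anywhere with strpos" approach against a regex that only matches a header name when it begins a line, i.e. directly after "\r\n", "\n" or a lone "\r", or at the very start of the string. The header list, the function names and the sample inputs are all constructed for this example; apply the check to any user-supplied string before it reaches mail().

```php
<?php
// Added example, not code from the original post. Demonstrates why a
// header-injection check should be anchored to the start of a line.
// INJECTABLE_HEADERS and the sample strings below are constructed here.

// Header names an attacker would inject to add recipients or rewrite the mail.
const INJECTABLE_HEADERS = ['to', 'cc', 'bcc', 'from', 'content-type', 'mime-version'];

/**
 * Naive check: look for "name:" anywhere in the text (what a strpos loop over
 * an array of strings does). Returns the first match or null.
 * Flags legitimate prose that merely mentions "cc:" mid-sentence.
 */
function naive_injection_check(string $text): ?string
{
    foreach (INJECTABLE_HEADERS as $name) {
        if (stripos($text, $name . ':') !== false) {
            return $name . ':';
        }
    }
    return null;
}

/**
 * Line-anchored check: "name:" only counts when it starts a line. A header
 * can only be injected by first ending the current line, so the token must
 * follow "\r\n", "\n" or "\r" (or sit at the very start of the string).
 * Leading spaces/tabs are tolerated and matching is case-insensitive, since
 * mail header names are case-insensitive. Returns the matched name or null.
 */
function line_anchored_injection_check(string $text): ?string
{
    $names   = implode('|', array_map('preg_quote', INJECTABLE_HEADERS));
    $pattern = '/(?:^|\r\n|\r|\n)[ \t]*(' . $names . ')[ \t]*:/i';
    if (preg_match($pattern, $text, $m) === 1) {
        return strtolower($m[1]) . ':';
    }
    return null;
}

/**
 * Stricter rule for fields that must be a single line (subject, from, reply-to):
 * any CR or LF at all is an injection attempt, whatever follows it.
 * PHP has already URL-decoded form input, so %0d%0a arrives here as raw "\r\n".
 */
function contains_line_break(string $field): bool
{
    return preg_match('/[\r\n]/', $field) === 1;
}

// Constructed samples: one legitimate message, two injection attempts.
$samples = [
    'legit'   => "Can you cc: my colleague on the reply?",
    'attack'  => "Hello\r\nBcc: victim@example.com\r\n",
    'attack2' => "Hello\nbcc:victim@example.com",
];

foreach ($samples as $label => $text) {
    printf(
        "%-8s naive=%-6s anchored=%-6s linebreak=%s\n",
        $label,
        naive_injection_check($text) ?? 'none',
        line_anchored_injection_check($text) ?? 'none',
        contains_line_break($text) ? 'yes' : 'no'
    );
}
```

Running this shows the difference the post describes: the naive check flags the legitimate "cc:" in the middle of a sentence, while the anchored check flags only the two messages where a header name actually begins a new line. For single-line fields such as the subject or sender address, rejecting any "\r" or "\n" outright (contains_line_break) is simpler and leaves no room for alternative spellings of the header name.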