If I don't include "headers" in the mail()

Do I still have to worry about header injection?

         

someone

6:09 pm on Mar 15, 2007 (gmt 0)

10+ Year Member



This is all I need: mail($recipient, $subject, $message);

I don't need to know anything about the header information. Can I get away with validation to prevent header injection?

coopster

3:38 am on Mar 16, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



That's not validation, that's merely using a built-in function. You may need to validate your other variables though. For instance, you could parse the $recipients variable and make certain that each contains a valid email address, etc. If you are uncertain as to how you might want to approach validation for each of these variables, you might want to pull down the PEAR mail module and have a look at the source to see how they are handling it.

someone

4:16 pm on Mar 16, 2007 (gmt 0)

10+ Year Member



Hi coopster, I understand that mail() is just a function. Usually, I would include the "headers" parameter in mail() for the from field,

$headers = "From: $from";

and $from is a $_POST variable from a form.

In that case, I was told that I have to validate $from to prevent email header injection.

But this time, I don't plan to include the "headers" parameter in the mail function. All I need is just mail($to, $subject, $message); Now in this case, do I still have to worry about header injection?

Habtom

10:44 am on Mar 17, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Though I am not sure about the injection, you might need the header, as emails sent without a header (based on my experience) tend to go to the spam folder or never appear.

Habtom
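
The validation coopster suggests for the remaining variables, as an added example (not code from the thread or from PEAR): `$to` and `$subject` are written into the To: and Subject: header lines, so both are checked for line breaks before they reach `mail()`, even when no `$headers` argument is used. The function names and the 200-character subject limit are assumptions.

```php
<?php
// Added example: checks for the values passed to mail($to, $subject, $message).

function has_line_break(string $value): bool
{
    // CR, LF or NUL would let a value spill into a new header line.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function validate_recipients(string $raw): array
{
    if (has_line_break($raw)) {
        throw new InvalidArgumentException('Line break in recipient list');
    }
    $valid = [];
    foreach (explode(',', $raw) as $address) {
        $address = trim($address);
        if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Invalid address: $address");
        }
        $valid[] = $address;
    }
    return $valid;
}

function validate_subject(string $subject, int $maxLength = 200): string
{
    if (has_line_break($subject)) {
        throw new InvalidArgumentException('Line break in subject');
    }
    if (strlen($subject) > $maxLength) {
        throw new InvalidArgumentException('Subject too long');
    }
    return trim($subject);
}

// Constructed sample inputs: one clean, two carrying an extra header line.
$samples = [
    ['user@example.com', 'Contact form'],
    ["user@example.com\r\nBcc: other@example.net", 'Contact form'],
    ['user@example.com', "Hello\r\nBcc: other@example.net"],
];
foreach ($samples as [$to, $subject]) {
    try {
        $recipients = validate_recipients($to);
        $subject = validate_subject($subject);
        // mail(implode(', ', $recipients), $subject, $message) would follow here.
        echo 'OK: ', implode(', ', $recipients), ' / ', $subject, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```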