Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Security of the mail() function



11:09 pm on Jan 22, 2008 (gmt 0)

10+ Year Member

I am reviewing some of the form scripts on our site while also studying some topics regarding injected headers for security.

One thing I don’t quite understand and hopefully someone can shed some light on it.

If my mail() variables are all hardcoded, for instance the to, subject and body how could a spammer send out a completely different email message to recipients?

Wouldn’t the spammers recipients get an email which had my hardcoded subject and body?


12:24 pm on Jan 23, 2008 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Be careful about the headers (From: etc) - those too need to be hardcoded and are the most frequently abused part.


6:23 am on Jan 25, 2008 (gmt 0)

5+ Year Member

If a spammer is sending out a different message to your recipient list, it most likely means he/she has hijacked your email list via other methods.

Doing full fledged injection attacks requires a decent amount of knowledge about your existing code.


3:53 pm on Jan 25, 2008 (gmt 0)

10+ Year Member

I do believe our scripts are secure and kinda figured that most hard-coded script forms would be more difficult to abuse. Myself and one other person are the only two who know how the form/variables/process works.

An interesting idea, just like Apache logs ind. processes, it would be interesting to log ind. php functions. You could then review your "php-mail" log to scan for abuse...


10:50 pm on Jan 25, 2008 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

You can do that. An easy way would be to error_log [php.net] during your mailing routine.

Featured Threads

Hot Threads This Week

Hot Threads This Month