Blog Compass Lite 2.0 - personal blog

Monday, April 09, 2007

PEAR Mail cannot send mail with form POST sender address

Email Injection - SecurePHP.

Problem Scenario:

I was constructing a PHP email enquiry form. Users can post their name and reply email address through an HTML form. When $_POST[sender_name] <$_POST[sender_email]> is fed as the $from field in PEAR Mail, an error is returned and the email cannot be sent.

The problem does not occur when a static string is fed as the $from field.

Solution:

This is not a problem at all. PEAR Mail is deliberately blocking this to prevent users from feeding cc and bcc information into the sender field, which would cause injection attacks and spamming.
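
An added example (not from the original post and not PEAR Mail's own code): one way to validate the posted name and address before building the $from value, so that line breaks carrying extra Cc/Bcc headers are rejected before the mailer sees them. The function name build_from_header and the sample inputs are constructed for illustration.

```php
<?php
// Added example: build a From value from form input, refusing header injection.
// build_from_header() is a hypothetical helper, not part of PEAR Mail.
function build_from_header(string $name, string $email): string
{
    // A CR or LF in either field would let the value start a new header
    // line (Cc:, Bcc:, ...). Check the raw input before any trimming.
    if (preg_match('/[\r\n]/', $name . $email)) {
        throw new InvalidArgumentException('line break in sender field');
    }

    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }

    // Drop control characters and characters that would break out of the
    // quoted display name or the angle-bracket address.
    $name = trim(preg_replace('/[\x00-\x1F\x7F"\\\\<>]/', '', $name));

    return $name === '' ? $email : sprintf('"%s" <%s>', $name, $email);
}

// Constructed sample inputs standing in for $_POST['sender_name'] and
// $_POST['sender_email'].
$samples = [
    ['Alice Example', 'alice@example.com'],
    ['Alice', "alice@example.com\r\nBcc: list@example.net"],
    ["Alice\nCc: other@example.net", 'alice@example.com'],
    ['Alice', 'not-an-address'],
];

foreach ($samples as [$name, $email]) {
    try {
        echo 'OK: ', build_from_header($name, $email), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'REJECTED: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first sample produces a From value; the other three are rejected before anything is handed to the mailer.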