MadTechie

Staff Alumni
  • Posts: 9,409
  • Days Won: 1

Everything posted by MadTechie

  1. it works like this (from IE)
     example 1
     <input type='hidden' name='login' value=hello>
     Works
     example 2
     <input type='hidden' value=hello name='login'>
     Works
     example 3
     <input type='hidden' value=hello world name='login'>
     technically it still works.. if you look back at example 2 it sends "hello" not "hello name=" so to tell the form it's sending the correct data you enclose it in quotes.. like this
     <input type='hidden' value='hello world' name='login'>
     as a side note i don't think the examples above will work in firefox but will in IE. also all of these were untested..
  2. i'll have a dig around.. i think the project has been archived, i will take a look when i get home
  3. the 2nd has |CR||CR||CR||LF|, yes, there's probably another way but i don't know what your VB App does! see my first post!
  4. Not really!.. why not have a loading screen, then flush the page and start the analyzing process, then you could re-direct or whatever!
  5. that's the part i am unsure of.. the use of the unicode has made it harder to work out if it will filter, best thing to do is try it
  6. Yep, just giving you the heads up
  7. add
     $line1=htmlentities(stripslashes($line1), ENT_QUOTES);
     $line2=htmlentities(stripslashes($line2), ENT_QUOTES);
     before you use them so before the mail(
  8. My solution was a script that wrote an iframe containing a form with the element type file,
  9. See this is what i was saying before you love correcting me LOL JK
  10. they use frames
  11. you can also use it at the start of the body/message (header), but if the %0A is filtered then you should be fine.
  12. try this.
      echo htmlentities(stripslashes($line1), ENT_QUOTES);
      also what thorpe is saying is true, you have a filter somewhere, that added the slashes (probably addslashes)
  13. forgot to say: I cheated, i used a frame to do something close to this, but i'd love to replace it with a fully AJAX system..
  14. Erm.. i didn't think AJAX could do $_FILE requests, but only POST & GET! but i'll have a read as well!
  15. Preload will be javascript not PHP... what exactly are you trying to preload?
  16. try this
      <?php echo stripslashes($line1); ?>
      stripslashes()
  17. lol, you could have said that in the first post, the more details we have to play with the better the response, word of warning about sessions, you MUST have session_start(); at the start of the page BEFORE sending any text/data to the screen, ie (this will fail)
      echo "ahhh"; //<-- bad line
      session_start();
      $_SESSION['a'] = 'dog';
      echo "<a href='b.php'>b</a>";
  18. if someone enters something like this in the from field
      ME@domain.com%0ACc:victim@hotmail.com
      the message is Cc'd to victim@hotmail.com as well. if you wish to keep some tags you could use strip_tags and exclude some ie
      $html = strip_tags($html, '<b><i><u>');
      i'll admit i always forgot that function, (too much playing with regex)
  19. first the URLs are not correctly crafted ie a space should be %20, plus the GET has a limit. if it seems like the page isn't getting the request then add print_r($_GET) to the start to check.. it would seem to me that the problem is in the VB itself! why are you using PHP for this ? VB can talk directly to MySQL ???
  20. and or read the pinned header problem thread here
  21. it looks fine, but i am unsure when it comes to unicode and protection. add this
      $email = preg_replace('/%0A/', '', $email);
      before sending, will kill a few attempts at header injection
  22. i assume the firefox is on the same pc as Apache, my first suggestion would be check it in IE see if it's the same, if not then check the firefox addons (tools->addons)
  23. what are you trying to do ? what's the final goal? what do you mean by second one ? use file_get_contents
  24. remember you have different types of protections 1. spammers 2. what the contents has (ie script)
  25. that's not really hackers but spammers, the header should of course be filtered, as the spammer could inject a new "from: " header but adding the "\\r\\n" will not protect you.. basically the email strict fully valid email name & subject must be A-Z0-9 the body you need to filter the above post and probably remove (%0A)