Showing results for tags 'header injection'.
I created a script that takes info in the URL (script.php?id=123), compares that number (123) to a database and gets more information about that person (name, etc.). The number also corresponds to their email address (email@example.com). The information is passed to an email script which is a contact form. The contact form only sends the email to firstname.lastname@example.org and cannot be changed by the user. The user can enter their name, email, a subject, and the message. The name and subject are converted into email headers and sent to email@example.com (from: the user submitted info).

My question is that although the user cannot change the to: address, can they still input code into the name, email, and subject fields to inject additional to: addresses? If so, any suggestions on existing code that could eliminate this threat? Thanks!
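
A hardened handler for the kind of contact form described in the question, as an added example that is not part of the original post: it rejects CR/LF and other control characters in the name, email and subject before they reach a header, and keeps the recipient fixed in code. The field names, the addresses, and the choice of a fixed From with the visitor in Reply-To are assumptions.

```php
<?php
// Added example, not the poster's script. Form field names, addresses and
// the fixed recipient are assumptions for illustration.
const FIXED_RECIPIENT = 'recipient@example.com'; // placeholder; never taken from user input

function clean_header_value(string $value, int $maxLen): string
{
    // CR, LF and other control characters are what let a submitted value end
    // the current header line and start a new one (To:, Cc:, Bcc:). Reject them.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('Control characters are not allowed in header fields');
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException('Header field is empty or too long');
    }
    return $value;
}

function build_contact_mail(array $form): array
{
    $name    = clean_header_value($form['name'] ?? '', 100);
    $subject = clean_header_value($form['subject'] ?? '', 150);
    $email   = clean_header_value($form['email'] ?? '', 254);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // The display name goes in a quoted string; escape quote and backslash.
    $quotedName = '"' . addcslashes($name, "\"\\") . '"';
    $headers = [
        'From'         => 'webform@example.com', // fixed sender (assumed)
        'Reply-To'     => $quotedName . ' <' . $email . '>',
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // The message is body text, not a header, so line breaks are fine there.
    return [FIXED_RECIPIENT, $subject, (string)($form['message'] ?? ''), $headers];
}

// Constructed input: a name field carrying an extra header line.
$attempt = [
    'name'    => "Alice\r\nBcc: other@example.com",
    'email'   => 'alice@example.com', 'subject' => 'Hi', 'message' => 'Hello',
];
try {
    [$to, $subject, $body, $headers] = build_contact_mail($attempt);
    mail($to, $subject, $body, $headers); // array headers require PHP 7.2+
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting the submission is used here instead of silently stripping the line breaks, so an injection attempt is visible and can be logged.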