阻止sendmail注入 [英] preventing sendmail injection
问题描述
在这里看:
http://www.devarticles.com/c/a/PHP/G...il-Function/2/
it说我必须要小心我发送到sendmail程序的内容
通过popen()。这也适用于主题:行吗?
(我打开一个进程而不是简单地使用mail(),这样我就可以设置
带有sendmail'的-f开关的返回路径标题并捕获跳出。)
我的From:和To:是硬编码的,*不是*从任何webform文本字段中删除。 />
我正在使用:
$ i = preg_match_all(''/ [a-zA-Z0-9 _] /'',$ subject,$ arr ); $
on $ subject以防万一。这是排除任何危险的
字符的正确方法吗? (IOW,我正在使用白名单方法。)
我是否需要关注主题行?
i = preg_match_all(''/ [a-zA-Z0-9 _] /'',
subject,
< blockquote> arr);
looking here:
http://www.devarticles.com/c/a/PHP/G...il-Function/2/
it says that I have to be careful about what I send to the sendmail process
via popen(). Does that also apply to the Subject: line?
(I''m opening a process rather than simply using mail() so that I can set the
return-path header with sendmail''s -f switch and catch bounces.)
My From: and To: are hardcoded and *not* taken from any webform textfields.
I''m using:
$i = preg_match_all(''/[a-zA-Z0-9_]/'', $subject, $arr);
on the $subject just in case. Is that the correct way to exclude any dangerous
characters? (IOW, I''m using a whitelist approach.)
Do I need to be concerned about the Subject line regardless?
i = preg_match_all(''/[a-zA-Z0-9_]/'',
subject,
arr);
on the
这篇关于阻止sendmail注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!