[_] Is it safe?
Jon Bennett
jmbennett at gmail.com
Wed Mar 19 10:17:55 GMT 2008
Hi Chris,
> I am using an html form that POSTs to a .php page with the following
> code:
>
> <?php
>
> $body = "The subject line\n\n";
>
> foreach ($_POST as $field => $value) {
>     $body .= sprintf ("%s = %s\n", $field, $value);
> }
>
> mail("email at address.co.uk", "Subject", $body, 'From: "The website" <email at address.co.uk>');
> header( 'Location: http://www.thewebsite.co.uk/the_html_form.htm' ) ;
>
> ?>
>
> The question is, how secure is this method? I have not written the
> php code above, it's a legacy thing, but I have worked with php forms
> in the past that have had far more code to them.
Doesn't look particularly safe to me, as you're not validating that
each variable in the _POST array is safe and is what you were
expecting etc., a sure-fire way to get bot submissions I reckon.
jb
--
jon bennett
w: http://www.jben.net/
iChat (AIM): jbendotnet Skype: jon-bennett
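As an added example (not code from the original post or from Jon's reply), here is what the handler looks like once it checks that each posted field is one the form defines and that its value is what you expect, plus a simple measure against bot submissions. The field names (name, email, message), the hidden honeypot field "website" and the use of Reply-To are assumptions for illustration; it needs PHP 7.1 or later for the array destructuring.

```php
<?php
// Added example, not the code from the original post.
// Hardened version of the contact-form handler discussed above:
// only expected fields are accepted, each value is validated, and a
// hidden honeypot field must stay empty so simple bots are dropped.
// The field names below (name, email, message, website) are assumed
// for illustration; adjust them to match the real HTML form.

declare(strict_types=1);

const RECIPIENT   = 'email at address.co.uk';   // placeholder, as in the post
const THANKS_PAGE = 'http://www.thewebsite.co.uk/the_html_form.htm';

// Expected fields and the rules each value must satisfy (assumed).
const FIELD_RULES = [
    'name'    => ['max' => 100],
    'email'   => ['max' => 254, 'email' => true],
    'message' => ['max' => 2000, 'multiline' => true],
];

// Hidden form field a human never fills in; bots usually do (assumed name).
const HONEYPOT = 'website';

/**
 * Validate the posted fields against FIELD_RULES.
 * Returns [$clean, $errors]; $clean is only usable when $errors is empty.
 */
function validate_submission(array $post): array
{
    $clean  = [];
    $errors = [];

    // Honeypot: any content means a bot, so refuse the whole submission.
    if (isset($post[HONEYPOT]) && $post[HONEYPOT] !== '') {
        $errors[] = 'honeypot field filled in';
        return [$clean, $errors];
    }

    // Reject fields the form never defines instead of mailing them on.
    foreach (array_keys($post) as $field) {
        if ($field !== HONEYPOT && !isset(FIELD_RULES[$field])) {
            $errors[] = "unexpected field: $field";
        }
    }

    foreach (FIELD_RULES as $field => $rules) {
        $value = $post[$field] ?? null;
        if (!is_string($value)) {              // missing, or an array (field[]=)
            $errors[] = "$field is missing or not a string";
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            $errors[] = "$field is empty";
            continue;
        }
        if (strlen($value) > $rules['max']) {
            $errors[] = "$field is too long";
            continue;
        }
        // Control characters never belong in a single-line value; a
        // multiline field may contain tab, LF and CR only.
        $pattern = empty($rules['multiline'])
            ? '/[\x00-\x1F\x7F]/'
            : '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/';
        if (preg_match($pattern, $value)) {
            $errors[] = "$field contains control characters";
            continue;
        }
        if (!empty($rules['email']) && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$field is not a valid e-mail address";
            continue;
        }
        $clean[$field] = $value;
    }

    return [$clean, $errors];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    header('Location: ' . THANKS_PAGE, true, 303);
    exit;
}

[$clean, $errors] = validate_submission($_POST);

if ($errors) {
    // Send nothing; record why the submission was refused.
    error_log('contact form rejected: ' . implode('; ', $errors));
    header('Location: ' . THANKS_PAGE, true, 303);
    exit;
}

$body = "The subject line\n\n";
foreach ($clean as $field => $value) {
    $body .= sprintf("%s = %s\n", $field, $value);
}

// From: stays a fixed, server-controlled address. The submitter's address
// goes in Reply-To only because FILTER_VALIDATE_EMAIL already rejected
// anything containing CR or LF, so it cannot add further headers.
$headers = 'From: "The website" <' . RECIPIENT . ">\r\n"
         . 'Reply-To: ' . $clean['email'] . "\r\n";

mail(RECIPIENT, 'Subject', $body, $headers);

header('Location: ' . THANKS_PAGE, true, 303);
exit; // nothing after the redirect should run
```

The whitelist is the important part: unknown fields are refused rather than echoed into the mail, every value has a length limit and a character-set check, and the script exits after each header() call so no code runs past the redirect. The honeypot only catches unsophisticated bots; a CAPTCHA or rate limit would be the next step if that is not enough.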