It's become clear that having an email form is still a vulnerability, and I'd like to know if anyone has come up with a good way to filter or check for injected headers in form emails?

    I don't see where the PEAR mail really offers anything. I have pretty good mailer code working. I too thought to strip the input but I don't know what to look for.

    I had hoped that someone would have come up with a good strip function.

      OK, looks like I'm already good. It seems the injection works when the message is sent raw, and if the first lines are proper headers the mailer sees them as headers. But I don't send my message raw: first I add some text to it, and then, to get the line breaks to show, I use
      $comments=str_replace("\r","\n",$comments);
      and since a header MUST have \r\n at the end of each line, they should fail after that function is used.

        Since this bot tries to inject headers into every field you have, best to check all.

        Using your method...

        $email=str_replace("\r","\n",$email);
        $name=str_replace("\r","\n",$name);
        $comments=str_replace("\r","\n",$comments);
        $phone=str_replace("\r","\n",$phone);

        etc...
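As an added example (not code from anyone in this thread), here is a validation step a PHP contact form can run on every field that ends up in a mail header before calling mail(). It rejects bare \n as well as \r, because common MTAs accept a lone LF as a header line terminator, so a field that still contains "\n" followed by "Bcc: ..." can still become an extra header. The field names, addresses and sample payload below are constructed for the example.

```php
<?php
// Added example: detect e-mail header injection in contact-form fields.
// Field names, addresses and the sample payload are constructed, not from the thread.

/**
 * True if a value destined for a mail header contains anything that could
 * start a new header line: raw CR, LF, NUL, or the URL-encoded forms some
 * form-spamming bots send in the hope that they are decoded later.
 */
function containsHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]|%0[ad]/i', $value) === 1;
}

/**
 * Check every header-bound field. Returns the names of the fields that
 * failed; an empty array means the submission is clean.
 */
function findInjectedFields(array $fields): array
{
    $bad = [];
    foreach ($fields as $name => $value) {
        if (containsHeaderInjection((string) $value)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

/**
 * Build the header block for mail(). Only called after the fields passed
 * findInjectedFields(); the address is additionally validated here.
 * Returns null if the address is not a syntactically valid mailbox.
 */
function buildHeaders(string $fromAddress, string $replyTo): ?string
{
    $replyTo = filter_var($replyTo, FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        return null;
    }
    // Header lines are joined with CRLF by us; user data never supplies one.
    return "From: {$fromAddress}\r\nReply-To: {$replyTo}\r\n";
}

// Two constructed submissions: a legitimate one and a bot-style injection.
$submissions = [
    'clean' => [
        'name'     => 'Alice',
        'email'    => 'alice@example.com',
        'phone'    => '555-0100',
        'comments' => "Hello,\r\nplease call me.",
    ],
    'injected' => [
        'name'     => 'Alice',
        'email'    => "alice@example.com\nBcc: victim@example.com",
        'phone'    => '555-0100',
        'comments' => 'Hi',
    ],
];

foreach ($submissions as $label => $form) {
    // Only values that are placed in headers need the strict check;
    // the message body may legitimately contain line breaks.
    $headerFields = [
        'name'  => $form['name'],
        'email' => $form['email'],
        'phone' => $form['phone'],
    ];

    $bad = findInjectedFields($headerFields);
    if ($bad !== []) {
        // Refuse and log; do not try to "clean" the value and send anyway.
        error_log("Header injection attempt ({$label}) in: " . implode(', ', $bad));
        echo "{$label}: rejected\n";
        continue;
    }

    $headers = buildHeaders('webform@example.com', $form['email']);
    if ($headers === null) {
        echo "{$label}: invalid e-mail address\n";
        continue;
    }

    // Body keeps its line breaks; they are harmless outside the header block.
    $body = "Name: {$form['name']}\nPhone: {$form['phone']}\n\n{$form['comments']}";
    echo "{$label}: would send with headers:\n{$headers}";
    // mail('you@example.com', 'Contact form', $body, $headers);
}
```

The check is deliberately a reject, not a rewrite: once a submission contains a line break in a header field it is almost certainly automated, so logging the attempt and returning an error gives you something to alert on, whereas silently stripping characters can leave a still-usable payload behind.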
