[RESOLVED] is there header injection protection in phpmailer ?

steamPunk

I've been looking at the phpmailer class at

http://phpmailer.sourceforge.net/

and it looks very good but i can't tell if it has protection against people using header injection into the address field - until now i've been using

return preg_match("/(%0A|%0D|\n+|\r+)/i", $text) == 0;

to check the strings

i had a look at the documentation but didn't find anything about header injection

does anyone have any info about this ?

thanks

bpat1434

    /**
     * Adds a "To" address.  

     * @param string $address
     * @param string $name
     * @return void
     */
    function AddAddress($address, $name = "") {
        $cur = count($this->to);
        $this->to[$cur][0] = trim($address);
        $this->to[$cur][1] = $name;
    }

I'm going to say it doesn't prevent it; however, because of the trimming, it does make it harder. I don't use PHPMailer, rather I use SwiftMailer

NogDog

I believe the EncodeHeader method is used for this for the subject and any headers.

steamPunk

Thank you for both of those answers

I'll have a look at Swiftmailer too as I'm looking for an efficient batch mailer class for a mailing list of maybe 1000 addresses

cheers