[Mimedefang] OT: Don't let this happen to you
David F. Skoll
dfs at roaringpenguin.com
Wed Feb 15 11:19:14 EST 2006
PHP's mail() function is completely broken. It is insecure, and it is
*impossible* to make it secure unless you aggressively sanitize all your
input.
PHP is a truly horrible language (hey, I use it every day, so I should
know...) and mail() stands out as one of the worst things about it.
I wrote a C program called "sendmail-wrapper.c" that makes it possible
to send mail safely from PHP. It is invoked with no arguments, and reads
lines on stdin specifying envelope sender and recipient(s). It then executes
Sendmail directly (using execve) so no shell is involved.
Regards,
David.
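An added example of the approach David describes, written for this page and not his sendmail-wrapper.c: validate the envelope sender and recipients against a strict alphabet, build the argument vector yourself, and hand it to sendmail with execve() so no shell ever parses the addresses. The sendmail path, the argument layout (-oi -f sender rcpt...), and the accepted address syntax are assumptions; reading the envelope lines from stdin is left to the caller.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>

#define SENDMAIL "/usr/sbin/sendmail"   /* assumed path; adjust to your MTA */
#define MAX_ARGS 40                     /* sendmail -oi -f sender rcpts... NULL */

/* Accept only local@domain: letters, digits and ._%+- in the local part, letters,
 * digits, '.' and '-' in the domain. A leading '-' is refused so an address can
 * never be read by sendmail as an option. Returns 1 if safe, 0 otherwise. */
int address_is_safe(const char *a)
{
    const char *at = strchr(a, '@'), *p;
    if (a[0] == '\0' || strlen(a) > 254 || a[0] == '-' || at == NULL || at == a
        || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;
    for (p = a; p < at; p++)
        if (!isalnum((unsigned char)*p) && strchr("._%+-", *p) == NULL) return 0;
    for (p = at + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-') return 0;
    return 1;
}

/* Fill argv with "sendmail -oi -f SENDER RCPT..." followed by NULL. Returns the
 * argument count, or -1 if any address fails validation or argv would overflow. */
int build_argv(const char *sender, char *const *rcpts, int n, char **argv, int cap)
{
    int i, argc = 0;
    if (n < 1 || n + 5 > cap || !address_is_safe(sender))
        return -1;
    argv[argc++] = "sendmail";
    argv[argc++] = "-oi";                 /* a lone '.' line must not end the message */
    argv[argc++] = "-f";
    argv[argc++] = (char *)sender;        /* envelope sender, already validated */
    for (i = 0; i < n; i++) {
        if (!address_is_safe(rcpts[i])) return -1;
        argv[argc++] = rcpts[i];
    }
    argv[argc] = NULL;
    return argc;
}

/* Replace this process with sendmail via execve(): no shell is consulted, so the
 * addresses are never re-tokenised. The message body is whatever remains on
 * stdin. An empty environment keeps nothing inherited from PHP. Returns only on failure. */
int exec_sendmail(const char *sender, char *const *rcpts, int n)
{
    char *argv[MAX_ARGS], *envp[] = { NULL };
    if (build_argv(sender, rcpts, n, argv, MAX_ARGS) < 0)
        return -1;
    execve(SENDMAIL, argv, envp);
    return -1;
}
```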