[Mimedefang] OT: Don't let this happen to you

Kris Deugau kdeugau at vianet.ca
Wed Feb 15 11:49:43 EST 2006

David F. Skoll wrote:
> PHP's mail() function is completely broken.  It is insecure, and it is
> *impossible* to make it secure unless you aggressively sanitize all your
> input.
> PHP is a truly horrible language (hey, I use it every day, so I should
> know...) and mail() stands out as one of the worst things about it.

All I remember about it is it's one of the functions I disabled on the 
hosting server I set up.  <g>  For those few customers that really 
wanted to use a PHP function to send mail, I provided a utility library 
with a much more restrictive email function (among other things, it 
stuck in a number of headers to make itself *very* easily identified), 
along with a few other functions for common SSI operations usually 
handled by Apache or standalone CGI scripts.

For most other customers, I provided a form-mail script that used the 
utility library's email sender.  To the best of my knowledge, neither 
has ever (in ~5 years since I wrote it) been abused for spamming.


More information about the MIMEDefang mailing list