[Mimedefang] OT: Don't let this happen to you
Kris Deugau
kdeugau at vianet.ca
Wed Feb 15 11:49:43 EST 2006
David F. Skoll wrote:
> PHP's mail() function is completely broken. It is insecure, and it is
> *impossible* to make it secure unless you aggressively sanitize all your
> input.
>
> PHP is a truly horrible language (hey, I use it every day, so I should
> know...) and mail() stands out as one of the worst things about it.
All I remember about it is it's one of the functions I disabled on the
hosting server I set up. <g> For those few customers that really
wanted to use a PHP function to send mail, I provided a utility library
with a much more restrictive email function (among other things, it
stuck in a number of headers to make itself *very* easily identified),
along with a few other functions for common SSI operations usually
handled by Apache or standalone CGI scripts.
For most other customers, I provided a form-mail script that used the
utility library's email sender. To the best of my knowledge, neither
has ever (in ~5 years since I wrote it) been abused for spamming.
-kgd
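A defender-side sketch of the kind of restrictive wrapper described above, written here as an added example; it is not Kris Deugau's utility library, and the function names, the fixed sender address and the recipient allow-list are assumptions. It refuses the CR/LF/NUL characters that header injection through mail() depends on, only sends to owner-configured recipients, and stamps every message with headers that make it easy to trace back to the form that sent it.

```php
<?php
// Added example (not the original poster's code): a deliberately
// restrictive wrapper around PHP's mail(). Names are assumptions.

/** Reject any value that could break out of a single header line. */
function safe_header_value(string $value, int $maxlen = 200): string
{
    // CR, LF and NUL are what header injection needs to append extra
    // headers (Bcc:, a second To:) via mail()'s $to/$subject/$headers.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('header value contains line break');
    }
    if (strlen($value) > $maxlen) {
        throw new InvalidArgumentException('header value too long');
    }
    return $value;
}

/**
 * Send plain-text mail to one recipient taken from an owner-configured
 * allow-list; the form itself never chooses where mail goes.
 */
function restricted_mail(string $to, string $subject, string $body,
                         string $form_id, array $allowed_to): bool
{
    if (!in_array($to, $allowed_to, true)
        || filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('recipient not permitted');
    }
    $subject = safe_header_value($subject);

    // Fixed headers that make the message *very* easy to identify in
    // logs and abuse reports (sender address is an assumed placeholder).
    $headers = implode("\r\n", [
        'From: noreply@example.com',
        'X-Mailer: restricted-mail example',
        'X-Form-Id: ' . safe_header_value($form_id, 40),
        'X-Originating-IP: ' . safe_header_value($_SERVER['REMOTE_ADDR'] ?? 'cli', 45),
        'Content-Type: text/plain; charset=UTF-8',
    ]);

    // With every header fixed above, the body cannot smuggle headers in;
    // still drop NUL bytes and cap the size to limit abuse as a relay.
    $body = substr(str_replace("\0", '', $body), 0, 10000);
    return mail($to, $subject, $body, $headers);
}

// Usage: restricted_mail('owner@example.com', $_POST['subject'] ?? '',
//        $_POST['message'] ?? '', 'contact-form', ['owner@example.com']);
```

Because the subject and the identifying fields throw on any embedded line break rather than being silently "cleaned", a spam attempt shows up as an error in the web server log instead of as outbound mail.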