[nycphp-talk] worm/virus's hammering feedback scripts? POLISHED VERSION

Dan Cech dcech at phpwerx.net
Tue Sep 27 08:13:01 EDT 2005


I'd advise checking out phpmailer (http://phpmailer.sourceforge.net/). I 
haven't had a chance to look into it from a security perspective, but it 
does support almost every feature you could desire for sending email.

If there are security issues then I would suggest working on securing 
this existing and very mature product rather than rolling your own. 
Also, it is released under the LGPL so using it in commercial 
applications should not be a problem.

Dan

Mikko Rantalainen wrote:
> Hans Zaunere wrote:
> 
>>matthijs abeelen scribbled on Thursday, September 15, 2005 2:04 AM:
>>
>>
>>>This problem is spreading very fast, a good summary of the best
>>>solution(s) is needed indeed. Unfortunately, I'm not the one who can
>>>do that. Waiting eagerly for the article on Phundamentals!
>>
>>We're working on it.
>>
>>And I've attached what a first stab at a PHP 5 class would look like, with
>>example usage here:
>>
>>$MyMail = new MailProtect;
>>$MyMail->SetFrom($_POST['From']);
>>$MyMail->SetTo($_POST['To']);
>>$MyMail->SetCc('admin@somewhere.com');
>>$MyMail->SetSubject($_POST['Subject']);
>>$MyMail->SetBody('Thank you for your submission!');
>>
>>if( $MyMail->SendMail() === TRUE )
>>    echo 'Mail Sent';
>>else
>>    echo 'WARNING: Header validation failed; possible exploitation attempt';
> 
> 
> How about
> 
> $MyMail->addTo(...);
> $MyMail->addCc(...);
> $MyMail->addBcc(...);
> 
> instead of setXXX() variants? From, Subject and Body always have 
> exactly one value but To, Cc and Bcc fields can contain multiple 
> items. If the protecting wrapper class forces one to add a single 
> recipient at a time, misuse of these fields is a bit harder by mistake.
> 
> Also, I'd prefer those methods to accept two parameters instead of 
> just one. For example,
> 
> function addTo($email,$display_name="") {...}
> 
> So that user of this class never needs to encode any special 
> characters or merge display name and email in the same string.
> 
> I'd add $MyMail->addHeader($name,$value) for adding a single 
> additional header too.
> 
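The wrapper shape Mikko sketches above (one recipient per `addTo()`/`addCc()`/`addBcc()` call, address and display name passed separately, and an `addHeader($name, $value)` for extras) can be written so that the class itself refuses any value carrying a line break, which is the one thing an injected header needs. The following is an added example, not the `MailProtect` class attached in the thread nor code from phpmailer; the `MailProtect` name and the method names come from the discussion, everything else (field names, `buildHeaders()`, the reserved-header list) is my own assumption.

```php
<?php
// Added example in the spirit of the MailProtect wrapper discussed in the thread.
// Requires PHP 7.4+ and the mbstring extension (for non-ASCII display names).
final class MailProtect
{
    private array $to = [];
    private array $cc = [];
    private array $bcc = [];
    private array $headers = [];
    private ?string $from = null;
    private string $subject = '';
    private string $body = '';

    // Headers the wrapper manages itself; callers may not set them via addHeader().
    private const RESERVED = ['from', 'to', 'cc', 'bcc', 'subject'];

    /** Reject CR, LF or NUL anywhere in a header value: that is what header injection relies on. */
    private static function assertSingleLine(string $value, string $field): void
    {
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("$field contains a line break; possible injection attempt");
        }
    }

    /** Build one "Display Name" <user@host> mailbox from separately supplied parts. */
    private static function mailbox(string $email, string $displayName): string
    {
        self::assertSingleLine($email, 'email address');
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Invalid email address: $email");
        }
        if ($displayName === '') {
            return $email;
        }
        self::assertSingleLine($displayName, 'display name');
        // The caller never encodes anything: quote/escape ASCII names,
        // MIME-encode anything outside printable ASCII.
        if (preg_match('/[^\x20-\x7e]/', $displayName)) {
            $name = mb_encode_mimeheader($displayName, 'UTF-8', 'Q');
        } else {
            $name = '"' . addcslashes($displayName, '"\\') . '"';
        }
        return "$name <$email>";
    }

    public function setFrom(string $email, string $displayName = ''): void
    {
        $this->from = self::mailbox($email, $displayName);
    }

    public function addTo(string $email, string $displayName = ''): void
    {
        $this->to[] = self::mailbox($email, $displayName);
    }

    public function addCc(string $email, string $displayName = ''): void
    {
        $this->cc[] = self::mailbox($email, $displayName);
    }

    public function addBcc(string $email, string $displayName = ''): void
    {
        $this->bcc[] = self::mailbox($email, $displayName);
    }

    /** One extra header; the name must be a plain token and must not shadow a managed field. */
    public function addHeader(string $name, string $value): void
    {
        if (!preg_match('/^[A-Za-z0-9-]+$/', $name)) {
            throw new InvalidArgumentException("Invalid header name: $name");
        }
        if (in_array(strtolower($name), self::RESERVED, true)) {
            throw new InvalidArgumentException("Header $name is managed by the wrapper");
        }
        self::assertSingleLine($value, $name);
        $this->headers[$name] = $value;
    }

    public function setSubject(string $subject): void
    {
        self::assertSingleLine($subject, 'Subject');
        $this->subject = $subject;
    }

    public function setBody(string $body): void
    {
        $this->body = $body;
    }

    /** The additional-headers block handed to mail(); exposed so it can be inspected in tests. */
    public function buildHeaders(): string
    {
        if ($this->from === null || $this->to === []) {
            throw new LogicException('From and at least one To recipient are required');
        }
        $lines = ['From: ' . $this->from];
        if ($this->cc !== [])  { $lines[] = 'Cc: ' . implode(', ', $this->cc); }
        if ($this->bcc !== []) { $lines[] = 'Bcc: ' . implode(', ', $this->bcc); }
        foreach ($this->headers as $n => $v) { $lines[] = "$n: $v"; }
        return implode("\r\n", $lines);
    }

    public function sendMail(): bool
    {
        return mail(implode(', ', $this->to), $this->subject, $this->body, $this->buildHeaders());
    }
}

// Constructed usage: a well-formed recipient is accepted, a form field carrying
// an embedded line break (the pattern these feedback-script worms submit) is refused
// before anything reaches mail().
$m = new MailProtect();
$m->setFrom('noreply@example.com', 'Feedback Form');
$m->addTo('admin@example.com', 'Site Admin');
try {
    $m->addTo("user@example.com\r\nBcc: someone-else@example.net", 'Visitor');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . PHP_EOL;
}
echo $m->buildHeaders() . PHP_EOL;
```

Because every recipient goes through `mailbox()` one at a time, a submitted value can never smuggle a second address or a second header into the call to `mail()`; the same single-line check guards `setSubject()` and `addHeader()`, and the reserved-name list keeps `addHeader()` from overriding the fields the wrapper already controls. Logging the rejected value (as the `WARNING` branch in Hans's example does) gives the site operator a signal that the form is being probed.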
