11-13-2006, 12:49 AM #1
Do you see any Security problems with my logic or with using php E-Mail functions
I've set up a page to allow folks to reset their Passwords and/or send themselves their User-id.
1. Form is displayed.
2. Must Enter E-Mail address.
3. Must select Security Question (1 of 6).
4. Must enter Security answer.
5. check E-Mail address to see if it is valid address in the user table.
(if not display error msg)
6. If valid E-Mail, check Security Question & Answer in user table.
- if Question and Answer correct, reset pw and use php mail function to e-mail new pw to E-Mail address.
- If invalid Question or Answer use php mail function to e-mail fact to E-Mail address.
I will be passing the E-Mail address to php mail, but I figure since this was checked against the table that someone shouldn't be able to hide a cc address in the field.
Anything else I should worry about?
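The six-step flow above, written out as an added example (this is not the original poster's code). The lookup uses a bound parameter, the security answer and the new password are stored as password_hash() values, the replacement password comes from random_bytes(), and the address is validated before it goes anywhere near mail(). The table layout, column names, the sample user and the $printMailer stand-in for mail() are all constructed for the demo; it needs the pdo_sqlite extension.

```php
<?php
// Added example, not the poster's code: the reset flow with a prepared
// statement (step 5), a hashed security answer (step 6), a CSPRNG-generated
// replacement password, and strict address validation before mailing.
// Schema, column names and the demo user are constructed for this example.

declare(strict_types=1);

function validEmailAddress(string $email): bool {
    // A single syntactically valid address; CR/LF cannot pass this check,
    // so a second recipient cannot be smuggled in through the field.
    $email = trim($email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && !preg_match('/[\r\n]/', $email);
}

function resetPassword(PDO $db, string $email, int $question, string $answer, callable $mailer): string {
    if (!validEmailAddress($email)) {
        return 'error: invalid e-mail address';             // step 5 failure
    }
    $email = trim($email);

    // Step 5: look the address up with a bound parameter, never by concatenation.
    $stmt = $db->prepare('SELECT id, question_id, answer_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return 'error: e-mail address not found';
    }

    // Step 6: the stored answer is a password_hash() value, so use
    // password_verify() (constant-time) instead of == on the plaintext.
    $normalised = strtolower(trim($answer));
    $ok = ((int) $user['question_id'] === $question)
        && password_verify($normalised, $user['answer_hash']);

    if (!$ok) {
        $mailer($email, 'Password reset attempt',
            "A password reset was requested for this address, but the security answer was wrong. No change was made.");
        return 'notice sent';
    }

    // New password: 16 hex characters (64 bits) from the CSPRNG; only its hash is stored.
    $newPassword = bin2hex(random_bytes(8));
    $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $upd->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $user['id']]);

    $mailer($email, 'Your new password',
        "Your password has been reset to: $newPassword\nPlease change it after logging in.");
    return 'new password sent';
}

// --- constructed demo data: an in-memory SQLite database with one user ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, '
        . 'question_id INTEGER, answer_hash TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (email, question_id, answer_hash, password_hash) VALUES (?, ?, ?, ?)');
$ins->execute(['alice@example.com', 3,
    password_hash('rover', PASSWORD_DEFAULT),
    password_hash('old-password', PASSWORD_DEFAULT)]);

// Stand-in for PHP's mail(): prints instead of sending, so the demo runs
// without an MTA. Replace with mail($to, $subject, $body) in production.
$printMailer = function (string $to, string $subject, string $body): void {
    echo "MAIL to=$to subject=$subject\n$body\n\n";
};

echo resetPassword($db, 'alice@example.com', 3, 'Rover', $printMailer), "\n";   // correct answer
echo resetPassword($db, 'alice@example.com', 3, 'fluffy', $printMailer), "\n";  // wrong answer
echo resetPassword($db, "alice@example.com\r\nBcc: x@example.org", 3, 'rover', $printMailer), "\n"; // rejected
```

Because the address is validated before the lookup, the table check and the mail() call both see the same clean string; the third call shows that a value carrying a line break never reaches either.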
11-13-2006, 03:38 AM #2
I think that so long as you properly filter all of your form input, you should be ok. Spammers will usually try to inject some type of header information into a form field to try to trick the mail function into sending out spam. Check the input for things like "Content-type" and "\r\n", and other common email header information. If it's in any of the fields, spit back a "Spammer attempt logged" error message and kill (die()) the script.
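The filter described in this reply, as an added example (not the replying poster's code): every submitted field is scanned for line breaks and header tokens before any of them is used, and a hit logs the field name and stops the script with die(). The field names and the two sample submissions are constructed for the demonstration.

```php
<?php
// Added example, not the poster's code: scan all form fields for e-mail
// header injection ("Content-type", "\r\n", extra recipients) before mail().
// Field names and sample submissions below are constructed for the demo.

declare(strict_types=1);

/**
 * Return the name of the first field that looks like a header-injection
 * attempt, or null when every field is clean.
 */
function detectHeaderInjection(array $fields): ?string {
    // Header names used to splice extra recipients or a MIME body into a
    // message, matched case-insensitively at the start of a line.
    $headerPattern = '/^(?:Content-Type|Content-Transfer-Encoding|MIME-Version|Bcc|Cc|To|From)\s*:/im';

    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            return (string) $name;             // arrays or nulls are never valid form text here
        }
        // Raw CR/LF, a NUL byte, or a still URL-encoded line break (%0A / %0D).
        if (preg_match('/[\r\n\0]|%0[ad]/i', $value)) {
            return (string) $name;
        }
        if (preg_match($headerPattern, $value)) {
            return (string) $name;
        }
    }
    return null;
}

function handleSubmission(array $post): string {
    $bad = detectHeaderInjection($post);
    if ($bad !== null) {
        // Log the field name and client address only; logging the raw value
        // would let the injected text end up in the log instead.
        error_log(sprintf('Header injection attempt in field "%s" from %s',
            $bad, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        die('Spammer attempt logged');
    }
    // Fields are clean: continue to the table lookup and mail() call.
    return 'ok';
}

// --- constructed sample submissions ---
$clean = [
    'email'    => 'alice@example.com',
    'question' => '3',
    'answer'   => 'rover',
];
$injected = [
    'email'    => "alice@example.com%0ABcc: spam@example.org",
    'question' => '3',
    'answer'   => 'rover',
];

var_dump(detectHeaderInjection($clean));     // null: nothing suspicious
var_dump(detectHeaderInjection($injected));  // "email": the field that tripped the filter
echo handleSubmission($clean), "\n";         // only the clean submission gets through
```

Run the detector on the whole $_POST array rather than on the e-mail field alone: the reply's point is that any field that ends up in a mail() argument is a candidate for header injection, not just the recipient.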