  1. #1
    musher (Regular Coder, joined Jan 2005, Minnesota, 203 posts)

    Do you see any Security problems with my logic or with using php E-Mail functions

    I've set up a page to allow folks to reset their Passwords and/or send themselves their User-id.
    1. Form is displayed.
    2. Must Enter E-Mail address.
    3. Must select Security Question (1 of 6).
    4. Must enter Security answer.
    5. Check E-Mail address to see if it is a valid address in the user table.
    (if not, display error msg)

    6. If valid E-Mail, check Security Question & Answer in user table.
    - If Question and Answer are correct, reset pw and use php mail function to e-mail new pw to E-Mail address.
    - If invalid Question or Answer, use php mail function to e-mail that fact to E-Mail address.

    I will be passing the E-Mail address to php mail, but I figure since this was checked against the table that someone shouldn't be able to hide a cc address in the field.

    Anything else I should worry about?
    Thanks
    Jim M

    "Lord, help me to become the person my dog thinks I am" - Dawn Ewing
    "If you must know. Yes, I do enjoy running after the dog sled when I fall off" - Me

    www.huskyzone.com -- Woodland Siberians

  • #2
    Mega-ultimate member (joined Jun 2002, Winona, MN, 1,855 posts)
    I think that so long as you properly filter all of your form input, you should be ok. Spammers will usually try to inject some type of header information into a form field to try to trick the mail function into sending out spam. Check the input for things like "Content-type" and "\r\n", and other common email header information. If it's in any of the fields, spit back a "Spammer attempt logged" error message and kill (die()) the script.
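The following is an added example, not code from either poster. It implements the six-step flow described in post #1 and the header-injection check recommended in post #2 in one PHP handler. It assumes a PDO connection and a hypothetical `users` table with columns `email`, `question_id`, `answer_hash` and `password_hash`, where both hashes were produced with `password_hash()`; the sender address `noreply@example.com` and the `$db` connection string in the usage comment are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's own code. Assumptions: a PDO connection and a
// hypothetical `users` table (email, question_id, answer_hash, password_hash),
// with answer_hash and password_hash created by password_hash().

/**
 * The check post #2 recommends: refuse any value that carries CR, LF or NUL
 * (the only way to begin a new mail header) or a header-like token such as
 * "Content-Type:" or "Bcc:".
 */
function hasHeaderInjection(string $value): bool
{
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        return true;
    }
    return preg_match('/(?:^|\s)(?:content-type|mime-version|bcc|cc|to|from)\s*:/i', $value) === 1;
}

/** Step 2: accept exactly one syntactically valid mailbox, otherwise null. */
function normaliseEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254 || hasHeaderInjection($email)) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function handleReset(PDO $db, array $post): void
{
    $email      = normaliseEmail((string) ($post['email'] ?? ''));
    // Step 3: the question is one of six, so it is validated as an integer in 1..6.
    $questionId = filter_var($post['question'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 6]]);
    // Step 4: the answer is only ever compared against a hash, never sent anywhere.
    $answer     = trim((string) ($post['answer'] ?? ''));

    if ($email === null || $questionId === false || $answer === '') {
        // Post #2's "spammer attempt logged" path: log it and stop the script.
        error_log('password reset: malformed input rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        exit('Invalid request.');
    }

    // Step 5: parameterised lookup, so the address cannot alter the query either.
    $stmt = $db->prepare('SELECT question_id, answer_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        exit('That e-mail address is not registered.');
    }

    // Step 6: check question and answer; the stored answer is a hash, not plain text.
    if ((int) $row['question_id'] === $questionId && password_verify($answer, $row['answer_hash'])) {
        // Step 6a: random temporary password; only its hash is stored.
        $newPassword = bin2hex(random_bytes(8));
        $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE email = :email');
        $upd->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':email' => $email]);
        $body = "Your password has been reset to: {$newPassword}\nLog in and change it straight away.";
    } else {
        // Step 6b: wrong question or answer; tell the account holder, change nothing.
        $body = "A password reset was requested for this account but the security question "
              . "was answered incorrectly.\nNo changes were made.";
    }

    sendNotice($email, 'Password reset request', $body);
}

/**
 * The only form-derived value that reaches mail() is the recipient, and it has
 * already passed normaliseEmail(); every header is a constant string.
 */
function sendNotice(string $to, string $subject, string $body): bool
{
    $headers = "From: noreply@example.com\r\n"          // placeholder sender
             . "Content-Type: text/plain; charset=UTF-8";
    return mail($to, $subject, $body, $headers);
}

// Usage (constructed): wire the handler to the form's POST request.
// $db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { handleReset($db, $_POST); }
```

Two design points worth noting. First, the `\r\n` and `Content-type` check from post #2 matters only for values that end up in `mail()`; here that is the recipient alone, and it is validated before the database lookup, so a hidden cc address is rejected before it can be looked up, let alone mailed to. Second, the flow as post #1 describes it answers differently depending on whether the address is in the user table, which tells a visitor which addresses have accounts; if that is a concern, return the same message in both cases and put the distinction only in the e-mail.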

