11-13-2006, 12:49 AM
I've set up a page to allow folks to reset their passwords and/or send themselves their user ID.
1. Form is displayed.
2. Must Enter E-Mail address.
3. Must select Security Question (1 of 6).
4. Must enter Security answer.
5. check E-Mail address to see if it is valid address in the user table.
(if not display error msg)

6. If valid E-Mail, check Security Question & Answer in user table.
- If Question and Answer are correct, reset the pw and use the php mail function to e-mail the new pw to the E-Mail address.
- If the Question or Answer is invalid, use the php mail function to e-mail that fact to the E-Mail address.

I will be passing the E-Mail address to php mail, but I figure since this was checked against the table that someone shouldn't be able to hide a cc address in the field.

Anything else I should worry about?

11-13-2006, 03:38 AM
I think that so long as you properly filter all of your form input, you should be ok. Spammers will usually try to inject some type of header information into a form field to try to trick the mail function into sending out spam. Check the input for things like "Content-type" and "\r\n", and other common email header information. If it's in any of the fields, spit back a "Spammer attempt logged" error message and kill (die()) the script.
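The flow from the original post, with the input filtering the reply recommends, as an added example (this is not code from either poster). It assumes a PDO connection `$db` and a `users` table with columns `email`, `question_id`, `answer_hash`, `password_hash` and `must_change`; those names, the `support@example.com` sender and the `handle_reset()`/`safe_email()` helpers are assumptions for illustration. It goes slightly beyond the thread in two ways: the recipient passed to `mail()` is always the address read back from the database row rather than the form field, and the response is the same whether or not the address exists, so the form does not reveal which addresses are on file.

```php
<?php
declare(strict_types=1);

/**
 * Return a clean single address or null. CR, LF and NUL are rejected
 * outright because they are what lets a form value become an extra
 * mail header (a hidden Cc:/Bcc:, a changed Content-type, and so on).
 */
function safe_email(string $raw): ?string
{
    $value = trim($raw);
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return null;                       // header injection attempt
    }
    if (strlen($value) > 254 || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not one well-formed address
    }
    return $value;
}

/** Header-like content in any field: log it, as the reply suggests. */
function looks_like_header_injection(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]|content-type:|bcc:|cc:|to:/i', $value) === 1;
}

/**
 * Steps 1-6 of the original post, hardened. Returns the text to show
 * the user; the same generic text is returned for unknown addresses,
 * wrong answers and successful resets.
 */
function handle_reset(PDO $db, array $post): string
{
    $rawEmail   = (string) ($post['email'] ?? '');
    $questionId = (int) ($post['question_id'] ?? 0);
    $answer     = trim((string) ($post['answer'] ?? ''));

    foreach ([$rawEmail, $answer] as $field) {
        if (looks_like_header_injection($field)) {
            error_log('reset form: header injection attempt logged');
            return 'Spammer attempt logged.';
        }
    }

    $email = safe_email($rawEmail);
    if ($email === null || $questionId < 1 || $questionId > 6 || $answer === '') {
        return 'Please check your entries and try again.';
    }

    $generic = 'If that address is on file, a message has been sent to it.';

    // Step 5: look the address up with a bound parameter.
    $stmt = $db->prepare('SELECT email, question_id, answer_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return $generic;                   // same answer as for a wrong question
    }

    // Step 6: answer stored as a password hash, normalised before checking.
    $answerOk = ((int) $user['question_id'] === $questionId)
        && password_verify(strtolower($answer), $user['answer_hash']);

    $from = "From: support@example.com\r\n";   // assumed sender address
    if (!$answerOk) {
        mail($user['email'], 'Password reset attempt',
             "Someone tried to reset your password and did not answer the security question correctly.\r\n",
             $from);
        return $generic;
    }

    // Random temporary password; only its hash is stored, and the user
    // must change it at next login.
    $newPassword = bin2hex(random_bytes(8));
    $upd = $db->prepare('UPDATE users SET password_hash = ?, must_change = 1 WHERE email = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $user['email']]);

    // Recipient comes from the database row, never from $_POST.
    mail($user['email'], 'Your temporary password',
         "Your temporary password is: {$newPassword}\r\nPlease change it after logging in.\r\n",
         $from);
    return $generic;
}
```

The two checks are deliberately separate: `looks_like_header_injection()` is the keyword scan the reply describes and is only a logging signal, while `safe_email()` is what actually prevents the injection, because once CR and LF are refused there is no way to start a second header line regardless of which keyword an attacker chooses.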