In the form above, a normal visitor fills in an email address and a description such as:
[
Test Message
]
A visitor can also submit values the developer did not expect:
- In the email address field, someone can enter ["abc@gmail.com;testabc.@gmail.com"]
- In the description textarea, a visitor can put a description like the one below
[
Test Message
CC: yet-another-email-addresses@example.com, etc-etc@example.com
]
Now look at what happens when we send the email through the PHP mail function:
- Two email addresses are stored in the database, i.e. [CC: another-email-address@example.com, yet-another-email-addresses@example.com, etc-etc@example.com]
- The email also goes to [yet-another-email-addresses@example.com, etc-etc@example.com]
- There may be other serious issues as well.
This type of issue is known as Email Injection: the visitor submits data that the developer does not expect, and that data ends up in the mail headers or recipient list.
Do the following to avoid Email Injection:
- Validate the email address
- Sanitize the description field
- Never trust user input
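The three rules above, as an added PHP example that is not code from the original post. It validates the address with filter_var, strips line breaks from anything that reaches a header, and keeps the description in the message body only; the function names and the owner@example.com destination are assumptions.

```php
<?php
// Added example, not code from the original post: validate and sanitize the
// two form fields before they reach mail(). Function names and the
// destination address are assumptions.

// Accept exactly one syntactically valid address. filter_var rejects
// "abc@gmail.com;testabc.@gmail.com" as well as any address containing
// CR/LF, so a second recipient or an extra header line cannot slip in.
function validate_email(string $email): ?string
{
    $email = trim($email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Any value placed in a header line (From:, Reply-To:, Subject:) must not
// contain line breaks: "\r\n" terminates a header, so an embedded
// "\r\nCC: ..." would add a CC header.
function header_safe(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

// The description goes only into the message body, never into the headers.
// Strip control characters (keeping tab and newline), normalise line endings,
// and drop lines that look like injected headers such as "CC: ...".
function sanitize_description(string $text): string
{
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
    $clean = [];
    foreach (preg_split('/\r\n|\r|\n/', $text) as $line) {
        if (preg_match('/^\s*(to|cc|bcc|from|subject|content-type)\s*:/i', $line)) {
            continue; // looks like an injected header line; discard it
        }
        $clean[] = $line;
    }
    return implode("\n", $clean);
}

function send_contact_mail(string $email, string $description): bool
{
    $from = validate_email($email);
    if ($from === null) {
        return false; // refuse to send instead of guessing an address
    }
    $headers = 'From: ' . header_safe($from) . "\r\n"
             . 'Reply-To: ' . header_safe($from) . "\r\n"
             . 'Content-Type: text/plain; charset=UTF-8';
    return mail('owner@example.com', 'Contact form', sanitize_description($description), $headers);
}
```

With this in place the address from the post ("abc@gmail.com;testabc.@gmail.com") is rejected outright, and the "CC:" line in the description never reaches the headers.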