Hi, all -- I'd like some sanity checks on safely using input for sending mail. I'm developing a feature where one can click a 'mail this page' link, fill in the sender's and the recipient[s]'s addresses, and add comments in the body (eg "Hey, Bill, what do you think of this chair?") and then generate the email. I want to watch out for gotchas.
At the moment, I am running escapeshellcmd() on the From:, To:, Subject:, url, and body fields, and limiting the recipient field to 255 chars (enough for about half a dozen addresses, I figure) to prevent being used for massmailing (though I haven't yet figured out how to keep from being called repeatedly, but at least that's just as hard for the spammer as his own bandwidth limits). Unfortunately, escapeshellcmd() also escapes the ? and &s in the URL and breaks it; I think it will have to go away. I'm also ready to believe that I've overlooked half a dozen other things. How would you guys tackle this? TIA & HAND :-D -- David T-G [EMAIL PROTECTED] http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
pgp952nCnHrGX.pgp
Description: PGP signature
