You wrote:
> > This always works for me...
> >
> > eval ("\$message = \"$message\";");
>
> RED ALERT! SECURITY TO THE BRIDGE!
>
> "Captain, there's Klingons off the starboard bow!"
>
> Oh, sorry. Did I type that aloud? Sorry.
>
> If $message is a free-form email typed in by a potentially malicious
> user this looks pretty dangerous to me...
>
> Have you tried it with things like:
>
> $message = '";exec("/usr/bin/cat /etc/passwd");';
>
> Do *NOT* try this one, but if the above works, think what *THIS* would
> do!
> $message = '";exec("/usr/bin/rm -rf /");';

The e-mail script is for administration, so it's password protected. Do
you still see a problem? Do you have any better ideas?
--
-Ryan :: ICQ - 595003 :: GigaBoard - http://www.gigaboard.net/
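
On the "better ideas" question, an added example that is not part of the original thread: filling named placeholders from an explicit allowlist, so the message is only ever handled as data and never reaches eval(). The function name `render_message`, the `{name}` placeholder syntax and the sample values are assumptions, and the code assumes PHP 7 or later.

```php
<?php
// Added example: fill placeholders in a message without eval().
// render_message() and the {name} syntax are hypothetical, not from the thread.

/**
 * Replace {name}-style placeholders using an explicit allowlist of values.
 * The template is scanned once as plain text; nothing in it is executed,
 * and substituted values are not scanned again for further placeholders.
 */
function render_message(string $template, array $vars): string
{
    $out = preg_replace_callback(
        '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($vars): string {
            // Unknown placeholders are left exactly as typed.
            return array_key_exists($m[1], $vars) ? (string) $vars[$m[1]] : $m[0];
        },
        $template
    );

    // preg_replace_callback() returns null on a PCRE error; fall back to the input.
    return $out ?? $template;
}

// Constructed sample data.
$vars = ['name' => 'Alice', 'board' => 'GigaBoard'];

$template = 'Hello {name}, welcome to {board}. {unknown} stays as typed.';
echo render_message($template, $vars), "\n";

// The first string quoted in the thread passes through unchanged,
// because quotes and semicolons have no meaning to this function.
$quoted = '";exec("/usr/bin/cat /etc/passwd");';
var_dump(render_message($quoted, $vars) === $quoted);
```

Only the keys present in `$vars` can ever be substituted, so what a message can pull in is decided by the calling code, not by whoever typed the message.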