Learn how simply using the email address entered in an online form as the return address leaves sites open to one of the most commonly exploited attacks. This video covers a golden oldie that deserves retelling time and time again.
- [Instructor] Hi, I'm David Powers, and welcome to this week's edition of PHP tips, tricks and techniques, designed to help you become a smarter, more productive PHP developer. Email header injection is one of the oldest malicious exploits of online forms. Unfortunately, it's also a trap that inexperienced PHP developers frequently fall into. This script, which you can download in the exercise files for this video, is typical of the poorly written code that I've come across time and time again.

It begins by assigning values submitted through the post array to simple variables. Then it builds the body of an email message, and then uses the mail function to send the message. The problem lies in here: in the fourth argument and the way that it's being used. This argument allows you to set additional headers to be added to the email. Now, there are several things that are wrong with this, but the most important is that email. That's unfiltered input that's come from the online form, and it's being inserted directly into the email headers.
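As an added illustration, not the course's exercise file, the following PHP shows the pattern the video describes (the submitted address copied straight into the extra-headers argument of mail()) beside a hardened version that validates the address and keeps a fixed From. The form fields, addresses and the CR/LF test input are constructed for the demo.

```php
<?php
// Constructed form submissions: one honest, one carrying CR/LF so that,
// if copied verbatim, the trailing text would become a new header line.
$honest  = ['email' => 'alice@example.com', 'comments' => 'Hello'];
$tainted = ['email' => "eve@example.com\r\nBcc: someone@example.net", 'comments' => 'Hi'];

// Vulnerable: whatever the visitor typed lands inside the header block.
function buildHeadersUnsafe(array $post): string
{
    $email = $post['email'];
    return "From: $email\r\nReply-To: $email\r\n";
}

// Hardened: accept only a single bare address. FILTER_VALIDATE_EMAIL refuses
// CR, LF and whitespace; the explicit check keeps the intent visible.
function safeEmail(string $input): ?string
{
    $email = trim($input);
    if (preg_match('/[\r\n]/', $email)) {
        return null;                    // header injection attempt, reject
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function buildHeadersSafe(array $post): ?string
{
    $email = safeEmail($post['email'] ?? '');
    if ($email === null) {
        return null;
    }
    // The sender is a fixed, site-owned address; the visitor's address only
    // ever appears as Reply-To, and only after validation.
    return "From: webmaster@example.com\r\nReply-To: $email\r\n";
}

foreach ([$honest, $tainted] as $post) {
    $headers = buildHeadersSafe($post);
    if ($headers === null) {
        echo 'Rejected submission: ', json_encode($post['email']), "\n";
        continue;
    }
    // mail('admin@example.com', 'Feedback', $post['comments'], $headers);
    echo "Would send with headers:\n", $headers;
}
```

Running this accepts the first submission and rejects the second before mail() is ever reached, which is the check the script in the video is missing.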
Note: The exercise files are free to all members. The code is commented to enhance your learning, but you will need database connectivity for some files to run as intended.