Regardless if mail() takes precautions you should also check input prior to trusting it.
Note: If mail does or doesn't, if it changes in the future you are covered if you always check.

I would suggest a simple addslashes and the (shell/sendmail) will be fine, OR better still do an array with a callback, either removal or addslashes equiv.

Timothy Hitchens (HiTCHO)
[EMAIL PROTECTED]

If you need PHP hosting with an experienced support team 24/7 then email me today.

On Sat, 28 Dec 2002, Beth Gore wrote:

> Hi,
>
> If I'm taking a URL as user input from a form, and then emailing
> that URL back to them as part of a larger message, how do I ensure that
> no-one sends anything strange to run shell commands through sendmail?
>
> Could anyone confirm that mail() or even sendmail does take precautions
> against shell commands being executed in the message body of the email?
>
> If not, is there an easy way to remove everything except
> ":","/",".","a-Z","0-9"? I've written very complicated things in the
> past and I'm sure there must be an easier way!!!
>
> I've already made sure it's not possible to abuse sendmail with the
> user's email address, but I'm still nervous.
>
> Thanks!
>
> --
> Beth Gore
> http://www.habitformer.co.uk
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
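
An added example, not part of the thread: the character allowlist from the question written as a removal callback applied over an array of inputs, as the reply suggests, next to a stricter check that rejects a value instead of repairing it. Function names, field names and the sample input are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names, field names
// and the sample input are hypothetical.

// Removal callback: keep only ":", "/", ".", letters and digits.
function keep_url_chars(string $value): string
{
    return preg_replace('/[^A-Za-z0-9:\/.]/', '', $value) ?? '';
}

// Stricter check: the value must already consist of allowed characters
// and have the shape of an http(s) URL; otherwise it is rejected.
// Hyphens in host names fail here because the question's set omits "-".
function is_plain_url(string $value): bool
{
    return keep_url_chars($value) === $value
        && preg_match('#^https?://[A-Za-z0-9.]+(:[0-9]+)?(/[A-Za-z0-9/.]*)?$#', $value) === 1;
}

// Constructed form input standing in for $_POST.
$form = [
    'url'      => 'http://www.example.com/page.html',
    'referrer' => "http://www.example.com/a.html; echo x `date`\n",
];

// Apply the removal callback to every field in one pass.
$stripped = array_map('keep_url_chars', $form);

foreach ($form as $field => $raw) {
    printf("%-8s stripped=%s accepted=%s\n",
        $field, $stripped[$field], is_plain_url($raw) ? 'yes' : 'no');
}

// Only a value that passed the check goes into the message body.
// $to is assumed to have been validated separately, as in the question.
$to = 'user@example.com'; // placeholder recipient
if (is_plain_url($form['url'])) {
    $body = "You submitted this address:\n" . $form['url'] . "\n";
    // mail($to, 'Your link', $body); // commented out so the example runs offline
    echo $body;
}
```

Stripping can turn a rejected value into something that merely looks valid, so the accept/reject decision is made on the raw input, not on the stripped copy.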