Comments on: Is Your PHP Web-form Hacker Proof?

By: Rash

Rash — Sun, 15 Jul 2007 23:12:59 +0000

yes it is.

By: thompson

thompson — Wed, 11 Jul 2007 16:03:13 +0000

please i wanna learn how to hack credit cards i am thompson from usa new york 27 can u teach me or even send me some credi cards

By: Information Security

Information Security — Fri, 06 Jul 2007 02:00:08 +0000

Great article, it is good to see people learn from their mistakes and try an help others avoid problems. Keep up the good work.

By: Michi

Michi — Wed, 30 May 2007 17:38:29 +0000

I am fairly certain my solution is correct. I am not looking for the text string “backslash n” and “backslash r”, rather, I am looking for the converted equivalents. So if someone passed in those hex values, they would get converted into carriage returns and new lines before I look at them. In fact, never should I see the string text “0x0A” since at that point, it’s already converted into the \r or \n.

By: Mihai Roman

Mihai Roman — Wed, 30 May 2007 14:17:15 +0000

Hello,

I think this is not enough:
“$fromAddress = str_replace(array(“\r”, “\n”), “”, $formAddress);”

Instead of “\n” or “\n” someone might try to use the hexadecimal equivalent for those characters.
“\n” = 0x0A
“\r” = 0x0D
Still this isn’t enough, but for further reading I would also recommend the link you already provided.

By: ./blog » PHP mail() function security

./blog » PHP mail() function security — Mon, 21 May 2007 08:27:14 +0000

[...] Hmm, just a few days back i read this: http://www.michiknows.com/2007/05/14/is-your-php-web-form-hacker-proof/ [...]

By: Ambush Commander

Ambush Commander — Tue, 15 May 2007 20:44:24 +0000

The usual solution to mail() woes is to use a mailing library such as PHPMailer or, my personal favorite, SwiftMailer.