Even when doing everything correctly, it’s still possible to build PHP applications that are insecure. Security requires constant vigilance. One thing you always have to keep your eye on is any script or form that sends an email based on user input.

Many applications written in PHP use the built-in mail() function to respond to user input by triggering an email.

Do not blindly send mail using information entered into a form.

As we’ve discussed in other tips on PHP security, you have to make sure you properly filter and validate your user input. If you do not properly filter your input, it becomes easy for someone to perform an email header injection and spam thousands of people before you even notice.
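As an added example (not code from the original post), here is the unsafe pattern next to a hardened version of the same contact-form handler; the function names, the form field names and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: vulnerable mail() call beside a hardened one.
// Function names, form fields and sample values are assumptions.

// VULNERABLE: form values are copied straight into the header block.
// A value that contains a line break is not confined to its own
// header line, so the submitter controls additional headers.
function send_contact_unsafe(array $post): bool
{
    $headers = "From: " . $post['email'] . "\r\n";
    return mail('webmaster@example.com', $post['subject'], $post['message'], $headers);
}

// HARDENED: validate the address, refuse any header field that
// contains a line break, and only then hand the values to mail().
function header_value_is_clean(string $value): bool
{
    // CR, LF and NUL are the characters that let a value escape its header line.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function send_contact_safe(array $post): bool
{
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = trim($post['subject'] ?? '');
    $message = $post['message'] ?? '';

    if ($email === false || !header_value_is_clean($subject)) {
        // Reject rather than "clean up" the value: a refused submission is
        // a useful log signal that someone is probing the form.
        error_log('contact form: rejected input that would alter mail headers');
        return false;
    }

    // Only the validated address reaches a header; the body stays free text.
    $headers = "From: " . $email . "\r\n";
    return mail('webmaster@example.com', $subject, $message, $headers);
}

// Constructed inputs: one ordinary submission, one carrying a line break.
$clean = ['email' => 'alice@example.org', 'subject' => 'Hello', 'message' => 'Hi'];
$probe = ['email' => "alice@example.org\r\nX-Injected: yes", 'subject' => 'Hello', 'message' => 'Hi'];

foreach ([$clean, $probe] as $input) {
    echo header_value_is_clean($input['email']) ? "accepted\n" : "rejected\n";
}
```

The same check applies to every value that ends up in a header (From, Reply-To, Subject); the message body can contain line breaks freely because it sits below the blank line that ends the headers.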

For further reading on email header injection, I recommend this page at securephpwiki.com.
