Posted: Sun Jan 15, 2006 10:34 am
matthijs wrote:
The examples are from http://securephp.damonkohler.com/index. ... _Injection.

Glancing through this article, it looks like the encoded values are used as an example of injecting GET data. The actual data is not encoded. In other words, someone might visit your site with a URL similar to the following:

Code:
http://host/email.php?headers=From:+sender@example.org%0ABCC:+victim@example.org

matthijs wrote:
My guess is that it has something to do with the PHP settings on my server, because your example doesn't produce the results I expect either.

I meant to point out that it doesn't work in order to help clarify the issue. Sorry if I just made things worse. :-)

The following should be a working example:

Code:
<?php
// The "\n" inside the headers argument ends the From: line, so BCC: is
// handed to the MTA as a second header.
mail('anyone@example.org',
     'My Evil Test',
     'My Evil Message',
     "From: sender@example.org\nBCC: you@example.org");
?>
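For the defending side of the same issue, here is an added example (my own, not code from the post or from the linked article) that checks a header value from the query string before it reaches mail(); the function name and the $_GET parameter are assumptions.

```php
<?php
// Build a single mail header line from untrusted input, refusing anything
// that could start a second header. Function name is hypothetical.
function safe_header_line(string $name, string $value): string
{
    // A header value must never contain CR or LF: that is exactly what the
    // %0A in ?headers=From:+sender@example.org%0ABCC:+victim@example.org
    // relies on to smuggle a BCC: line into the headers argument of mail().
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("$name header contains a line break");
    }
    // For address headers, additionally require a syntactically valid address.
    if (in_array($name, ['From', 'Reply-To'], true)
        && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("$name header is not a valid address");
    }
    return "$name: $value";
}

// Constructed inputs standing in for $_GET['from']; the second one is the
// decoded form of the injected URL discussed above.
$inputs = [
    'sender@example.org',
    "sender@example.org\nBCC: victim@example.org",
];

foreach ($inputs as $from) {
    try {
        $headers = safe_header_line('From', $from);
        // Only a clean, single-line From: header ever reaches mail().
        mail('anyone@example.org', 'Contact form', 'Message body', $headers);
        echo "sent with header: $headers\n";
    } catch (InvalidArgumentException $e) {
        // Log and drop the request instead of sending.
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
?>
```

The first input is sent; the second is rejected before mail() is called, so no BCC: recipient is ever added.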