I have a comments form on my site and I wanted to check that nothing bad could be inserted. Is this good enough?
<?php
// Characters that are stripped out of the user-supplied fields
$invalidChars = array("/", "\\", "\"", ";");

// Email to send to
$email = "my@email.com";

// The subject: taken from the posted name, with the listed characters removed
// ($_POST['name'] ?? '' avoids an undefined-index notice when the field is missing)
$subject2 = $_POST['name'] ?? '';
$subject = str_replace($invalidChars, "", $subject2);

// The message: taken from the posted comment, same character removal
$comment2 = $_POST['comment'] ?? '';
$comment = str_replace($invalidChars, "", $comment2);

// Email from: a fixed address, not taken from the form
$emailfrom2 = "me@email.com";
$emailfrom = str_replace($invalidChars, "", $emailfrom2);

// $emailfrom2 is hard-coded and contains none of the stripped characters,
// so this first comparison always succeeds
if ($emailfrom2 == $emailfrom) {
    // Only send when the stripping changed nothing in the subject
    if ($subject2 == $subject) {
        mail($email, $subject, $comment, "From: $emailfrom");
        echo "Sending your comment,";
?>
<meta http-equiv="REFRESH" content="0; URL=thankyou.php">
<?php
    } else {
        echo 'Your details were invalid, please go back and try again.';
    }
} else {
    echo 'Your details were invalid, please go back and try again.';
}
?>

Also, can anyone explain how "code injection" works? I think I understand, but would like a professional opinion.
Thanks,
Ben
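The handler above takes the validate-by-stripping approach: it removes four characters and then checks whether anything was removed. The difference between that and what a reviewer would usually want is shown in the following added example, which is not the poster's code and was written for this reply. It treats each value according to where it ends up (the name becomes a mail header line, the comment becomes the body), rejects rather than silently rewrites input that does not fit that destination, keeps the From address fixed server-side, and escapes the value for HTML when it is displayed again. That is also the short answer to the "code injection" question: injection happens when user data is placed into a context (a mail header, a shell command, an SQL statement, an HTML page) where some of its characters are interpreted as structure rather than as data; the defence is to validate for the destination and encode for the destination, not to maintain a list of "bad" characters. The function names, the sample requests and the `X-Test:` line in the rejected request are all constructed for this example.

```php
<?php
// Added example (not the poster's code): validation for a comment form that is
// specific to where each value is used. Function and variable names are this
// example's own; the sample requests below are constructed, not real submissions.

declare(strict_types=1);

/**
 * A mail header value must be exactly one line: no CR, LF or NUL, and a sane
 * length. Returns true only when the value can be placed in a header as-is.
 */
function is_safe_header_value(string $value, int $maxLen = 200): bool
{
    if ($value === '' || strlen($value) > $maxLen) {
        return false;
    }
    // preg_match returns 1 when a forbidden control character is present
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/**
 * Validate the user-controlled fields. Returns an empty array when everything
 * is acceptable, otherwise a list of messages to show the user.
 */
function validate_comment_form(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));

    // The name goes into the Subject header, so it must be a clean single line.
    if (!is_safe_header_value($name, 100)) {
        $errors[] = 'Name is missing, too long, or contains line breaks.';
    }
    // The comment is the message body: line breaks are fine there, but an
    // empty, oversized, or NUL-containing body is never legitimate.
    if ($comment === '' || strlen($comment) > 5000 || strpos($comment, "\0") !== false) {
        $errors[] = 'Comment is missing, too long, or contains invalid characters.';
    }
    return $errors;
}

/**
 * Build the arguments that would be handed to mail() without sending anything,
 * so the logic can be exercised offline. The From address is a server-side
 * constant checked once with filter_var; it is never taken from the request.
 */
function build_mail_parts(array $post, string $to, string $from): ?array
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null; // misconfiguration on our side, not a user error
    }
    if (validate_comment_form($post) !== []) {
        return null; // caller shows the messages from validate_comment_form()
    }
    $name = trim((string)$post['name']);
    return [
        'to'      => $to,
        'subject' => 'Site comment from ' . $name,
        'body'    => trim((string)$post['comment']),
        'headers' => "From: $from\r\n",
    ];
}

// --- Constructed sample requests ---
$goodRequest = ['name' => 'Ben', 'comment' => 'Nice site!'];
$badRequest  = ['name' => "Ben\r\nX-Test: injected", 'comment' => 'Hello'];

$parts = build_mail_parts($goodRequest, 'my@email.com', 'me@email.com');
echo $parts === null ? "good request rejected?!\n"
                     : "good request accepted, subject: {$parts['subject']}\n";

$parts = build_mail_parts($badRequest, 'my@email.com', 'me@email.com');
echo $parts === null ? "request with a line break in the name rejected\n"
                     : "line break slipped through!\n";

// When the name is echoed back on a page it enters a new context (HTML), so it
// is encoded for that context at the point of output, not "cleaned" on input.
echo htmlspecialchars($goodRequest['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it from the command line with `php example.php`; the real handler would call `mail($parts['to'], $parts['subject'], $parts['body'], $parts['headers'])` only when `build_mail_parts()` returns an array. Note that nothing is stripped anywhere: a value either fits its destination or the request is refused with a message, which is both easier to reason about and harder to get wrong than a list of characters to delete.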