Is there any risk of injection in PHP's mail() function?

Dan-uk

New Member
I am wondering if there is any potential security risk from the following code. I use this on my blog: whenever a user submits a comment, it will send me a text message:

[code]mail('[email protected]', '', "Comment posted by $name: $comment", "From: [email protected]");[/code]

where [code]$name[/code] and [code]$comment[/code] are user-entered values that haven't really been sanitized in any way. Is there any possibility that a user could do anything malicious here? The mail() documentation doesn't say anything about this, but it just feels wrong to stick user-entered values directly into a string. Is there any real risk, or am I just being paranoid?
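Added example, not from the thread and not anyone's production code: a small PHP script that models how mail() hands a message to sendmail (the fixed To and Subject lines, then the additional headers, a blank line, then the body) and shows where a comment containing a CRLF ends up depending on which argument it reaches. The helper names, the example.com addresses and the attacker string are constructed for this illustration; nothing here calls mail() itself, so it runs without a mail server.

```php
<?php
// Added example (not the original poster's code). Simplified model of the
// message mail() writes to sendmail: headers, blank line, body. The real
// implementation differs in details, but the header/body split is the point.
function build_raw_message(string $to, string $subject, string $body, string $extraHeaders): string
{
    return "To: $to\r\nSubject: $subject\r\n$extraHeaders\r\n\r\n$body";
}

// Count header lines, i.e. everything before the first blank line.
function header_line_count(string $raw): int
{
    $headers = explode("\r\n\r\n", $raw, 2)[0];
    return count(explode("\r\n", $headers));
}

// Hardening for any value that is about to become part of a header:
// a header value must be a single line, so CR or LF is always an attack.
function assert_single_line(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('CR/LF not allowed in a mail header value');
    }
    return $value;
}

// Constructed attacker input: a comment that tries to append a Bcc header.
$comment = "nice post\r\nBcc: victim@example.com";

// 1. The pattern from the post: user input only in the body, headers fixed.
$raw = build_raw_message('me@example.com', '', "Comment posted by bob: $comment", "From: blog@example.com");
// The injected "Bcc:" line sits after the blank line, so it is body text, not a header.
echo header_line_count($raw), "\n"; // 3

// 2. The same input used as a header value, e.g. a Reply-To built from user data.
$raw = build_raw_message('me@example.com', '', 'body', "From: blog@example.com\r\nReply-To: $comment");
echo header_line_count($raw), "\n"; // 5: the Bcc line is now a real header

// 3. Hardened: refuse the value before it can reach mail()'s header argument.
try {
    $replyTo = assert_single_line($comment);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Applied to the code in the post: $name and $comment only ever reach the message argument, which sendmail reads after the blank line, and the From header is a fixed string, so a commenter cannot add recipients or other headers through that call. The same call becomes a header-injection problem the moment user input is placed in the $to, $subject or $additional_headers arguments (a Reply-To built from the commenter's e-mail address is the usual case), and the fifth $additional_params argument is appended to the sendmail command line and should never carry user data at all.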