About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


Ask Chris Is Back

It's been a few months since Episode One, but thanks to Marcus, Ask Chris is back on the air. The format is a bit different - instead of doing separate shows, we'll be doing a short segment at the end of each interview.

This interview is with David Sklar of Ning. He and Marcus discuss Ning, of course, but David also provides some good perspective on the state of technology and how the definition of a programmer is becoming more and more inclusive.

This episode of Ask Chris is about email injection, a topic of growing concern for PHP developers. We recorded this immediately after I had returned from a trip, so hopefully I don't sound too weary. If you have any questions you'd like to have answered or topics you want me to discuss with Marcus, please leave a comment here or contact him directly.

Thanks for listening!

About this post

Ask Chris Is Back was posted on Sun, 26 Feb 2006. If you liked it, follow me on Twitter or share:

5 comments

1.Dean Wood said:

You didn't specifically mention it in the broadcast but isn't the Subject parameter of mail() a target for header injection as well as the fourth parameter?

Mon, 27 Feb 2006 at 08:08:21 GMT Link


2.Chris Shiflett said:

Hi Dean,

No, that shouldn't be possible. The first two arguments to mail() correspond directly to the To and Subject headers, respectively. To my knowledge, there is no way to inject any additional headers using these arguments - all you can do is modify the headers. The To header is only problematic because an attacker can pass a list of addresses.

If you try it yourself, you should find that even with carriage returns and newlines, the only thing you can modify with the second argument is the Subject header - nothing else.

That being said, I personally don't rely on this and check everything I receive from an outside source.

Mon, 27 Feb 2006 at 14:19:04 GMT Link


3.Luke Welling said:

I have an Ask Chris topic. Is shared hosting security an oxymoron?

Tue, 28 Feb 2006 at 01:25:40 GMT Link


4.James Benson said:

Very Interesting, when is your next show?

Thu, 29 Jun 2006 at 23:18:51 GMT Link


5.Erich said:

Hi Chris,

your comment is 2 years ago (27 Feb 2006) and in the meantime it seems possible to inject headers through the "subject"-parameter by using a bug in PHP.

see:

http://www.php-security.org/MOPB/MOPB-34-2007.html

Wed, 19 Mar 2008 at 15:31:11 GMT Link


Hello! What’s your name?

Want to comment? Please connect with Twitter to join the discussion.