I am wondering if there is any potential security risk from the following code. I use this on my blog whenever a user submits a comment, it will send me a text message:
mail('cellnumber@messaging.sprintpcs.com', '',
"Comment posted by $name: $comment",
"From: comments@example.com");
Where $name and $comment are user-entered values that haven’t really been sanitized in any way. Is there any possibility that a user could do anything malicious here? The mail() documentation doesn’t say anything about this, but it just feels wrong to stick user-entered values directly into a string. Is there any real risk or am I just being paranoid?
As long as all user stuff is kept in the mail body, then there is no risk of injection.
However, as soon as a user can affect mail headers, then they can inject extra headers and do things like use it to spam arbitrary e-mail addresses or include a completely different message – including attachments.
If you check for newlines in the parts that affect the headers, and reject if it appears, then that should be enough. The SMTP standard uses CRLF to separate the header lines, but AFAIK, many Unix-based servers want you to only use LF (because that’s the native line separator on those systems). The mail relayer then converts it when sending it further upstream.
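The check the answer describes, written out as an added example (not code from the question or the answer): header-bound values are rejected if they contain a CR or LF, while body-bound values are left alone. The `notify_comment()` function and the `$subject` line are assumptions for illustration; the original call kept the subject empty.

```php
<?php
// Added example: a header value is one line, so any CR or LF in a
// user-supplied value lets the user start a new header (Bcc:, Content-Type:,
// or a blank line followed by a whole new body). Reject both characters,
// because servers may treat a bare LF as a line break just like CRLF.
function headerSafe(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Throw instead of silently stripping, so an injection attempt is visible
// in the application log rather than quietly "fixed".
function requireHeaderSafe(string $value, string $field): string
{
    if (!headerSafe($value)) {
        throw new InvalidArgumentException("CR or LF not allowed in $field");
    }
    return $value;
}

// Hypothetical variant of the original call that also puts $name in the
// Subject header; the body keeps the unchecked values, which is harmless.
function notifyComment(string $to, string $name, string $comment): bool
{
    $subject = 'Comment by ' . requireHeaderSafe($name, 'Subject');
    $headers = "From: comments@example.com";   // fixed, not user-controlled
    return mail($to, $subject, "Comment posted by $name: $comment", $headers);
}

// Constructed inputs for demonstration.
$plain    = 'Alice';
$injected = "Alice\r\nBcc: someone@example.net";   // would add a Bcc header

var_dump(headerSafe($plain));     // bool(true)
var_dump(headerSafe($injected));  // bool(false)
try {
    requireHeaderSafe($injected, 'Subject');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // CR or LF not allowed in Subject
}
```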