Ron's Brain

Message Forums : News : I DON'T LIKE SPAM!

Associated URL: /news/625.html

Lutetium
02/19/2007 @ 22:23:54 EST

Will I have to know this for a test?

Ununtrium
02/19/2007 @ 23:03:09 EST

inciteful, thanks ron

Hydrogen
02/20/2007 @ 07:57:31 EST

Yes, there will be a test. You have sixty minutes. Start.

And thanks, duo.

(insightful)

Lutetium
02/20/2007 @ 09:25:13 EST

I know I got all incited just reading it!

Lutetium
02/20/2007 @ 09:32:05 EST

...and, I think this points out that mail() is a rubber stamp function that needs to be smarter. Think of all the bad contact forms that would be healed if they'd add even a basic parse for <CR>'s and other known exploits.

Terbium
02/20/2007 @ 09:46:13 EST

What, you mean the user will enter something other than they are supposed to? O M G! I can't believe that any user would do anything other than put in the told accepted values.
Now that the sarcasm is gone, I really can't believe that a standard code doesn't check for the correct type of input. Programming rule #1: Users are stupid and don't put in what you want them to. This rule is of course followed by rule #2: If you haven't saved and there is any value in your code, there will be a system failure.

Side note: I am really glad that I am going into stand-alone programs, none of this client and server crap. If you are really interested in what I want to do, I shall explain for you. Basically I want to write software for theoretical physics and/or advanced mathematics, like Mathematica.

Hydrogen
02/20/2007 @ 21:03:55 EST

Don't think you're immune to input validation. Physics and mathematics are domains for which solutions are hard, known, and verifiable, so any input assumptions will show flaws right away. Modulus of a non-integer? Factorial of a negative number? Inverse of a singular matrix?

It's all just a matter of understanding the problem set and knowing how all the gears work.

Hydrogen
02/20/2007 @ 21:52:56 EST

Also, FABombjoy, in the manual page for PHP's mail() you'll see that the fourth parameter ($additional_headers) is expecting that "Multiple extra headers should be separated with a CRLF (\r\n)". It's designed to be exploitable, in my opinion. A better option for this would be to have the fourth parameter be a set of key-value pairs that identify additional parameters, rejecting any key or value that contains a carriage return.

And, that last parameter of $additional_parameters really gives me the heebie jeebies.
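The key-value idea from the post above, as an added example that is not from the thread or from PHP itself: a small wrapper builds the CRLF-joined string that mail()'s fourth parameter expects and refuses any name or value carrying a line break, so a contact-form field cannot start a new header. The function and exception names are this example's own.

```php
<?php
// Added example: construct mail()'s $additional_headers from key-value pairs,
// rejecting any header name or value that contains CR, LF or NUL.
// HeaderInjectionException and the function names are hypothetical.

final class HeaderInjectionException extends InvalidArgumentException {}

/** True when the string cannot terminate the current header line. */
function is_clean_header_part(string $s): bool
{
    return preg_match('/[\r\n\0]/', $s) === 0;
}

/**
 * Build the "Name: value\r\nName: value" string from an associative array.
 * Throws instead of silently stripping so the caller can log the attempt.
 */
function build_additional_headers(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        // Header field names are a restricted token (letters, digits, hyphen).
        if (preg_match('/^[A-Za-z0-9-]+$/', $name) !== 1) {
            throw new HeaderInjectionException('Bad header name: ' . bin2hex($name));
        }
        if (!is_clean_header_part($value)) {
            throw new HeaderInjectionException("Line break in header '$name'");
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

// Well-formed form input: produces "From: ...\r\nReply-To: ..." for mail().
$headers = build_additional_headers([
    'From'     => 'visitor@example.invalid',
    'Reply-To' => 'visitor@example.invalid',
]);
// mail($to, $subject, $body, $headers);

// Constructed form input with an embedded line break: rejected, not sent.
try {
    build_additional_headers(['From' => "visitor@example.invalid\r\nX-Injected: constructed"]);
} catch (HeaderInjectionException $e) {
    error_log('Rejected mail header: ' . $e->getMessage());
}
```

The fifth argument ($additional_parameters) is handed to the local sendmail command line, so it should be a fixed string chosen by the application and never built from request data.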

Lutetium
02/21/2007 @ 08:24:14 EST

Yeah, I like the key->value idea. If you have to pass an SMTP friendly string to the function anyway, it should be called smtp_mail(). Something something fully abstracted function something something.

Uranium
02/21/2007 @ 09:31:16 EST

Hmm, I concur.

Lutetium
02/21/2007 @ 11:58:54 EST

Sorry, that last part got fuzzy. What I really wanted to say was a combination of "the spirit of open source" and "eventual SMTP replacement (yah right)" and "thousands of man-hours rewriting code" and stuff and junk like that.

I like PHP - I think it's like a beautiful city with tons of cool things to do, but every once in a while you turn a corner and there's a black hole that sucks the change out of your pocket.

Hafnium
02/22/2007 @ 11:25:50 EST

You could always order the spam egg sausage and spam. That's not got much spam in it.
