Sharing technology, ideas, insights!
Call: +91 710 466 0336         Email: hello@sanisoft.com

Blog

Email component in CakePHP is now Header Injection safe

CakePHP does a lot of things automagically among this is sanitizing the SQL against SQL injection attacks.

In Cheesecake 1.x we had used our home grown component for sending emails. Having learned our lessons from the headaches of Pixelpost team due to email header injection attacks in their comment mailing code we had taken precautions to make our code safe from such attacks.

When we moved Cheesecake development to use CakePHP 1.2 we naturally wanted to use the Email component which comes bundled – however – a quick look at the code showed that the component could do with some automagic, to be more specific the component should make the params passed to it header injection safe on its own. Since it is a patently bad idea to mess with the framework code I filed an enhancement ticket which phpNut promptly incorporated in this changeset.

Hurrray! now app developers need not worry about email injection attacks or for that matter take any extra measures, just like the automagic which prevents SQL injection attacks

Thanks phpNut

About the Author

Amit Badkas is Zend certified PHP5 and Zend Framework engineer, and has been working in SANIsoft for past 10 years, his present designation is 'Technical Manager'

3 comments

  1. Pingback: PHPDeveloper.org

  2. Pingback: developercast.com » Sanisoft Blog: Email component in CakePHP is now Header Injection safe

Leave a Reply