I'm new to stackoverflow and couldn't find an answer to my question which is; How do I secure my mail() code in php to prevent people from adding bcc which would ultimatly result in mass mailing? My website uses the PHP mail() service to email me when a new comment has been entered in my site. What is the best way to prevent people tampering with it, such as removing the bcc? What I have so far is:
function mres($input){
if (get_magic_quotes_gpc()){
$input = stripslashes($input);
}
return mysql_real_escape_string($input);
}
$name = strip_tags(mres($_POST['name']));
$comment = strip_tags(mres($_POST['comment']));
$to = 'myself@gmail.com';
$subject = 'Website - comment';
$body = 'A new comment has been entered on the website.'."
"."$name".' said: '."
"."$comment";
mail($to,$subject,$body);
Assuming that this code is followed by:
mail($to, $subject, $body);
Then it's safe, if overkill -- the only arguments to mail() which are vulnerable to injection are the ones that control header fields ($to, $subject, and $additional_headers). strip_tags and mysql_real_escape_string are both unnecessary, and the latter will make apostrophes show up as \' in your email.
If there's no following call to mail(), then it's trivially safe, because it doesn't do anything. :)
I would look at something like http://mailgun.com/
As it is, your mail will often end up in people's spam if you just use mail()