Comment Re:Oracle and its security record (Score 1) 162
You said PHP's mail function is vulnerable even when hard-coding everything but the body. Email injections are possible because the attackers are able to modify the string being passed to the email header. This is NOT a PHP problem but rather an SMTP problem. Poorly written scripts are the problem.
I don't speak Hungarian. But the link you posted has the following code:
mail("ideirj@szerver.hu", "Hibabjelentes", $message, "From \"$_POST[nick]
It clearly allows posted data in the header. Not your claim that "everything hard-coded but the body" is still vulnerable. The header, recipient, and subject arguments are subject to injection because they all become part of an SMTP header, but the body is not!
The other link you provided, is that a joke?
Googling for it, a decent article I've got is this: http://securephp.damonkohler.com/index.php/Email_Injection
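
An added example, not part of the comment above or of the pages it links to: the same kind of mail() call with the user-supplied nick checked before it reaches the header argument, while recipient and subject stay fixed and only the body is passed through. The helper names and the example.com addresses are assumptions made up for this sketch.

```php
<?php
// Added example: hypothetical helper names; addresses are constructed placeholders.

// A value destined for a header argument of mail() must not contain
// CR, LF or NUL, since those would terminate the current header line.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Build the From header from a user-supplied display name, or return null.
function build_from_header(string $nick, string $fromAddr): ?string
{
    if (!is_header_safe($nick) || !filter_var($fromAddr, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    // Escape backslashes, then quotes, so the name stays inside the quoted string.
    $nick = str_replace(['\\', '"'], ['\\\\', '\\"'], $nick);
    return "From: \"$nick\" <$fromAddr>";
}

// Recipient and subject are fixed; only the body and the display name
// come from the user, and the display name is validated first.
function send_report(string $nick, string $message): bool
{
    $from = build_from_header($nick, 'noreply@example.com');
    if ($from === null) {
        return false; // refuse the request instead of trying to clean the value
    }
    return mail('reports@example.com', 'Bug report', $message, $from);
}

// Constructed inputs: the second carries a CRLF followed by an extra header line.
$samples = [
    'plain'    => 'alice',
    'injected' => "alice\r\nX-Injected: 1",
    'quoted'   => 'al"ice',
];
foreach ($samples as $label => $nick) {
    $header = build_from_header($nick, 'noreply@example.com');
    echo $label, ': ', $header === null ? 'rejected' : $header, "\n";
}
```

The loop at the end only builds headers and prints them, so the script runs without sending any mail.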