security

Why not to use remove link

This is my experience: I had to rewrite an administration page where
there was a remove button (in a form) with only a JavaScript confirm.

I thought: "No one had a problem with no limitation in the past, why
should they now? I'll use a link with a JavaScript confirm."

It happened that I had a dashboard page listing the last entries, with
links to update and delete them. A few days later, 20 entries were
deleted, and I spent a whole day looking for what caused the problem.
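A link is a plain GET request, so anything that follows links can fire it; a delete that only works through a POST form carrying a per-session token cannot be triggered that way. The following is an added example of that pattern, not the author's page: it assumes a file delete.php, a session key csrf_token, a dashboard.php to redirect to, and a delete_entry() function standing in for the real database call.

```php
<?php
// Added example (not the author's code). The delete action is only reachable
// through a POST form that carries a per-session CSRF token; a GET request
// (a link, a prefetch, a crawler) never reaches delete_entry().
// Assumed names: delete.php, $_SESSION['csrf_token'], dashboard.php, delete_entry().
session_start();

if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Stand-in for the real delete query (assumption).
function delete_entry(int $id): void
{
    // e.g. $pdo->prepare('DELETE FROM entries WHERE id = ?')->execute([$id]);
}

// Validate a POSTed delete request; returns true only if the row was deleted.
function delete_from_post(array $post, string $sessionToken): bool
{
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        http_response_code(403);   // form did not come from this session
        return false;
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // not a usable entry id
        return false;
    }
    delete_entry($id);
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (delete_from_post($_POST, $_SESSION['csrf_token'])) {
        header('Location: dashboard.php');
    }
    exit;
}

// Any other method falls through to rendering the dashboard row. The delete
// control is a form, not a link; the JavaScript confirm is kept for the user
// but is no longer the only protection.
$id = 42; // constructed sample entry id
?>
<form method="post" action="delete.php"
      onsubmit="return confirm('Delete entry <?= (int)$id ?>?');">
    <input type="hidden" name="id"
           value="<?= htmlspecialchars((string)$id, ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete</button>
</form>
```

The token check uses hash_equals() rather than == so the comparison does not leak timing, and the id is validated as a positive integer before it reaches the query.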

Email from your host: you are banned (PHP mail security matter)

I found this on a server:

# Vulnerable: the From header is built directly from raw request input
$header = "From: <".$_REQUEST['email'].">\n";
#...
mail($from,$subjet,$message,$header);

$_REQUEST['email'] came from a form input ...

Here $_REQUEST['email'] must, at the very least, have every \n stripped out, no matter how much you trust the client-side JavaScript.

$from = $_REQUEST['email'];
# remove both line terminators, so the value can never start a new header line
$from = str_replace(array("\r", "\n"), "", $from);
$header = "From: <$from>\n";
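Stripping line breaks is the minimum; the safer habit is to reject any address that is not a single valid e-mail and to keep From under the site's control. The following is an added example, not code from the page or the server it describes; SITE_FROM, the function names and the sample inputs are assumptions.

```php
<?php
// Added example (not the author's code): a user-supplied address is accepted
// only if it is one valid e-mail with no CR/LF, and it goes in Reply-To while
// From stays a fixed site address. SITE_FROM and the samples are constructed.
const SITE_FROM = 'noreply@example.com';

/**
 * Return the address if it is safe to use in a mail header, or null otherwise.
 * FILTER_VALIDATE_EMAIL already refuses control characters such as "\r" and
 * "\n"; the explicit check documents the reason and survives a validator change.
 */
function safe_header_address($input): ?string
{
    if (!is_string($input)) {
        return null;
    }
    $addr = trim($input);
    if (preg_match('/[\r\n\0]/', $addr)) {   // a header value must be one line
        return null;
    }
    $valid = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/** Build the extra headers for mail(); returns null if the input is unusable. */
function build_headers($replyTo): ?string
{
    $addr = safe_header_address($replyTo);
    if ($addr === null) {
        return null;
    }
    // From is ours; the visitor's address only ever appears in Reply-To.
    return "From: <" . SITE_FROM . ">\r\nReply-To: <" . $addr . ">";
}

// Constructed sample inputs: one good address, one carrying an extra line.
$samples = [
    'alice@example.org',
    "alice@example.org\r\nX-Injected: yes",
];
foreach ($samples as $s) {
    $h = build_headers($s);
    echo json_encode($s), ' => ', $h === null ? 'REJECTED' : json_encode($h), "\n";
}

// Usage in the form handler (assumed $to, $subject, $message):
// $headers = build_headers($_POST['email'] ?? null);
// if ($headers === null) { http_response_code(400); exit('invalid e-mail'); }
// mail($to, $subject, $message, $headers);
```

Rejecting the request is preferable to silently repairing the value: a real user typing an address never produces a line break, so a line break is a signal worth logging, not something to quietly drop.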