Bernd Eckenfels wrote:
| > Much better, look at rfc822. (I wouldn't consider *anything* that
| > has the word "sendmail" in it a good reference).
|
| It's much better if you don't rely on the content of the string at all. Don't
| use sh -c or system and you will be safe. Simply assume that all characters
| are valid in user-supplied strings and treat them exactly that way... If they
| need to be exported then unfortunately they need to be 'untainted' and this
| should be done by positive not negative lists as mentioned in the
| guidelines.

Not passing untainted data to system is clearly a very good idea. Less clear is how much other parsing should be done. I like extreme parsing (when it's cheap; as Marcus Watts pointed out, verifying remote hostnames & usernames can be expensive). If you don't strongly verify data on the way in, it can get to other places not so careful about its contents. This is why I chose to recommend against accepting a wide variety of legit email address formats; because they will be passed back to a database that assumes that the addresses have been sanitized, and are in user@foo.net format, and not treat them with the care they deserve.

In an ideal world, programmers would be careful with the data they get, but we don't live in an ideal world. I choose to suggest paranoia over inclusiveness, but am adding an appendix discussing issues of mail addressing.

Adam
--
"It is seldom that liberty of any kind is lost all at once." -Hume
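The two points the thread agrees on (untaint by a positive list rather than a negative one, and never hand the result to sh -c or system) together with Adam's deliberately narrow user@foo.net form, as an added example that is not code from the thread or from the guidelines it discusses. The mailer path /usr/sbin/sendmail and its -oi flag are assumptions about the local installation; the sample addresses are constructed.

```python
import re
import subprocess
from typing import List, Optional

# Positive (allowlist) grammar for the conservative user@foo.net form:
# one local part, one '@', a dotted host name. RFC 822 permits far more
# (quoted strings, comments, source routes); all of it is rejected here,
# which is the "paranoia over inclusiveness" choice from the thread.
# Both the local part and each host label must START with a letter or
# digit, so an accepted address can never begin with '-' and be taken
# for an option by the program it is later passed to.
_LOCAL = r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDRESS_RE = re.compile(rf"\A({_LOCAL})@({_LABEL}(?:\.{_LABEL})+)\Z")


def untaint_address(raw: str) -> Optional[str]:
    """Return the address unchanged if every character matches the
    allowlist grammar, otherwise None. Nothing is stripped or repaired:
    a rejected string is simply never used downstream."""
    if len(raw) > 254:
        return None
    return raw if _ADDRESS_RE.fullmatch(raw) else None


def mailer_argv(address: str, mailer: str = "/usr/sbin/sendmail") -> List[str]:
    """Build the argument vector for the mailer (path is an assumption).
    The address is its own argv element and is never spliced into a
    shell command line, so no character in it is shell-interpreted."""
    if untaint_address(address) is None:
        raise ValueError("address rejected by allowlist")
    return [mailer, "-oi", address]


def send(address: str, body: bytes) -> int:
    """Invoke the mailer directly: no system(), no sh -c, no shell=True."""
    proc = subprocess.run(mailer_argv(address), input=body, check=False)
    return proc.returncode
```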