Really? Security features disabled?

<p>I've been working on improving the security of all the mailer classes.</p>
<p>I originally wanted a technique to modify email addresses to remove any potential exploits. More accurately, to modify those email addresses that pose the greatest potential for exploits: the ones used in an email header block.</p>
<p>PHP has two functions that are ideal for this purpose: <b>escapeshellarg()</b> and <b>escapeshellcmd()</b>. Both are nearly identical: one applies to an individual parameter passed to a command, the other applies to the entire parameter string.</p>
<p>I've previously used these successfully, but in recent tests to verify enhanced security in my most recent mailer class versions, I found that the hosting provider for the test environment is blocking both of these PHP functions. In my research, I found this is quite common. I can't find a reason for this. Why would providers block access to functions that help with security?</p>
<p>I still don't know the answer, but I do know that I cannot rely on the availability of these two functions. There is absolutely no way I can control the environment of users of my email classes. The way another email class deals with this is to exit without sending when either (or both) of these functions are not available. That's not a proper way of dealing with security.</p>
<p>What we need to do is find a way of either detecting an exploit, or altering the input to render it "shell safe".</p>
<p>I'm not up to writing a "shell safe" script to modify input. I also don't want to exit when the PHP functions to modify input are not available. So, I came up with an alternative. I don't use the PHP functions at all ... I have found a way to detect exploits in email addresses that is about 99.9% accurate. That means 0.1% of valid email addresses will fail the detection process.</p>
<p>That's an acceptable ratio to me. I do regret that some valid emails won't process properly, but the email class will continue to run and deliver emails to the other 99.9%.</p>
<p>It's in the next release of PHPMailer Pro, PHPMailer Lite and PHPMailer Mini.</p>
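<p>The post does not show its detection method, so the following is an added example and not the PHPMailer Pro code: one way to check whether the host has blocked the two functions, and to fall back on a conservative allowlist that rejects a few valid addresses rather than exiting. The function names <code>fn_usable</code> and <code>is_header_safe_address</code> are hypothetical and the sample addresses are constructed.</p>

```php
<?php
// Added example; function names are hypothetical, sample addresses are constructed.

// True only when the function exists and is not named in disable_functions.
// PHP 8 removes disabled functions entirely; PHP 7 keeps a stub, so check both.
function fn_usable(string $name): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($name) && !in_array($name, $disabled, true);
}

// Conservative allowlist check for an address headed for a mail header block.
function is_header_safe_address(string $addr): bool
{
    if ($addr === '' || strlen($addr) > 254) {
        return false;
    }
    // CR, LF, NUL and other control characters can split or forge headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $addr)) {
        return false;
    }
    // Narrow allowlist: no quotes, spaces, backslashes or shell metacharacters.
    $pattern = '/\A[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/';
    if (!preg_match($pattern, $addr)) {
        return false;
    }
    // Must also pass PHP's built-in validator.
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

foreach (['escapeshellarg', 'escapeshellcmd'] as $fn) {
    printf("%-16s %s\n", $fn, fn_usable($fn) ? 'usable' : 'blocked or missing');
}

$samples = [
    'alice@example.com',
    "bob@example.com\r\nX-Constructed: 1",  // embedded line break
    "o'brien@example.com",                   // valid per RFC 5322, rejected here
    '"john doe"@example.com',                // valid quoted local part, rejected here
];
foreach ($samples as $addr) {
    $verdict = is_header_safe_address($addr) ? 'accept' : 'reject';
    printf("%-40s %s\n", json_encode($addr), $verdict);
}
```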
Keywords: escapeshellarg(), escapeshellcmd(), email security, email regex
