We have jailed PHP on a separate virtual machine to restrict fallout from any insecure customer scripts (we do try to vet them, but ...). One of our PHP-using customers wants to generate emails from his PHP form, much as standard CGI scripts can post form contents to email.
The PHP resources that we have don't specifically address security issues related to this, so we wondered if the collective wisdom of the forum could assist us in deciding if this is a good use of PHP.
Most mail scripts in PHP require global_variables to be turned on, which presents a security risk. There are a couple of workarounds for global_variables. Is this customer going to be sending attachments as well?