  1. #1
    Git-R-Done

    Simple and secure function for email injection attacks

    Does anyone know of a simple and secure function that I can run for each form field that uses the $_POST method to ensure that the information being submitted is not a spammer trying to send out emails to people?

    I've searched and searched Google and haven't really been able to find anything that was easy to use and not all bloated.
    John Saunders

  2. #2
    MikeBigg
    The ones I have seen have seemed ok. This is one I use on one of my sites that was being abused to send emails:

    PHP Code:
    function doNLInjectionTest()
    {
        global $msgFrom, $msgSubject;

        // Combine the strings to make testing easier
        $allStrings = $msgFrom . $msgSubject;

        // if any of the fields contain a \r or \n then return TRUE
        // (double quotes are required: in single quotes '\r' is a literal backslash and r,
        // not a carriage return, so the check would never match)
        $pos = strpos($allStrings, "\r");
        if (!($pos === false)) {
            return TRUE;
        }

        $pos = strpos($allStrings, "\n");
        if (!($pos === false)) {
            return TRUE;
        }

        // a test character (set this to the alt-241 character used in the form;
        // the character did not survive on this page, so it is left empty here
        // and the check is skipped while empty, because strpos() with '' would
        // otherwise match at position 0 on newer PHP)
        $testChar = '';
        if ($testChar !== '' && strpos($allStrings, $testChar) !== false) {
            return TRUE;
        }

        return FALSE;
    }

    All the header fields (e.g. from email address and subject that become part of the email headers) are grabbed from $_POST and trim()ed. Trim() will remove CR/LF at the end of the string. I set them as global so this function can see them.

    I join them together so I only have to test once, then test for the presence of a carriage return or newline in that string. If present something is wrong so return an error.

    I have included a test character to make testing easy in the actual form ( is alt-241).

    This stopped the abuse, dead.

    Mike
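The same CR/LF check in a stricter form, as an added example that is not Mike's code or part of the original thread: the fields are passed in from $_POST instead of globals, URL-encoded line breaks and null bytes are rejected too, and the From address is validated with filter_var(). Field names (from, subject, name) and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not from the original post. Assumes a contact form whose
// 'from', 'subject' and 'name' fields end up in the outgoing mail headers.

// Return true if $value can safely be placed on a single email header line.
function isSafeHeaderValue(string $value): bool
{
    // A raw CR, LF or NUL lets a submitter start a new header line.
    if (preg_match('/[\r\n\x00]/', $value)) {
        return false;
    }
    // URL-encoded line breaks (%0d, %0a) can be decoded by a later layer,
    // so reject them as well.
    if (preg_match('/%0[ad]/i', $value)) {
        return false;
    }
    return true;
}

// Check every header-bound field from the submitted form.
// Returns a list of error messages; an empty list means the input is clean.
function validateMailFields(array $post): array
{
    $errors = [];
    foreach (['from', 'subject', 'name'] as $field) {
        $value = trim($post[$field] ?? '');
        if (!isSafeHeaderValue($value)) {
            $errors[] = "Field '$field' contains a line break or control character";
        }
    }
    // The From address must also parse as one well-formed email address.
    if (filter_var(trim($post['from'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "Field 'from' is not a valid email address";
    }
    return $errors;
}

// Constructed sample submissions: one clean, one with an injected header line.
$samples = [
    'clean'    => ['from' => 'alice@example.com', 'subject' => 'Hello', 'name' => 'Alice'],
    'injected' => ['from' => "alice@example.com\r\nX-Extra: injected", 'subject' => 'Hi', 'name' => 'A'],
];

foreach ($samples as $label => $post) {
    $errors = validateMailFields($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
}
```

Rejecting the whole submission (rather than stripping the offending characters) keeps the behaviour simple to reason about and gives you a clear event to log.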

