
Thread: Email injection.

  1. #1  mmarif4u (SitePoint Guru, joined Dec 2006)

    Email injection.

    Hi guys:
    I just want to know which PHP security function I should use to prevent email injection.
    For example, I have a contact us form where a user enters his name, email and message and then submits it.
    After submitting, it comes to my email. So how can I prevent my script from injection, especially email injection?

    Thanks.

  2. #2  cranial-bore (SitePoint Wizard, joined Jan 2002)
    Don't use any of the user-inputted values in the header. For example, don't put the from name or from email address in the headers to make it appear that the mail came directly from the user.

    You may also want to check out as_mail -- http://shaunwagner.com/projects/php/as_mail.html

  3. #3  lorenw (SitePoint Wizard, joined Feb 2005)
    Emails get injected when someone fills out their email address and hits return, which puts in an invisible \n; then on the new line they will do something like cc: victim@domain.com

    The biggest threat here is the \n in the headers or the part of the email before the message.

    You will be safe if you do a string replace; notice the double quotes and the single quotes: ("\n", '', $fromemail)

    There is also (if I remember correctly) x0a, which is a Unix end of line and should be dealt with.

    Set your subject within the mailing script and you should be good to go.

    Cheers
    Loren

  4. #4  mmarif4u (SitePoint Guru, joined Dec 2006)
    OK, thanks for the reply guys:
    Now I have this script; how can I make it more secure? Any ideas...

    PHP Code:
    // Poster's contact-form script, with the operators (=, ., commas) that the
    // forum's syntax highlighter dropped restored. error() is the poster's own
    // helper and is not shown in the thread.
    $name  = stripslashes($_POST['name']);
    $email = stripslashes($_POST['email']);
    $msg   = stripslashes($_POST['msg']);
    $to    = 'something@yahoo.com';

    if (isset($_POST['submit'])) {
        if ($name == '' || $email == '' || $msg == '') {
            error('Please fill out all fields.');
        } else {
            // eregi() was removed in PHP 7; preg_match() with the /i flag is the
            // equivalent of the original case-insensitive match.
            if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i', $email)) {
                error('The email address is invalid.');
            }
            if (!preg_match('/^[a-zA-Z\" "]*$/', $name)) {
                error('The Name that you have given is not valid.\\n' .
                      'Please try again.');
            }
            // The visitor-supplied $email goes straight into the From: header.
            $headers = "From: <$email>\r\n" .
                       //'X-Mailer: PHP/' . phpversion() . "\r\n" .
                       //'MIME-Version: 1.0' . "\r\n" .
                       'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            $message = "
            Name: <b>$name</b>
            <br>
            Email: <b>$email</b>
            <br>
            Message: $msg
            ";
            $mail = mail($to, "Hi", $message, $headers);
            if ($mail) {
                header('Location: message.php');
            } else {
                error('error: sending the message.');
            }
        }
    }
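The points raised in posts #2 and #3, and the header-building problem in the script in post #4, as an added example that is not part of the thread and not the poster's code. It shows what a newline in the email field does to the header block the script builds, then a hardened way to build the same mail() call. The constants, function names and sample addresses (example.com, example.net, example.org) are assumptions made for the example; no mail is actually sent.

```php
<?php
// Added example (not the poster's script): the header injection described in
// the thread, and a hardened way to build the mail() headers for a contact form.
declare(strict_types=1);

// A hostile "email" field: an address, a line break, then extra headers.
// Constructed sample input for the example, not real traffic.
const MALICIOUS_EMAIL = "attacker@example.com\r\nBcc: victim1@example.net, victim2@example.net\r\nSubject: spam";

// The unsafe pattern from the thread: user input pasted straight into headers.
function unsafe_headers(string $email): string
{
    return "From: <$email>\r\n" .
           "Content-type: text/html; charset=iso-8859-1\r\n";
}

// Split a raw header block into [name => value] pairs, the way a mail
// transfer agent would, so the injected Bcc: becomes visible.
function parse_headers(string $raw): array
{
    $out = [];
    foreach (preg_split('/\r\n|\n|\r/', trim($raw)) as $line) {
        if (preg_match('/^([A-Za-z-]+):\s*(.*)$/', $line, $m)) {
            $out[$m[1]] = $m[2];
        }
    }
    return $out;
}

// Reject any value that is not a single header line. CR (0x0d) and LF (0x0a)
// both end a header line, so stripping only "\n" is not enough; refuse both.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Validate the address with PHP's built-in validator instead of a home-grown
// regex; a value that failed the line check never reaches it.
function clean_email(string $email): ?string
{
    $email = trim($email);
    if (!is_single_line($email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Build headers the way post #2 recommends: From: is a fixed address on the
// sending domain, the visitor's address only goes in Reply-To:, and every
// value has been checked to be exactly one line. Returns null on bad input.
function safe_headers(string $visitorEmail, string $fromAddress): ?string
{
    $visitorEmail = clean_email($visitorEmail);
    if ($visitorEmail === null || !is_single_line($fromAddress)) {
        return null;
    }
    return "From: Contact form <$fromAddress>\r\n" .
           "Reply-To: <$visitorEmail>\r\n" .
           "MIME-Version: 1.0\r\n" .
           "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Body: send plain text, and escape the user fields anyway so a visitor
// cannot smuggle markup into a client that renders the message as HTML.
function safe_body(string $name, string $email, string $msg): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return "Name: " . $h($name) . "\nEmail: " . $h($email) . "\nMessage:\n" . $h($msg) . "\n";
}

// Demonstration: the unsafe build gains a Bcc: header the script never wrote,
// the safe build refuses the same input, and a normal address goes through.
$injected = parse_headers(unsafe_headers(MALICIOUS_EMAIL));
printf("Unsafe build gained header: Bcc: %s\n", $injected['Bcc'] ?? '(none)');

var_dump(safe_headers(MALICIOUS_EMAIL, 'contact@example.com'));   // NULL: rejected
echo safe_headers('visitor@example.org', 'contact@example.com');  // four clean header lines
echo safe_body('Ann', 'visitor@example.org', 'Hello <b>there</b>');
```

Rejecting the whole submission is preferable to deleting the line break, as post #3 suggests, because "\r\n" is the header line terminator and removing one of the two characters still leaves a line-ending character for a lenient mailer to honour. The subject should likewise be a fixed string in the script, never a form field. Recent PHP releases added some injection checks to the additional_headers argument of mail(), but a form should not rely on them: the validation above is the part the script controls.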


