PHP E-mail security help

Hello all and thank you for your previous help. I finally managed to get my mail function working. Is there any way to make this code safer against spam injections etc.? I have tried adding lines but can’t get it to work properly. Can anyone give me some clues as to what lines I need to add and where? Thank you so much and I hope this is the right forum to post in. I am such a beginner using PHP.


<?php
$to = "mydomain@strato.com";
$subject = "Websiten Anfrage";
$email = $_REQUEST['email'];            // taken straight from the request, unchecked
$headers = "From: $email";
$message = $_REQUEST['text_message'];
// mail() expects (to, subject, message, additional headers) in that order
$sent = mail($to, $subject, $message, $headers);
if ($sent) {
    print "Your mail was sent successfully";
} else {
    print "We encountered an error sending your mail";
}

// This second $message is built after mail() has already been called and uses
// variables ($todayis, $attn, $notes, ...) that are never set in this script,
// so it has no effect on the e-mail that was sent.
$message = " $todayis [EST]
Attention: $attn
Message: $notes
From: $visitor ($visitormail)
Additional Info : IP = $ip
Browser Info: $httpagent
Referral : $httpref
";
?>

This article is quite old, but it has some basic security features and decent explanation of what’s going on. Check it out:
http://www.phpbuilder.com/columns/ian_gilfillan20060412.php3

There’s a huge security hole in your code, since you’re trusting the ‘email’ parameter and putting it into a header.

I could write a small script to call your contact page and submit that parameter as,

"foo@bar.com<CR><LF>Bcc: <a thousand spam addresses>"

You should at least verify that there are no <CR> (“\d”) or <NL> (“\r”) characters in that string before using it.

Do you mean I should add this line to my send.php file and position it where?

Thanks

Siamanti

I am beginning to understand what you mean. Thanks again!

Yes, you should include that check somewhere before you call the mail() function, and refuse to send the message if the ‘email’ parameter contains line breaks or other suspicious characters.

Be careful if you use a regular expression to validate the ‘email’ parameter, since regular expressions by default stop matching at a CR or LF character. You will then need to supply a ‘multi-line’ flag to make it perform the match on the whole string.

Thanks again. I am not sure about regular expressions. The code above is pretty much the code I have used with the addition of some function commands. So you mean I should add it before the $mail command somewhere?

Siamanti

Yeah,

<?php
$to = "mydomain@strato.com";
$subject = "Websiten Anfrage";
$email = $_REQUEST['email'];
$headers = "From: $email";
$message = $_REQUEST['text_message'];

/* Sanity check for the email parameter: refuse anything containing a line
   break, since a CR or LF lets the sender append extra headers such as Bcc:.
   Note "\r" and "\n" in double quotes are the actual control characters;
   "\\r" would only look for a literal backslash followed by r. */
if (strpos($email, "\r") !== false || strpos($email, "\n") !== false) {
    die('Spammer!');
}

// mail() expects (to, subject, message, additional headers) in that order
$sent = mail($to, $subject, $message, $headers);
if ($sent) {
    print "Your mail was sent successfully";
} else {
    print "We encountered an error sending your mail";
}

// Built after mail() has already been called, with variables that are never
// set in this script, so it has no effect on the e-mail that was sent.
$message = " $todayis [EST]
Attention: $attn
Message: $notes
From: $visitor ($visitormail)
Additional Info : IP = $ip
Browser Info: $httpagent
Referral : $httpref
";
?>
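As an added example, not code from anyone in this thread: the line-break check from the replies above wrapped in a function, combined with PHP's built-in address validation, and mail() called in its documented argument order. The function names is_safe_header_value, sanitize_sender and send_contact_mail are my own; the form fields are the ones from the posts.

```php
<?php
// Added example, not code from the thread. It wraps the check the reply above
// describes in a function and shows the correct mail() argument order.
// Assumed: form fields 'email' and 'text_message', as in the posts above.

// A header value is safe only if it contains no CR, LF or NUL byte; those are
// the characters that let a submitted value turn into extra header lines.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Returns the sender address if it is header-safe and syntactically valid,
// or null if the request must be refused.
function sanitize_sender(string $raw): ?string
{
    if (!is_safe_header_value($raw)) {
        return null;
    }
    $clean = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// The contact-form handler: refuse before mail() is ever called.
function send_contact_mail(array $request): bool
{
    $sender = sanitize_sender((string) ($request['email'] ?? ''));
    if ($sender === null) {
        return false;
    }
    $body    = (string) ($request['text_message'] ?? '');
    $headers = "From: $sender\r\nReply-To: $sender";
    // mail() takes (to, subject, message, additional headers) in that order.
    return mail('mydomain@strato.com', 'Websiten Anfrage', $body, $headers);
}

// Constructed inputs: an honest address, the injection shape described above,
// and something that is not an address at all.
$samples = [
    "visitor@example.com",
    "visitor@example.com\r\nBcc: someone@example.net",
    "not an address",
];
foreach ($samples as $raw) {
    $result = sanitize_sender($raw);
    echo json_encode($raw), ' => ', $result === null ? 'REFUSED' : "OK ($result)", PHP_EOL;
}
```

Only the first sample passes; the other two are refused before any header is built, so mail() never sees them.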

Once again, thank you very much for your help!

Siamanti