There is a weakness in the PHP e-mail script in the previous chapter...
PHP E-mail Injections
First, look at the PHP code from the previous chapter:
The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.Code:<html> <body> <?php if (isset($_REQUEST['email'])) //if "email" is filled out, send email { //send email $email = $_REQUEST['email'] ; $subject = $_REQUEST['subject'] ; $message = $_REQUEST['message'] ; mail("[email protected]", "Subject: $subject", $message, "From: $email" ); echo "Thank you for using our mail form"; } else //if "email" is not filled out, display the form { echo "<form method='post' action='mailform.php'> Email: <input name='email' type='text' /><br /> Subject: <input name='subject' type='text' /><br /> Message:<br /> <textarea name='message' rows='15' cols='40'> </textarea><br /> <input type='submit' /> </form>"; } ?> </body> </html>
What happens if the user adds the following text to the email input field in the form?
The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field.Code:[email protected]%0ACc:[email protected] %0ABcc:[email protected],[email protected], [email protected],[email protected] %0ABTo:[email protected]
When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
PHP Stopping E-mail Injections
The best way to stop e-mail injections is to validate the input.
The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
In the code above we use PHP filters to validate input:Code:<html> <body> <?php function spamcheck($field) { //filter_var() sanitizes the e-mail //address using FILTER_SANITIZE_EMAIL $field=filter_var($field, FILTER_SANITIZE_EMAIL); //filter_var() validates the e-mail //address using FILTER_VALIDATE_EMAIL if(filter_var($field, FILTER_VALIDATE_EMAIL)) { return TRUE; } else { return FALSE; } } if (isset($_REQUEST['email'])) {//if "email" is filled out, proceed //check if the email address is invalid $mailcheck = spamcheck($_REQUEST['email']); if ($mailcheck==FALSE) { echo "Invalid input"; } else {//send email $email = $_REQUEST['email'] ; $subject = $_REQUEST['subject'] ; $message = $_REQUEST['message'] ; mail("[email protected]", "Subject: $subject", $message, "From: $email" ); echo "Thank you for using our mail form"; } } else {//if "email" is not filled out, display the form echo "<form method='post' action='mailform.php'> Email: <input name='email' type='text' /><br /> Subject: <input name='subject' type='text' /><br /> Message:<br /> <textarea name='message' rows='15' cols='40'> </textarea><br /> <input type='submit' /> </form>"; } ?> </body> </html>
- The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string.
- The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address.
You can read more about filters in our PHP Filter chapter.
Results 1 to 1 of 1
Thread: PHP Secure E-Mail
-
03-03-2011 #1
DEADBEEF
Join Date : Nov 2010
Posts : 777
ArrayPHP Secure E-Mail
Similar Threads
-
[YouTube] Royal Mail are a Disgrace! @RoyalMail
By THUMBS in forum Youtube FamousReplies: 0Last Post: 08-31-2014, 05:34 PM -
PHP Mail
By JizzaBeez in forum Tutorials and ResourcesReplies: 0Last Post: 03-03-2011, 12:13 PM
Visitors found this page by searching for:
Tags for this Thread
Posting Permissions
