designsguru: PHP E-mail Injections

Wednesday, March 9, 2011

PHP E-mail Injections

PHP E-mail Injections

First, look at the PHP code from the previous chapter:

if (isset($_REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = $_REQUEST['email'] ;
  $subject = $_REQUEST['subject'] ;
  $message = $_REQUEST['message'] ;
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "
";
  }
?>

The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.

What happens if the user adds the following text to the email input field in the form?
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com

The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input.

Managing Online Forums: Everything You Need to Know to Create and Run Successful Community Discussion Boards

The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:

function spamcheck($field)
  {
  //filter_var() sanitizes the e-mail
  //address using FILTER_SANITIZE_EMAIL
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);

  //filter_var() validates the e-mail
  //address using FILTER_VALIDATE_EMAIL
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
   {
   return TRUE;
   }
  else
   {
   return FALSE;
   }
  }

if (isset($_REQUEST['email']))
  {//if "email" is filled out, proceed

  //check if the email address is invalid
  $mailcheck = spamcheck($_REQUEST['email']);
  if ($mailcheck==FALSE)
   {
   echo "Invalid input";
   }
  else
   {//send email
   $email = $_REQUEST['email'] ;
   $subject = $_REQUEST['subject'] ;
   $message = $_REQUEST['message'] ;
   mail("someone@example.com", "Subject: $subject",
   $message, "From: $email" );
   echo "Thank you for using our mail form";
   }
  }
else
  {//if "email" is not filled out, display the form
  echo "
";
  }
?>

In the code above we use PHP filters to validate input:

The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address

You can read more about filters in our PHP Filter chapter.


http://garhwalbati.blogspot.com Web

designsguru

icubesire

snap deal

revenuehits

designsguru home

Search in Desigs Guru

Wednesday, March 9, 2011

PHP E-mail Injections

No comments:

Post a Comment

LinkWithin

ad

ad

FiveLead

iPhone 4 i cube

ICubeswire

adclick

Indian Stock Exchange

Jobs

upload your video, mp3, photo, documents & share

Rss Feed

Find Your Domain Name & Get Discount

Infolinks In Text Ads

Daily News Updates

Description of Designsguru

Popular Posts

text ad

Total Pageviews

Reviews

E-Commerce Times

Infolinks In Text Ads

ghaur bati

Latest Movies Song Download

Subscribe To

Latest News Updates

LIVE CRICKET

adBrite

Search in Designs Guru

EARN MONEY WITH YOUR RESUME

find job

HINDI & ENGLISH FM RADIO

Followers

Contributors

Blog Archive

shadi

Get Domain Name with Godaddy

images ad

propeller ads

search

Latest News Updates

Search This Blog

freelancer work for graphics designing & web designing

infolink