cancel
Showing results for 
Search instead for 
Did you mean: 

Avoiding Email Injection - .php script

ChrissyD
Dabbler
Posts: 13
Registered: ‎06-08-2007

Avoiding Email Injection - .php script

Hi,  I just completed a brochure request script in .php.   I understand that I now need to Secure the Mail code within my script to avoid Email Injection by Spammers.   
I`m not clued up at this moment as to how to do this, or for that matter on how Spammers hijack email addresses.   
Is there anyone at Plusnet that could recommend what lines of script i need to do this, or, point me to some good reference pages please.
The script I`ve done for sending looks like this :
<?php
  $title = "Title: " . $_REQUEST['title'] . chr(13) ;
  $christianname = "Christian name: " . $_REQUEST['christianname'] . chr(13) ;
  $surname = "Surname: " . $_REQUEST['surname'] . chr(13) ;
  $company = "Company: " . $_REQUEST['company'] . chr(13) ;
  $street = "Street: " . $_REQUEST['street'] . chr(13) ;
  $town = "Town: " . $_REQUEST['town'] . chr(13) ;
  $county = "County: " . $_REQUEST['county'] . chr(13) ;
  $postcode = "Postcode: " . $_REQUEST['postcode'] . chr(13) ;
  $tel = "Tel: " . $_REQUEST['tel'] . chr(13) ;
  $fax = "Fax: " . $_REQUEST['fax'] . chr(13) ;
  $select = "Select " . $_REQUEST['select'] . chr(13) ;
  $message = "Message: " . $_REQUEST['message'] . chr(13) ;
  mail( "xxxxxx@xxxxxxxxx.co.uk", "Feedback Form Results",
    $title . $christianname . $surname . $company . $street . $town . $county . $postcode . $tel . $fax . $select . $message, "From: $email" );

   header( "Location: http://ccgi.xxxxxxxxx.xxxxxxxxxxxxx.co.uk/cgi-bin/thankyou.php?title=".$_REQUEST['title']."&surname=".$_REQUEST['surname']);?>

Any help would be appreciated
Just one other quick suggestion,  the forum page would be better if the person asking the question could tick a 'solved' box.  In turn a Tick appears against the question on the forum pages,  so that people know who is still struggling and who has had some satisfactory answers .... 

Chris
8 REPLIES 8
oliverb
Grafter
Posts: 606
Registered: ‎02-08-2007

Re: Avoiding Email Injection - .php script

Non expert opinion...
You've taken care of one threat by hardcoding your email address.
Apparently another big threat is the "from" email address. Most scripts of this type use the email address from the form as the "From:" address. By returning multiple lines in the email field a spammer can inject a Bcc: (Blind carbon copy) line into the email header. This causes the email to be CC'd to the addresses they added.
It follows that the "from" address must be "sanitised" to remove linefeeds, or validated.
ChrissyD
Dabbler
Posts: 13
Registered: ‎06-08-2007

Re: Avoiding Email Injection - .php script

Hi Oliverb,  Thanks for that,  that is a good summary of what I`ve just read.  I`ve just found the code that I need now to validate emails (persistance pays !!).  If anyone gets stuck on this in the future let me know and I`ll post the link.
Cheers again for yr help.
Chris
Peter_Vaughan
Community Veteran
Posts: 14,469
Registered: ‎30-07-2007

Re: Avoiding Email Injection - .php script


// Validate email addresses
function validate_email_address($email) {
  // First, we check that there's one @ symbol, and that the lengths are right
  if (!ereg("[^@]{1,64}@[^@]{1,255}", $email)) {
    // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
    return false;
  }
  // Split it into sections to make life easier
  $email_array = explode("@", $email);
  $local_array = explode(".", $email_array[0]);
  for ($i = 0; $i < sizeof($local_array); $i++) {
    if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
      return false;
    }
  } 
  if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
    $domain_array = explode(".", $email_array[1]);
    if (sizeof($domain_array) < 2) {
        return false; // Not enough parts to domain
    }
    for ($i = 0; $i < sizeof($domain_array); $i++) {
      if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
        return false;
      }
    }
  }
  return true;
}

ChrissyD
Dabbler
Posts: 13
Registered: ‎06-08-2007

Re: Avoiding Email Injection - .php script

Oh Wow,  that`s even better still !!!    Thanks very much for your help Peter.  Just one question,  If you had a brochure.php script that contains an email form to fill in and a submit button  OR  a sendmail.php file which actually mails the information,  which page would the code usually be put into ?
Chris
Peter_Vaughan
Community Veteran
Posts: 14,469
Registered: ‎30-07-2007

Re: Avoiding Email Injection - .php script

I use a single .php file containing the form, validation and mail() call and when the submt button is pressed it calls itself to validate and then send the email. You then do a header() redirect to a thankyou page.
That way if the validation fails you just reshow the form page with a suitable error message in the correct place. If the validation is OK you just call the mail() function call with the details entered then redirect to the thankyou.php page - or you could do that all within the same php file as well.
SoulBriski
Grafter
Posts: 179
Registered: ‎15-06-2007

Re: Avoiding Email Injection - .php script

This is handy. I'm just looking at the redirect thing myself.
I do the same as Peter. One page that reloads itslef according to the circumstances. Display the form to be filled in, reload to validate and send the email, if ok display thanks, if not display problem.
However, i don't use the redirect option because I know that the header("Location: $url") has to come before any html output so i struggled with that bit.
I must assume that ChrissyD's  code at the start of this thread is at the very beginning of the php script and that there are no white spaces or html output before the header("Location: $url") line?
ChrissyD
Dabbler
Posts: 13
Registered: ‎06-08-2007

Re: Avoiding Email Injection - .php script

SoulBriski,  I`ve created 3 pages Brochure.php (which is the form to fill in).  Sendmail.php (which is the code shown above,  this is the entire code within this file ie. no html).  And Thankyou.php (which acknowledges that information has been sent / received).
I`ve got this all running smoothly with 3 files,  but i`ll have a go at putting Brochure + Sendmail + Email Validation Script all into one.
Prod_Man
Grafter
Posts: 286
Registered: ‎04-08-2007

Re: Avoiding Email Injection - .php script

Yeah,
the Email Verification Code is all nice and dany but... just one thing,
are those Regular Expressions safe of the good old Regular Expression Delimiter "injection"?
because it's all very well haveing Regular Expressions, but I've known them to be reversed in the pase with SQL Injection Protection Methods (Had one of my group sites injected several times by Turks).
The protection was that bad by default, it couldn't cut it because there was no way of stopping it unless you used another filter around the $_GET / $_POST Variables, as to remove the delimiters or protect the script with "die();" or "exit;"
that meant another hunk of protection code where necessary.
(which I did by hand in the end, and so far nothing has sucessfully got through...)
Delimieters were something along the lines of
*//* or there abouts.. perhapse escaped by \x or %
Just some thoughts.
Jim,