Protecting PHP email form from injection?

I've heard of PHP forms being abused to send email from the person the form is supposed to send to. Is this an actual problem, and if so, how can it be fixed? Is it similar to preventing SQL injection?

Answers


You're talking about email injection security vulnerability. For example, if you're passing custom headers to the mail() function like in the following code sample, you're vulnerable:

<?php
$additional_headers = "Reply-To: {$_GET['user_email']}";
mail($to, $subject, $message, $additional_headers);
?>

Consider that a malicious user passes not only his email, but also additional headers like this:

<?php
//$_GET['user_email'] = "me@example.net";// this is what you expect
// this is what you're getting actually
$_GET['user_email'] = "me@example.net\r\nBcc: someone@example.net, ...";
?>

Then a malicious user would send a carbon copy of his supposedly SPAM-ridden message to a virtually unlimited list of users from your server under your name. One can even replace your message completely with his own this way by adding certain otherwise-safe MIME headers. You can only imagine to what consequences this can lead!

Solution is simple: don't trust anything you receive from a user, and filter/validate the received data.


Need Your Help

ClientX and ClientY Reference Error in firefox?

javascript jquery html css firefox

I have a simple jquery program where a div should get displayed based on co-ordinates

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.