PHPpod.com - Custom PHP scripts, PHP articles and tutorials. Custom programming

Home

PHP Tutorials

Translate This Website

Thursday, 11 March 2010

Web Development

Request a Quote

Script Categories

RSS Media Grabber Funny Videos & Pictures Life Stories (Flash) Video Search & Download Video Downloader Script Country on Sale Advanced Polls Phone Upload/SMS Scripts PhotoCube Script SlideShow Creation Script Create Custom Smiley Script Short URLs & Subdomains Put your text on images Watermark & Image Hosting Joomla Components Low Cost Scripts

Partners

Online HTML Editor

Wordpress Themes

Broadband Speed Test

Wireless Networking Store

San Francisco Taxi

Free Adwords Tutorial

PHP Secure E-mails

PHP E-mail Injections

First, look at the PHP code from the previous chapter:

<html>
<body>

<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail(" ", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>

</body>
</html>

The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.

What happens if the user adds the following text to the email input field in the form?

%0ACc:
%0ABcc: , ,
,
%0ABTo:

The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!
PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input.

The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:

<html>
<body>

<?php
function spamcheck($field)
{
//eregi() performs a case insensitive regular expression match
if(eregi("to:",$field) || eregi("cc:",$field))
    {
    return TRUE;
    }
else
    {
    return FALSE;
    }
}

//if "email" is filled out, send email
if (isset($_REQUEST['email']))
{
//check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==TRUE)
    {
    echo "Invalid input";
    }
else
    {
    //send email
    $email = $_REQUEST['email'] ;
    $subject = $_REQUEST['subject'] ;
    $message = $_REQUEST['message'] ;
    mail(" ", "Subject: $subject",
    $message, "From: $email" );
    echo "Thank you for using our mail form";
    }
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>

</body>
</html>

Credit: www.w3schools.com

Free social bookmarking plugins and extensions for Joomla! websites!

< Prev		Next >

[ Back ]

Show Cart
Your Cart is currently empty.

Services

Login Form
Name: Username: E-mail: Password: Verify Password: Go back to Login Please enter your Username and e-mail address then click on the Send Password button. You will receive a new password shortly. Use this new password to access the site. Username: E-mail Address: Go back to Login Or Register Username: Password: Remember me Lost Password? No account yet? Register Hi,

On Sale

RSS Media Grabber - Get 100s of Videos

~~$129.00~~
$12.90
You Save: 90.00%
Add to Cart

Home Announcements Support Newsletter Forum PHP Articles PHP Tutorials Scripts FAQs Free Scripts Links Contacts