Sunday, 07 September 2008
PHP Secure E-mails

PHP E-mail Injections

First, look at the PHP code from the previous chapter:

<html>
<body>

<?php
// If "email" is filled out, send the e-mail; otherwise display the form.
if (isset($_REQUEST['email']))
  {
  // Every field is taken straight from the request and handed to mail()
  // unchecked. $email ends up in the additional_headers argument as
  // "From: ...", where each newline starts a new header line.
  $email = $_REQUEST['email'] ;
  $subject = $_REQUEST['subject'] ;
  $message = $_REQUEST['message'] ;
  // mail(to, subject, message, additional_headers); the recipient is left
  // blank here, and the subject is passed as-is (mail() adds "Subject:").
  mail(" ", $subject, $message, "From: $email");
  echo "Thank you for using our mail form";
  }
else
  {
  // "email" is not filled out: display the form
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

</body>
</html>

The problem with the code above is that anyone who can submit the form can insert data into the mail headers via the email field: its value is placed verbatim into the additional_headers argument of mail(), and mail() treats every newline in that argument as the start of another header line, exactly as it would for headers the programmer added on purpose.

What happens if the user adds the following text to the email input field in the form? (%0A is a URL-encoded line feed; PHP decodes it before the value reaches $_REQUEST['email']. The addresses are written as <address> placeholders.)

<address>%0ACc: <address>
%0ABcc: <address>, <address>,
<address>
%0ATo: <address>

The mail() function puts the text above into the mail headers as usual, so the header block now contains extra Cc:, Bcc:, and To: lines. When the user clicks the submit button, the e-mail is sent to all of those addresses, and the contact form has become an open relay for spam. Note that the subject and message fields are passed to mail() unchecked in the same way.
PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input. A single e-mail address never legitimately contains a line break, so anything with a carriage return or line feed in it should be rejected before it gets anywhere near mail().

The code below is the same as in the previous chapter, but with an input validator that checks the email field in the form. The original validator used eregi() to look for the strings "to:" and "cc:"; eregi() was deprecated in PHP 5.3 and removed in PHP 7.0, so the version below performs the same case-insensitive search with preg_match(). Be aware of its limits: it only blocks the two header names it looks for, so a newline followed by some other header (Content-Type:, for example) gets through, and the subject field is not checked at all.

<html>
<body>

<?php
// Returns TRUE when $field looks like a header-injection attempt.
// preg_match() with the i modifier replaces the removed eregi(): a
// case-insensitive search for the substrings "to:" or "cc:".
function spamcheck($field)
  {
  if (preg_match('/to:|cc:/i', $field))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

// If "email" is filled out, send the e-mail; otherwise display the form.
if (isset($_REQUEST['email']))
  {
  // Check the email field for injected header names before using it.
  $mailcheck = spamcheck($_REQUEST['email']);
  if ($mailcheck==TRUE)
    {
    echo "Invalid input";
    }
  else
    {
    // Send the e-mail. The recipient is left blank here; the subject and
    // message are still passed through unchecked.
    $email = $_REQUEST['email'] ;
    $subject = $_REQUEST['subject'] ;
    $message = $_REQUEST['message'] ;
    mail(" ", $subject, $message, "From: $email");
    echo "Thank you for using our mail form";
    }
  }
else
  {
  // "email" is not filled out: display the form
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

</body>
</html>
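The script below is added here as an illustration; it is not part of the w3schools tutorial. It makes the two points of this chapter concrete without sending anything: it builds the additional_headers string the form hands to mail() for a normal address and for two constructed injection payloads, runs the tutorial's spamcheck() test on each, and then runs a stricter validator that refuses any carriage return or line feed and requires a syntactically valid address via filter_var(). The function names build_headers() and is_safe_email() and the example.com addresses are this example's own.

```php
<?php
// Added demonstration script for this chapter; it is not the tutorial's
// code. It never calls mail(), it only builds the strings mail() would be
// given, so it can be run anywhere with the PHP CLI. All names and
// addresses below are constructed for the demo.

// What the form does with the email field: the value becomes the
// additional_headers argument of mail(). Every "\n" in it begins a new
// header line, which is the whole attack.
function build_headers(string $email): string
{
    return "From: $email";
}

// The tutorial's test, with the removed eregi() replaced by preg_match():
// it only looks for the substrings "to:" and "cc:", case-insensitively.
function spamcheck(string $field): bool
{
    return (bool) preg_match('/to:|cc:/i', $field);
}

// Stricter test: refuse any line break at all, then require one valid
// address. A single address never legitimately contains CR or LF.
function is_safe_email(string $field): bool
{
    if (preg_match('/[\r\n]/', $field)) {
        return false;
    }
    return filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs. In a real request the attacker types %0A into the
// form field and PHP decodes it to "\n" before the script sees it.
$inputs = [
    'normal'   => 'alice@example.com',
    'injected' => "alice@example.com\nCc: bob@example.com\n"
                . "Bcc: carol@example.com, dave@example.com\nTo: erin@example.com",
    // No "to:" or "cc:" in this one, so spamcheck() passes it, yet it
    // still adds a header line of the attacker's choosing.
    'bypass'   => "alice@example.com\nContent-Type: text/html; charset=UTF-8",
];

foreach ($inputs as $name => $value) {
    echo "== $name ==\n";
    echo "spamcheck() rejects:     " . (spamcheck($value) ? "yes" : "no") . "\n";
    echo "is_safe_email() rejects: " . (is_safe_email($value) ? "no" : "yes") . "\n";
    echo "headers mail() would receive:\n";
    foreach (explode("\n", build_headers($value)) as $line) {
        echo "  | $line\n";
    }
}
```

Run it with the command-line interpreter (php demo.php). The first payload is caught by both checks. The second shows the limit of the substring test: it contains neither "to:" nor "cc:", so spamcheck() lets it through, yet the injected Content-Type line would still reach mail(); rejecting line breaks outright catches both. The same rule belongs on the subject field, which also ends up in the message headers.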

 

Credit: www.w3schools.com





Copyrighted © 2008 phppod.com