Go Back   Wiki NewForum | Latest Entertainment News > Career Forum & Tips > Tech Forum & Tutorial > PHP Forum & Tutorial
Reload this Page PHP Secure E-mails
Register Latest TV News Latest Film News Latest Sports News Health & Food Tips Best of 2022 TOP 10


PHP Secure E-mails
Reply
Views: 1929  
Thread Tools Rate Thread
  #1  
Old 05-04-2009, 05:26 PM
welcomewiki welcomewiki is offline
Member
  
Join Date: Dec 2008
Location: India
Posts: 80,566
Default PHP Secure E-mails
There is a weakness in the PHP e-mail script in the previous chapter.
PHP E-mail Injections

First, look at the PHP code from the previous chapter:





if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "

Email:

Subject:

Message:




";
}
?>




The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.




What happens if the user adds the following text to the email input field in the form?




someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com



The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit ****on, the e-mail will be sent to all of the addresses above!




PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input.




The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:






function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);

//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
} if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed //check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "Invalid input";
}
else
{//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{//if "email" is not filled out, display the form
echo "

Email:

Subject:

Message:




";
}
?>




In the code above we use PHP filters to validate input:
  • The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
  • The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address


Similar Threads:
Reply With Quote
Reply

New topics in PHP Forum & Tutorial


« Previous Thread | New Posts | Array TOP 10 | Next Thread »


One Minute Videos - Best of 2022 - TV Buzz - Biography - TOP 10 - Tags - Contact Us


Powered by vBulletin® Version 3.8.10
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
WikiNewForum)