slpctrl Posted August 20, 2008

I've recently come across a problem with email injection, and the injection of additional email headers in my contact page. I'm a bit rusty with PHP; I found this function on the web to prevent it:

```php
<?php
// email injection prevention function
// Returns true when $input contains a line break (raw or URL-encoded) or a header keyword.
// eregi() was removed in PHP 7; preg_match() with the /i modifier is the same case-insensitive test.
function mailcheck($input) {
    if (preg_match('/\r|\n|%0a|%0d|Content-Type:|bcc:|to:|cc:/i', $input)) {
        return true;
    } else {
        return false;
    }
}

$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
```

Now, that's what I've got so far on my new script. How can I alert a message box notifying of illegal characters if mailcheck returns false, and allow it to mail if it returns true? Thanks in advance
DeanWhitehouse Posted August 20, 2008

I would look at the w3schools tutorial on it, as it may be better and more secure. And to do what you want, add:

```php
<?php
// mailcheck() returns true when it finds an injection marker, so that is the branch to refuse.
// $email must not be single-quoted, or the literal string '$email' is tested instead of its value.
if (mailcheck($email)) {
?>
<script type="text/javascript">
    alert("Invalid");
</script>
<?php
} else {
    // mail
}
?>
```
kenrbnsn Posted August 20, 2008

Nine times out of ten (or more), email injections are coming from programs, not people. Don't even bother with an error message, just end your script. The programs are made by hackers who screen scraped your generated source.

Ken
slpctrl Posted August 21, 2008 (Author)

> Nine times out of ten (or more), email injections are coming from programs, not people. Don't even bother with an error message, just end your script. The programs are made by hackers who screen scraped your generated source.
>
> Ken

Yeah, I know. Here is my more secure script:

```php
<?php
// Returns true when $input contains a line break (raw or URL-encoded) or a header keyword.
function mailcheck($input) {
    if (preg_match('/\r|\n|%0a|%0d|Content-Type:|bcc:|to:|cc:/i', $input)) {
        return true;
    } else {
        return false;
    }
}

$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];

$msg = "Name: $name<br>Email Address: $email<br>Message: $message";

// mailcheck() returns true on a hit, so a hit in either form field ends the script without a reply.
if (mailcheck($name) || mailcheck($email)) {
    die();
} else {
    mail("email@email.com", "Website Inquiry", $msg);
    header('Location: index.htm');
    exit;
}
?>
```
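The script above only checks for injection markers and then sends. As an added example (not code from this thread or its posters), the handler below takes the same idea further: it validates the address with filter_var(), applies a marker check to every field that could reach a header, never copies raw input into a header line (the name and message go in the body, the validated address becomes Reply-To), and stops silently on a hit, as kenrbnsn recommends. The addresses, the fixed From: sender and the $send callable are assumptions for illustration; pass the real mail() function in production. Requires PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): a hardened contact-form handler.

// True when $value could start a new mail header: a raw or URL-encoded CR/LF,
// or a header keyword with a colon at the start of the value. Applied to the
// fields that reach a header; the message body needs no such check.
function contains_header_injection(string $value): bool
{
    $pattern = '/\r|\n|%0a|%0d|^\s*(?:to|cc|bcc|content-type):/i';
    return preg_match($pattern, $value) === 1;
}

// Validates the three form fields; returns the cleaned values plus a list of failures.
function validate_submission(array $post): array
{
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    $errors = [];
    if ($name === '' || strlen($name) > 100 || contains_header_injection($name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL already rejects whitespace and line breaks; the marker
    // check is kept as defence in depth.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || contains_header_injection($email)) {
        $errors[] = 'email';
    }
    if ($message === '') {
        $errors[] = 'message';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'name' => $name, 'email' => $email, 'message' => $message];
}

// Builds the mail() arguments. Only the validated address reaches a header;
// everything else from the form lives in the plain-text body.
function build_mail(array $s, string $to): array
{
    $headers = [
        'From: contact-form@example.com',   // fixed, site-owned sender (assumed)
        'Reply-To: ' . $s['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$s['name']}\nEmail: {$s['email']}\n\n{$s['message']}\n";
    return [$to, 'Website Inquiry', $body, implode("\r\n", $headers)];
}

// Validates, then sends through $send (use 'mail' in production). A rejected
// submission is logged server-side and gets no explanatory response.
function handle_contact(array $post, string $to, callable $send): bool
{
    $s = validate_submission($post);
    if (!$s['ok']) {
        error_log('contact form rejected: ' . implode(',', $s['errors']));
        return false;
    }
    [$rcpt, $subject, $body, $headers] = build_mail($s, $to);
    return $send($rcpt, $subject, $body, $headers);
}

// Constructed sample submissions: one clean, one carrying an injected Bcc header.
$clean    = ['name' => 'Alice Example', 'email' => 'alice@example.com', 'message' => 'Hello!'];
$injected = ['name' => 'Alice', 'email' => "alice@example.com\r\nBcc: victim@example.net",
             'message' => 'Hi'];

// Stub transport so the example runs without an MTA; it just prints what would be sent.
$stub = function (string $to, string $subject, string $body, string $headers): bool {
    echo "would send to $to\n$headers\n\n$body\n";
    return true;
};

var_dump(handle_contact($clean, 'owner@example.com', $stub));
var_dump(handle_contact($injected, 'owner@example.com', $stub));
```

The clean submission is handed to the transport with a fixed From: and a Reply-To: built from the validated address; the injected one never reaches the transport at all, because filter_var() rejects the address and the handler returns false before build_mail() runs.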