
Do I need to protect a mail form from malicious attacks, and if so how?


matt.sisto


It's just a quick question about protecting my email form. I have found this script online and I was wondering if it is sufficient to prevent malicious intent?

 


$spamErrorMessage = "No URLs permitted";
if (preg_match("http/i", "$variable")) {
  echo $spamErrorMessage;
  exit();
}

 

I'm just thinking that this wouldn't prevent a user from bcc'ing lots of people.

 

Any advice appreciated. 8)

Well that RegEx isn't even valid!

"http/i"

should atleast be

"/http/i"

It does nothing to protect against bcc's; it checks to see if http exists in the $variable, for which stripos would be quicker!

 

Here's a quick version that will probably work.

 

Basically it checks for newlines + content-type:, to:, cc:, bcc: in the body, and just newlines in the email and to fields.

 

 

<?php
// pull the form fields from the POST request (empty string if absent)
$name  = (string) ($_POST['name']  ?? '');
$email = (string) ($_POST['email'] ?? '');
$body  = (string) ($_POST['body']  ?? '');

// true when the text contains no raw or URL-encoded CR/LF
function has_no_newlines($text)
{
   return !preg_match("/(%0A|%0D|\n|\r)/i", $text);
}

// true when no line break in the body is followed by a mail header name
function has_no_emailheaders($text)
{
   return !preg_match("/(%0A|%0D|\n|\r)(content-type:|to:|cc:|bcc:)/i", $text);
}

// loose syntactic check on the address (the dot before the TLD is escaped)
function validemail($email)
{
   return (bool) preg_match("/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i", $email);
}

//check valid email
if(!validemail($email))
{
die("invalid email");
}

//check name + email + body: each helper returns true only when the field is clean
if(!(has_no_newlines($name) && has_no_newlines($email) && has_no_emailheaders($body)))
{
die("Inject detected");
}
?>
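The injection both posts are circling, as an added example that is not code from the original thread: a form field carrying a CR/LF followed by `Bcc:` becomes an extra header the moment it is concatenated into the additional headers passed to mail(), which is exactly how a contact form gets turned into a spam relay. The block shows the vulnerable concatenation, the spam payload it would emit, and a gate that rejects the submission before mail() is ever called. The function names, the field values and the spam payload are my own assumptions for the demonstration; `filter_var()` with `FILTER_VALIDATE_EMAIL` is standard PHP.

```php
<?php
// Added example (not from the original thread): why a CRLF in a form field
// becomes an extra mail header, and a check that rejects such input before
// anything reaches mail(). Field names and the spam payload are constructed.

// Vulnerable pattern: untrusted fields concatenated straight into the
// additional_headers string that mail() would receive.
function build_headers_unsafe($name, $email)
{
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

// True when the text contains no raw or URL-encoded CR/LF.
function has_no_newlines($text)
{
    return !preg_match('/(%0A|%0D|\r|\n)/i', $text);
}

// True when no line break in the body is followed by a header name.
function has_no_emailheaders($text)
{
    return !preg_match('/(%0A|%0D|\r|\n)\s*(content-type|to|cc|bcc|from):/i', $text);
}

// Positive validation: a syntactically valid address cannot contain CR/LF,
// so filter_var() already refuses the injection; the explicit check keeps
// the rule visible next to the other field checks.
function validemail($email)
{
    return has_no_newlines($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Gate to apply before calling mail(): every field must pass.
function is_safe_submission($name, $email, $body)
{
    return has_no_newlines($name)
        && validemail($email)
        && has_no_emailheaders($body);
}

// Constructed spam submission: the email field smuggles a Bcc header.
$spamEmail = "attacker@example.com\r\nBcc: victim1@example.org, victim2@example.org";

echo "Headers a naive form would hand to mail():\n";
echo build_headers_unsafe('Alice', $spamEmail), "\n";

// Rejected: CRLF + Bcc in the address field.
var_dump(is_safe_submission('Alice', $spamEmail, 'hello'));
// Rejected: header name after a line break in the body.
var_dump(is_safe_submission('Alice', 'alice@example.com', "hello\nbcc: spam@example.org"));
// Accepted: a plain multi-line message with no header-looking lines.
var_dump(is_safe_submission('Alice', 'alice@example.com', "hello\nthanks"));
```

The body check deliberately tolerates ordinary line breaks, since a message body is allowed to have them; it only refuses a line break that is immediately followed by something that parses as a header. The name and address fields get the stricter rule, because there is no legitimate reason for either to span more than one line.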
