matt.sisto Posted March 31, 2009

It's just a quick question about protecting my email form. I have found this script online and I was wondering if it is sufficient to prevent malicious intent?

```php
$spamErrorMessage = "No URLs permitted";
if (preg_match("http/i", "$variable")) {
    echo $spamErrorMessage;
    exit();
}
```

I'm just thinking that this wouldn't prevent a user from bcc'ing lots of people. Any advice appreciated.

https://forums.phpfreaks.com/topic/151905-do-i-need-to-protect-a-mail-form-from-mailcious-attacks-and-if-so-how/
MadTechie Posted March 31, 2009

Well, that RegEx isn't even valid! "http/i" should at least be "/http/i". It does nothing to protect against bcc's; it checks to see if http exists in the $variable, for which stripos would be quicker!..

Here's a quick version that will probably work. Basically it checks for newlines followed by content-type:, to:, cc:, bcc: in the body, and just newlines in the email and to fields.

```php
<?php
// form fields (taken from the POST request)
$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$body  = isset($_POST['body'])  ? $_POST['body']  : '';

// check valid email
if (!validemail($email)) {
    die("invalid email");
}

// check name + email for injected newlines, and the body for injected headers
if (!(has_no_newlines($name) && has_no_newlines($email) && has_no_emailheaders($body))) {
    die("Inject detected");
}

// true when the text contains no raw or URL-encoded newline
function has_no_newlines($text)
{
    return !preg_match("/(%0A|%0D|\n+|\r+)/i", $text);
}

// true when no newline is followed by a mail header name
function has_no_emailheaders($text)
{
    return !preg_match("/(%0A|%0D|\n+|\r+)(content-type:|to:|cc:|bcc:)/i", $text);
}

// basic address syntax check (the dot before the TLD must be escaped)
function validemail($email)
{
    return (bool) preg_match("/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i", $email);
}
?>
```

https://forums.phpfreaks.com/topic/151905-do-i-need-to-protect-a-mail-form-from-mailcious-attacks-and-if-so-how/#findComment-797774
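A hardened version of the same header-injection check, added here as an example and not code from the thread or its posters. It assumes PHP 7+ and the form field names name, email, subject and body; it rejects any line break in header-bound fields, uses filter_var instead of a hand-written address regex, and builds the mail headers itself so that user input never reaches them.

```php
<?php
// Added example, not from the thread. Field names and addresses are assumptions.

// Header-bound fields must be one line: reject raw and URL-encoded CR/LF.
function is_single_line(string $value): bool
{
    return preg_match('/(\r|\n|%0A|%0D)/i', $value) === 0;
}

// PHP's own validator also rejects addresses containing control characters.
function is_valid_address(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns a list of problems; an empty list means the submission may be sent.
function validate_mail_form(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        if (!is_single_line($post[$field] ?? '')) {
            $errors[] = "$field: line break not allowed (possible header injection)";
        }
    }
    if (!is_valid_address($post['email'] ?? '')) {
        $errors[] = 'email: not a valid address';
    }
    // The body may span lines, but a line that looks like a mail header is rejected.
    if (preg_match('/^\s*(to|cc|bcc|content-type):/im', $post['body'] ?? '')) {
        $errors[] = 'body: mail header found in message text';
    }
    return $errors;
}

// Constructed submissions: one clean, one with a CRLF-injected Bcc header.
$clean  = ['name' => 'Alice', 'email' => 'alice@example.com',
           'subject' => 'Hello', 'body' => 'Just saying hi.'];
$attack = $clean;
$attack['email'] = "alice@example.com\r\nBcc: someone@example.org";

// Print the findings for each submission.
print_r(validate_mail_form($clean));
print_r(validate_mail_form($attack));

// Only after validation: build the headers yourself, never from raw input.
if (validate_mail_form($clean) === []) {
    $headers = "From: webform@example.com\r\nReply-To: " . $clean['email'];
    // mail('owner@example.com', $clean['subject'], $clean['body'], $headers);
}
```

The visitor's address goes into Reply-To only, so even a valid-looking address cannot change who the message is delivered to.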