martina Posted August 1, 2009

Hi, I need help - with PHP, that is. I have done loads of research on sites regarding header injection on PHP-processed emails from forms. I don't know if I am more lost now than before. I have the following code; can you please look at it and tell me, am I now secure?

PHP processing file:

<?php
$recipient = "my email address here";
$error = "";

// Form fields, taken straight from the POST body (PHP has already URL-decoded them).
$name = $_POST['name'];
$email = $_POST['email'];
$subject = "Enquiry";
$phone = $_POST['phone'];
$country = $_POST['country'];
$adults = $_POST['adults'];
$children = $_POST['children'];
$age = $_POST['age'];
$arrival_day = $_POST['arrival_day'];
$arrival_month = $_POST['arrival_month'];
$arrival_year = $_POST['arrival_year'];
$departure_day = $_POST['departure_day'];
$departure_month = $_POST['departure_month'];
$departure_year = $_POST['departure_year'];
$comments = $_POST['comments'];
$verification = $_POST['verification'];

// Plain-text body of the enquiry mail.
$message = "Name: " . $name . "\n E-mail: " . $email . "\n Telephone: " . $phone . "\n Country: " . $country
    . "\n\n Number of Adults: " . $adults . "\n Number of Children: " . $children . "\n Age of Children: " . $age
    . "\n\n Date of Arrival: " . $arrival_day . "," . $arrival_month . "," . $arrival_year
    . "\n Date of Departure: " . $departure_day . "," . $departure_month . "," . $departure_year
    . "\n\n Comments: " . $comments . "\n";

// Address syntax check. The hyphen is placed last in the character class so the pattern
// also compiles under PCRE2 (PHP 7.3+). Note that a bare $ also matches just before one
// final newline, so an address ending in "\n" passes this test.
$emailPattern = '/^[\w.-]+@([\w-]+\.)+[\w-]{2,4}$/';
if (!preg_match($emailPattern, $email)) {
    $error = "Incorrect Email.<br /><a href='javascript:history.back();'>Back</a><br /> ";
}

// Captcha: the hash of the expected code is read back from a cookie set by the image script.
if (md5($verification) != $_COOKIE['tpverify']) {
    $error .= "Verification code is incorrect.<br /><a href='javascript:history.back();'>Back</a><br /> ";
}

// Does "http" appear in the comments?
if (stristr($comments, "http") !== false) {
    $error .= "No Links please.<br /><a href='javascript:history.back();'>Back</a><br /> ";
}

// Header-injection blacklist. eregi() was removed in PHP 7, so the same case-insensitive
// substring tests are written with stripos(). The "%0a" and "%0d" tests look for that
// literal text; the POST data is already URL-decoded, so a real newline is not matched here.
if (stripos($email, "%0a") !== false || stripos($email, "%0d") !== false
    || stripos($email, "Content-Type:") !== false || stripos($email, "bcc:") !== false
    || stripos($email, "to:") !== false || stripos($email, "cc:") !== false) {
    $error .= "Error with entered data. <br /><a href='javascript:history.back();'>Back</a><br />";
}

// Both the From header and the envelope sender (-f) are built from the submitted address.
if ($error === "" && mail($recipient, $subject, $message, "FROM: $email", "-f$email")) {
    header("Location: thankyou.html");
} else {
    echo $error;
}
exit();
?>

The captcha code is as follows:

<?php
header('Content-type: image/jpeg');
$width = 60;
$height = 28;
$my_image = imagecreatetruecolor($width, $height);
imagefill($my_image, 0, 0, 0xA0A0A0);

// Add noise.
for ($c = 0; $c < 40; $c++) {
    $x = rand(0, $width - 1);
    $y = rand(0, $height - 1);
    imagesetpixel($my_image, $x, $y, 0x404040);
}

// Position of the text. The upper bounds were mangled in the original post ("rand(1,;");
// 8 is assumed here so that the script runs.
$x = rand(1, 8);
$y = rand(1, 8);
$rand_string = rand(1000, 9999);
imagestring($my_image, 5, $x, $y, $rand_string, 0x000000);

// The hash of the code is handed to the browser in a cookie.
setcookie('tpverify', md5($rand_string));
imagejpeg($my_image);
imagedestroy($my_image);
?>

The above code seems to work. I receive the emails and the error messages appear when needed. Any help is much appreciated. Please remember I am new to PHP - especially security. Many thanks.

https://forums.phpfreaks.com/topic/168440-email-header-injection/
ignace Posted August 1, 2009

Quote: "I have the following code, can you please look at it and tell me am I now secure."

No, you are not. You can never be 100% sure, 99.9% at the most. If it isn't the code, then it's the server, and if it isn't both, it's a PHP bug or a MySQL bug. Too many variables to ever be truly sure.
martina Posted August 1, 2009 (Author)

Thanks for the reply - it is so difficult for a person new to all this. I am scared of security issues, to be honest. I really just want to know: have I done my best? Am I ninety-something % secure? Are there any flaws in my coding? Many thanks.
ignace Posted August 2, 2009

Quote: setcookie('tpverify',(md5($rand_string)));

Don't store stuff in cookies; use sessions instead:

$_SESSION['tpverify'] = md5($rand_string);

if (md5($verification) != $_SESSION['tpverify'])
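The following is an added example (editor's code, not from either poster) that shows concretely what the cookie-based check hands to the client, and what a session-based replacement looks like. The code space of the posted captcha is rand(1000, 9999), so md5 of the code in the cookie is inverted in at most 9000 guesses, and a client can also simply set the cookie to a hash of a code it chose. The function names, the $store array standing in for $_SESSION (so the script runs from the command line), the five-minute lifetime and the sample code 4821 are this example's own assumptions.

```php
<?php
// Added example, not from the thread: what the cookie-based captcha check gives away,
// and a session-based, single-use replacement. Function names and the $store parameter
// (a stand-in for $_SESSION so this runs from the CLI) are this example's own.

declare(strict_types=1);

// The posted captcha stores md5($rand_string) in a cookie the browser sends back.
// The code space is rand(1000, 9999), so the hash can be inverted immediately.
function recover_code_from_cookie(string $cookieHash): ?int
{
    for ($code = 1000; $code <= 9999; $code++) {
        if (hash_equals($cookieHash, md5((string) $code))) {
            return $code;
        }
    }
    return null;
}

// Even without inverting it, the client can set the cookie itself: it picks the code and
// the hash, and the comparison md5($verification) != $_COOKIE['tpverify'] is satisfied
// without the image ever being requested.
function cookie_check_passes(string $verification, string $cookieHash): bool
{
    return md5($verification) === $cookieHash;
}

// Session-based replacement. In a web context call session_start() and pass $_SESSION.
function issue_captcha(array &$store): int
{
    $code = random_int(1000, 9999);                 // CSPRNG rather than rand()
    $store['captcha'] = [
        'hash'    => hash('sha256', (string) $code), // the hash never leaves the server
        'expires' => time() + 300,                   // five-minute lifetime (assumed)
    ];
    return $code;                                    // the caller draws this into the image
}

function verify_captcha(array &$store, string $submitted): bool
{
    $entry = $store['captcha'] ?? null;
    unset($store['captcha']);                        // single use: a wrong guess costs a new image
    if ($entry === null || $entry['expires'] < time()) {
        return false;
    }
    return hash_equals($entry['hash'], hash('sha256', trim($submitted)));
}

// Demonstration with constructed values.
$leakedCookie = md5('4821');                         // what the posted captcha would set
printf("code recovered from cookie: %s\n", var_export(recover_code_from_cookie($leakedCookie), true));

$forgedHash = md5('1234');                           // client-chosen cookie value
printf("forged cookie accepted:     %s\n", var_export(cookie_check_passes('1234', $forgedHash), true));

$session = [];
$code = issue_captcha($session);
printf("session: right code accepted: %s\n", var_export(verify_captcha($session, (string) $code), true));
printf("session: replay accepted:     %s\n", var_export(verify_captcha($session, (string) $code), true));
```

The single-use unset() matters as much as the move to the session: with a four-digit code and no invalidation, a client could still submit the form repeatedly against one session until it guessed the value.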
martina Posted August 3, 2009 (Author)

Thanks for your advice. I have changed the files as follows:

Captcha file:

<?php
session_start();
header('Content-type: image/jpeg');
$width = 60;
$height = 28;
$my_image = imagecreatetruecolor($width, $height);
imagefill($my_image, 0, 0, 0xA0A0A0);

// Add noise.
for ($c = 0; $c < 40; $c++) {
    $x = rand(0, $width - 1);
    $y = rand(0, $height - 1);
    imagesetpixel($my_image, $x, $y, 0x404040);
}

// Position of the text. The upper bounds were mangled in the original post ("rand(1,;");
// 8 is assumed here so that the script runs.
$x = rand(1, 8);
$y = rand(1, 8);
$rand_string = rand(1000, 9999);
imagestring($my_image, 5, $x, $y, $rand_string, 0x000000);

// The hash of the code now stays server-side in the session.
$_SESSION['verify'] = md5($rand_string);
imagejpeg($my_image);
imagedestroy($my_image);
?>

Form processing file:

<?php
session_start();
$recipient = "my email here";
$error = "";

// Form fields, taken straight from the POST body (PHP has already URL-decoded them).
$name = $_POST['name'];
$email = $_POST['email'];
$subject = "Enquiry";
$phone = $_POST['phone'];
$country = $_POST['country'];
$adults = $_POST['adults'];
$children = $_POST['children'];
$age = $_POST['age'];
$arrival_day = $_POST['arrival_day'];
$arrival_month = $_POST['arrival_month'];
$arrival_year = $_POST['arrival_year'];
$departure_day = $_POST['departure_day'];
$departure_month = $_POST['departure_month'];
$departure_year = $_POST['departure_year'];
$comments = $_POST['comments'];
$verification = $_POST['verification'];

// Plain-text body of the enquiry mail.
$message = "Name: " . $name . "\n E-mail: " . $email . "\n Telephone: " . $phone . "\n Country: " . $country
    . "\n\n Number of Adults: " . $adults . "\n Number of Children: " . $children . "\n Age of Children: " . $age
    . "\n\n Date of Arrival: " . $arrival_day . "," . $arrival_month . "," . $arrival_year
    . "\n Date of Departure: " . $departure_day . "," . $departure_month . "," . $departure_year
    . "\n\n Comments: " . $comments . "\n";

// Address syntax check. The hyphen is placed last in the character class so the pattern
// also compiles under PCRE2 (PHP 7.3+). Note that a bare $ also matches just before one
// final newline, so an address ending in "\n" passes this test.
$emailPattern = '/^[\w.-]+@([\w-]+\.)+[\w-]{2,4}$/';
if (!preg_match($emailPattern, $email)) {
    $error = "Incorrect Email.<br /><a href='javascript:history.back();'>Back</a><br /> ";
}

// Captcha: compare against the hash stored in the session by the image script.
if (md5($verification) != $_SESSION['verify']) {
    $error .= "Verification code is incorrect.<br /><a href='javascript:history.back();'>Back</a><br /> ";
}

// Does "http" appear in the comments?
if (stristr($comments, "http") !== false) {
    $error .= "No Links please.<br /><a href='javascript:history.back();'>Back</a><br /> ";
}

// Header-injection blacklist. eregi() was removed in PHP 7, so the same case-insensitive
// substring tests are written with stripos(). The "%0a" and "%0d" tests look for that
// literal text; the POST data is already URL-decoded, so a real newline is not matched here.
if (stripos($email, "%0a") !== false || stripos($email, "%0d") !== false
    || stripos($email, "Content-Type:") !== false || stripos($email, "bcc:") !== false
    || stripos($email, "to:") !== false || stripos($email, "cc:") !== false) {
    $error .= "Error with entered data. <br /><a href='javascript:history.back();'>Back</a><br />";
}

// Both the From header and the envelope sender (-f) are built from the submitted address.
if ($error === "" && mail($recipient, $subject, $message, "FROM: $email", "-f$email")) {
    header("Location: thankyou.html");
} else {
    echo $error;
}
exit();
?>

I would appreciate any comments.
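The following is an added example (editor's code, not from either poster) that runs the email checks from the posted script, split into their two parts, next to a stricter check. PHP URL-decodes the POST body before the script sees it, so the literal "%0a"/"%0d" tests never fire on a real newline, and the "bcc:"/"cc:"/"to:" tests only catch injected lines that happen to carry those names; what actually blocks a multi-line address is the regex, whose bare $ still admits one trailing newline. The stricter version refuses any CR or LF outright, validates with filter_var, and keeps the visitor's address out of the From header and the -f envelope sender by using Reply-To instead. The function names, SITE_SENDER and the four input strings are this example's own assumptions.

```php
<?php
// Added example, not from the thread: the posted email checks beside a stricter one.
// Function names, SITE_SENDER and the sample inputs are this example's own.

declare(strict_types=1);

const SITE_SENDER = 'enquiries@example.com';   // assumed: a fixed, site-owned sender address

// The regex from the post (hyphen moved to the end of the class for PCRE2).
const POSTED_PATTERN = '/^[\w.-]+@([\w-]+\.)+[\w-]{2,4}$/';

function posted_regex_passes(string $email): bool
{
    return preg_match(POSTED_PATTERN, $email) === 1;
}

// The post's blacklist, with stripos() standing in for the removed eregi().
function posted_blacklist_passes(string $email): bool
{
    foreach (['%0a', '%0d', 'Content-Type:', 'bcc:', 'to:', 'cc:'] as $bad) {
        if (stripos($email, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Stricter test: no CR/LF anywhere in the value, and a syntactically valid address.
function is_clean_address(string $email): bool
{
    if (strpbrk($email, "\r\n") !== false) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// The visitor's address only ever appears in Reply-To; From and the envelope sender
// passed via the fifth mail() argument stay under the site's control.
function build_headers(string $visitorEmail): string
{
    if (!is_clean_address($visitorEmail)) {
        throw new InvalidArgumentException('rejected address');
    }
    return "From: " . SITE_SENDER . "\r\n"
         . "Reply-To: " . $visitorEmail . "\r\n";
}

// Constructed inputs. PHP has already URL-decoded $_POST, so the script sees real
// newline characters, never the text "%0a".
$inputs = [
    'alice@example.org',                              // honest input
    "alice@example.org\nBcc: everyone@example.net",   // extra header line, name on the blacklist
    "alice@example.org\nX-Mailer: injected",          // extra header line, name not on the blacklist
    "alice@example.org\n",                            // trailing newline: the regex's $ lets it through
];

foreach ($inputs as $in) {
    printf("%-48s regex: %-4s blacklist: %-4s strict: %s\n",
        json_encode($in),
        posted_regex_passes($in) ? 'pass' : 'FAIL',
        posted_blacklist_passes($in) ? 'pass' : 'FAIL',
        is_clean_address($in) ? 'clean' : 'rejected');
}

// Envelope sender and headers for the honest input.
echo build_headers('alice@example.org');
echo "sendmail extra args: -f" . SITE_SENDER . "\n";
```

Reading the four rows side by side makes the division of labour visible: the blacklist alone would have let the X-Mailer line through, and the regex alone lets the trailing newline through. Rejecting CR and LF before any pattern check, and never placing visitor input in the From line or the -f argument, removes both gaps regardless of what the pattern does.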
This topic is now archived and is closed to further replies.