orange08, posted September 14, 2009

I have read some tutorials about email injection attacks and found some points. Can anyone please confirm these points for me?

1. It's performed through a site-provided form that sends email, but not the email that the application sends internally through hard code?
2. To prevent it, just validate the form email address field entered by the user, to make sure it contains no newlines (\n) and carriage returns (\r)?

```php
// ereg() is deprecated since PHP 5.3 and removed in PHP 7; preg_match() performs the same check
if (preg_match("/[\r\n]/", $name) || preg_match("/[\r\n]/", $email)) {
    // [... direct user to an error page and quit ...]
}
```

$name is the user name, $email is the user email address entered by the user in the form.

Link to comment: https://forums.phpfreaks.com/topic/174199-email-injection-attack/
Bricktop, posted September 14, 2009

Hi orange08,

Email injection attacks are performed by a user entering malicious code into a form which does not have the necessary validation in place to remove this malicious code. For basic prevention, it's best to check for newline characters where there shouldn't be any and for the following: "Content-Type:", "To:", "Cc:", "Bcc:"

So you could easily check for newlines with:

```php
// eregi() is deprecated and has been removed in PHP 7; preg_match() is the replacement.
// The original also lacked a closing parenthesis on the first eregi() call.
if (preg_match("/\r/", $_POST['enter_a_posted_variable_to_check'])
    || preg_match("/\n/", $_POST['enter_a_posted_variable_to_check'])) {
    echo "Hack Attempt!";
}
```

To check for the other words, stick them in an array called $illegalchars (for example) and then you can use a loop like below to check all of the POSTed data:

```php
$illegalchars = array("Content-Type:", "To:", "Cc:", "Bcc:");

foreach ($_POST as $key => $value) {
    // The original assigned $$key = $value here; that lets any POST key overwrite a
    // local variable and is not needed for the check, so it has been dropped.
    foreach ($illegalchars as $illegalchar) {
        // If any text matching an entry in the $illegalchars array is found, display the error below
        if (stripos($value, $illegalchar) !== FALSE) {
            echo "Hack Attempt!";
        }
    }
}
```

Hope this helps.

Link to comment: https://forums.phpfreaks.com/topic/174199-email-injection-attack/#findComment-918313
orange08 (author), posted September 14, 2009

OK, it's nearly what I had understood. So, if I have many fields in the form, then all the fields must be validated before the mail is sent?

Link to comment: https://forums.phpfreaks.com/topic/174199-email-injection-attack/#findComment-918318
Bricktop, posted September 14, 2009

Yes, every field needs checking for complete security. Don't check for newline characters in any textareas, but still check textareas for the other words.

Link to comment: https://forums.phpfreaks.com/topic/174199-email-injection-attack/#findComment-918326
orange08 (author), posted September 14, 2009

> Yes, every field needs checking for complete security. Don't check for newline characters in any textareas, but still check textareas for the other words.

So, for a textarea, I need to check for "Content-Type:", "To:", "Cc:", "Bcc:", right?

Link to comment: https://forums.phpfreaks.com/topic/174199-email-injection-attack/#findComment-918334
Bricktop, posted September 14, 2009

Yes.

Link to comment: https://forums.phpfreaks.com/topic/174199-email-injection-attack/#findComment-918343
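Putting the thread's advice together in one place: the following is an added PHP example, not code posted in the thread, showing a contact-form validator that rejects a CR or LF in every field that is interpolated into a mail header (name, address, subject), validates the address with filter_var(), and leaves the textarea alone. The textarea needs no newline check because its content is passed to mail() as the message body, where a line break followed by "Bcc:" is plain text and cannot become a header; the word-list check the thread suggests for textareas would only produce false positives on a body that legitimately contains "Cc:" or "To:". The field names, the hypothetical validateContactForm() and buildHeaders() functions, and the sample submissions are all constructed for this example.

```php
<?php
// Added example, not from the thread. Field names and inputs are constructed.
// Only values placed into mail headers can inject extra headers, and only by
// carrying a CR or LF, so those fields are rejected outright if they contain one.

// Form fields whose values end up inside mail headers.
const HEADER_FIELDS = ['name', 'email', 'subject'];

function containsCrlf(string $value): bool
{
    // A single bare CR or LF is enough to start a new header line in a message.
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Returns an array of field => problem. An empty array means the input is
 * safe to use when building headers.
 */
function validateContactForm(array $post): array
{
    $errors = [];

    foreach (HEADER_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $errors[$field] = 'must be a string';   // e.g. submitted as name[]
            continue;
        }
        if (containsCrlf($value)) {
            $errors[$field] = 'line breaks are not allowed';
        }
    }

    // filter_var() rejects CR/LF as well, but the explicit check above gives a
    // clearer error and also covers non-address fields such as the subject.
    $email = $post['email'] ?? '';
    if (is_string($email) && !isset($errors['email'])
        && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }

    // The textarea is deliberately not checked for line breaks: it goes to
    // mail() as the body argument, never into additional_headers.
    return $errors;
}

function buildHeaders(array $post): string
{
    // Call only after validateContactForm() has returned an empty array.
    // Remove characters that carry meaning inside a From: display name.
    $name = str_replace(['"', '<', '>'], '', $post['name']);
    return "From: \"{$name}\" <{$post['email']}>\r\n"
         . "Reply-To: {$post['email']}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Constructed sample submissions.
$clean = [
    'name'    => 'Alice Example',
    'email'   => 'alice@example.com',
    'subject' => 'Question about my order',
    'message' => "Hello,\nCc: this line is ordinary body text.\nThanks",
];
$hostile = $clean;
$hostile['email'] = "alice@example.com\r\nBcc: third-party@example.com";

var_dump(validateContactForm($clean));    // no errors: body newlines are fine
var_dump(validateContactForm($hostile));  // error on 'email': line break rejected

if (validateContactForm($clean) === []) {
    // mail('inbox@example.com', $clean['subject'], $clean['message'], buildHeaders($clean));
    echo buildHeaders($clean);
}
```

The design choice worth noting is that the control is tied to where a value is used, not to which words it contains: anything destined for a header is rejected on a line break, while the body is free text. Scanning the body for "To:" or "Bcc:" adds nothing once the header fields are locked down.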
This topic is now archived and is closed to further replies.