Cyberdave Posted November 19, 2009

How do I go about validating my form to prevent email header injection with php. Here is my code:

<?php
$error = array();

if(isset($_POST['submit'])) {
    if (empty($_POST['name']) || empty($_POST['phone']) || empty($_POST['email']) || empty($_POST['message'])) {
        $error[] = "Please fill in the all of the form fields";
    }
}

$to = "[email protected]";
$subject = "Email from Website";

$name_field = $_POST['name'];
$phone_field = $_POST['phone'];
$email_field = $_POST['email'];
$message = $_POST['message'];

//haven't got a clue why this loop is here so is commented out
/*foreach($_POST['check'] as $value) {
    $check_msg .= "\n$value\n";
}*/

$body = "Name: $name_field\n\n E-Mail: $email_field\n\n Phone: $phone_field\n\n Message:\n\n $message\n\n";

$header = "From: $email_field\r\n";

if(empty($error)) {
    mail($to, $subject, $body, $header);
    header("Location: thanks.php");
    exit();
} else {
    echo "The email has not been sent:<br />";
    foreach($error as $x => $y) {
        echo $y."<br />";
    }
    //and here you can show the form to be re-submitted after fixing the issues.
}
?>
cags Posted November 19, 2009

Since the only user entered value you are inserting into the headers is $email_field, I believe that if you simply validate that as a valid e-mail it should automatically negate any ability to inject your headers. On a side note though you may wish to change your header to something along the lines of...

$headers = "From: [email protected]\r\n";
$headers .= "Reply-To: {$email_field}\r\n";    // the address inserted into To: field on reply
$headers .= "Return-Path: {$email_field}\r\n"; // same as above, supported by different clients

Otherwise you could struggle if you have any spam filters on the receiving account.
Cyberdave Posted November 19, 2009 (Author)

> Since the only user entered value you are inserting into the headers is $email_field, I believe that if you simply validate that as a valid e-mail it should automatically negate any ability to inject your headers. On a side note though you may wish to change your header to something along the lines of...
>
> $headers = "From: [email protected]\r\n";
> $headers .= "Reply-To: {$email_field}\r\n";    // the address inserted into To: field on reply
> $headers .= "Return-Path: {$email_field}\r\n"; // same as above, supported by different clients
>
> Otherwise you could struggle if you have any spam filters on the receiving account.

So, this is how the code should look?

<?php
$error = array();

if(isset($_POST['submit'])) {
    if (empty($_POST['name']) || empty($_POST['phone']) || empty($_POST['email']) || empty($_POST['message'])) {
        $error[] = "Please fill in the all of the form fields";
    }
}

$to = "[email protected]";
$subject = "Email from Website";

$name_field = $_POST['name'];
$phone_field = $_POST['phone'];
$email_field = $_POST['email'];
$message = $_POST['message'];

//haven't got a clue why this loop is here so is commented out
/*foreach($_POST['check'] as $value) {
    $check_msg .= "\n$value\n";
}*/

$body = "Name: $name_field\n\n E-Mail: $email_field\n\n Phone: $phone_field\n\n Message:\n\n $message\n\n";

// From: is now a fixed address; the visitor's address goes in Reply-To / Return-Path
$headers = "From: [email protected]\r\n";
$headers .= "Reply-To: {$email_field}\r\n";    // the address inserted into To: field on reply
$headers .= "Return-Path: {$email_field}\r\n"; // same as above, supported by different clients

if(empty($error)) {
    mail($to, $subject, $body, $headers); // variable name fixed: the headers are built in $headers above
    header("Location: thanks.php");
    exit();
} else {
    echo "The email has not been sent:<br />";
    foreach($error as $x => $y) {
        echo $y."<br />";
    }
    //and here you can show the form to be re-submitted after fixing the issues.
}
?>
cags Posted November 19, 2009

You need to validate that the variable that contains the e-mail they entered is an e-mail address. This can be done through either an email validation class, or, if you're not bothered about being 100% compliant, a simple Regular Expression using preg_match. A simple search of either this sort or even google will give you 1000s of examples of how to validate an e-mail address.
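The two replies above boil down to one rule: the only user-supplied value that reaches the headers is the e-mail address, so validate it strictly and keep From: on your own domain. The following is an added example, not code from the thread or from either poster; validate_contact(), build_headers(), build_body(), handle_contact(), the SITE_FROM constant and the sample submissions are all introduced here. It uses PHP's built-in FILTER_VALIDATE_EMAIL instead of a hand-written regular expression, and replaces mail() with a callable so the script runs without a mail server.

```php
<?php
// Added example, not code from the thread: a hardened version of the contact
// form handler discussed above. validate_contact(), build_headers(),
// build_body() and handle_contact() are names introduced here.
declare(strict_types=1);

const SITE_FROM = 'webform@example.com'; // placeholder: an address on a domain you control

// Returns a list of error strings; an empty list means the input is safe to use.
function validate_contact(array $post): array
{
    $errors = [];
    foreach (['name', 'phone', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return ['Please fill in all of the form fields'];
        }
    }

    // The only user value that reaches the headers is the e-mail address.
    // FILTER_VALIDATE_EMAIL accepts exactly one well-formed address, which by
    // construction cannot contain CR or LF, so no extra header line can be smuggled in.
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address';
    }

    // Defence in depth: reject line breaks and NUL in every short field, so the
    // check still holds if someone later moves name or phone into a header.
    foreach (['name', 'phone', 'email'] as $field) {
        if (preg_match('/[\r\n\0]/', $post[$field]) === 1) {
            $errors[] = "The $field field contains invalid characters";
        }
    }
    return $errors;
}

// From: stays fixed to our own domain; the visitor's address goes in Reply-To
// (as suggested in the thread), which keeps the receiving spam filters happy.
function build_headers(string $visitorEmail): string
{
    return 'From: ' . SITE_FROM . "\r\n"
         . "Reply-To: $visitorEmail\r\n";
}

function build_body(array $post): string
{
    // Body content is plain text; line breaks here are harmless because they
    // never reach the header section of the message.
    return "Name: {$post['name']}\n\n"
         . "E-Mail: {$post['email']}\n\n"
         . "Phone: {$post['phone']}\n\n"
         . "Message:\n\n{$post['message']}\n\n";
}

// $send stands in for mail() so the script can be run without an MTA;
// in production pass 'mail' or a thin wrapper around it.
function handle_contact(array $post, callable $send, string $to): array
{
    $errors = validate_contact($post);
    if ($errors === []) {
        $send($to, 'Email from Website', build_body($post), build_headers($post['email']));
    }
    return $errors;
}

// Constructed sample submissions (not real data) exercising the three outcomes:
// a clean submission, one whose e-mail field carries a line break, and one with a blank field.
$samples = [
    'valid'   => ['name' => 'Alice', 'phone' => '555-0100', 'email' => 'alice@example.org', 'message' => 'Hello'],
    'crlf'    => ['name' => 'Bob',   'phone' => '555-0101', 'email' => "bob@example.org\r\nX-Injected: yes", 'message' => 'Hi'],
    'missing' => ['name' => 'Carol', 'phone' => '',         'email' => 'carol@example.org', 'message' => 'Hey'],
];

$sent = [];
$recorder = function (string $to, string $subject, string $body, string $headers) use (&$sent): bool {
    $sent[] = compact('to', 'subject', 'body', 'headers'); // record instead of delivering
    return true;
};

foreach ($samples as $label => $post) {
    $errors = handle_contact($post, $recorder, 'owner@example.org');
    printf("%-8s -> %s\n", $label, $errors === [] ? 'sent' : implode('; ', $errors));
}
printf("%d message(s) handed to the sender\n", count($sent));
```

Run it with `php contact.php`: only the clean submission is handed to the sender, the submission with a line break in the e-mail field is rejected by both the FILTER_VALIDATE_EMAIL check and the control-character check, and the one with a blank field never gets past the emptiness check. Two caveats on the Return-Path line from the thread: a Return-Path header you write yourself is normally discarded and regenerated by the MTA, so if you need to control the envelope sender use mail()'s fifth argument (additional_params, e.g. '-f' . SITE_FROM), and never build that argument from user input because it is passed to the sendmail command line.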
Cyberdave Posted November 19, 2009 (Author)

> You need to validate the variable that contains the e-mail they entered is an e-mail address, this can be done through either an email validation class, or if your not bothered about being 100% compliant a simple Regular Expression using preg_match. A simple search of either this sort or even google will give you 1000s of examples of how to validate an e-mail address.

Yes, I have tried a few of these, but I cannot get it to work. I am a newbie to PHP. I'm really sure what I am doing TBH.
This topic is now archived and is closed to further replies.