Validating PHP Mailer to Prevent Email Header Injection


Cyberdave

How do I go about validating my form to prevent email header injection with PHP?

Here is my code:

<?php
$error = array();
if (isset($_POST['submit'])) {
    if (empty($_POST['name']) || empty($_POST['phone']) || empty($_POST['email']) || empty($_POST['message'])) {
        $error[] = "Please fill in all of the form fields";
    }
}

$to = "client@clientswebaddress.com";
$subject = "Email from Website";
$name_field = $_POST['name'];
$phone_field = $_POST['phone'];
$email_field = $_POST['email'];
$message = $_POST['message'];
// haven't got a clue why this loop is here so is commented out
/*foreach ($_POST['check'] as $value) {
    $check_msg .= "\n$value\n";
}*/
$body = "Name: $name_field\n\n E-Mail: $email_field\n\n Phone: $phone_field\n\n Message:\n\n $message\n\n";
$header = "From: $email_field\r\n"; // user-supplied value goes straight into a mail header
if (empty($error)) {
    mail($to, $subject, $body, $header);
    header("Location: thanks.php");
    exit();
} else {
    echo "The email has not been sent:<br />";
    foreach ($error as $x => $y) {
        echo $y . "<br />";
    }
    // and here you can show the form to be re-submitted after fixing the issues.
}
?>


Since the only user-entered value you are inserting into the headers is $email_field, I believe that if you simply validate that as a valid e-mail it should automatically negate any ability to inject your headers. On a side note, though, you may wish to change your header to something along the lines of...

 

$headers = "From: noreply@yourdomain.com\r\n";
$headers .= "Reply-To: {$email_field}\r\n"; // the address inserted into To: field on reply
$headers .= "Return-Path: {$email_field}\r\n"; // same as above supported by different clients

Otherwise you could struggle if you have any spam filters on the receiving account.


Since the only user-entered value you are inserting into the headers is $email_field, I believe that if you simply validate that as a valid e-mail it should automatically negate any ability to inject your headers. On a side note, though, you may wish to change your header to something along the lines of...

 

$headers = "From: noreply@yourdomain.com\r\n";
$headers .= "Reply-To: {$email_field}\r\n"; // the address inserted into To: field on reply
$headers .= "Return-Path: {$email_field}\r\n"; // same as above supported by different clients

Otherwise you could struggle if you have any spam filters on the receiving account.

 

So, this is how the code should look?

 

How do I go about validating my form to prevent email header injection with PHP?

Here is my code:

<?php
$error = array();
if (isset($_POST['submit'])) {
    if (empty($_POST['name']) || empty($_POST['phone']) || empty($_POST['email']) || empty($_POST['message'])) {
        $error[] = "Please fill in all of the form fields";
    }
}

$to = "client@clientswebaddress.com";
$subject = "Email from Website";
$name_field = $_POST['name'];
$phone_field = $_POST['phone'];
$email_field = $_POST['email'];
$message = $_POST['message'];
// haven't got a clue why this loop is here so is commented out
/*foreach ($_POST['check'] as $value) {
    $check_msg .= "\n$value\n";
}*/
$body = "Name: $name_field\n\n E-Mail: $email_field\n\n Phone: $phone_field\n\n Message:\n\n $message\n\n";
$headers = "From: noreply@yourdomain.com\r\n";
$headers .= "Reply-To: {$email_field}\r\n"; // the address inserted into To: field on reply
$headers .= "Return-Path: {$email_field}\r\n"; // same as above supported by different clients
// note: $email_field is still unvalidated at this point
if (empty($error)) {
    mail($to, $subject, $body, $headers); // was $header (undefined); must match the variable built above
    header("Location: thanks.php");
    exit();
} else {
    echo "The email has not been sent:<br />";
    foreach ($error as $x => $y) {
        echo $y . "<br />";
    }
    // and here you can show the form to be re-submitted after fixing the issues.
}
?>


You need to validate that the variable that contains the e-mail they entered is an e-mail address. This can be done through either an email validation class or, if you're not bothered about being 100% compliant, a simple regular expression using preg_match. A simple search of either this site or even Google will give you 1000s of examples of how to validate an e-mail address.

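The two replies above say to validate the visitor's address and to keep it out of From:. Here is one way to do both, as an added example that is not code from this thread: it rejects any value containing a control character (a line break in a header value is exactly what lets extra headers be appended), checks what is left with PHP's built-in filter_var(FILTER_VALIDATE_EMAIL) rather than a hand-written regex, and builds the headers with a fixed From: on your own domain and the validated address only in Reply-To:. The function names, the noreply@example.com sender and the sample inputs are made up for the demonstration.

```php
<?php
// Added example, not the thread's code: validate a user-supplied e-mail address
// before it is placed in a mail header, and keep From: under our own control.

function clean_email_for_header(string $input): ?string
{
    // Only surrounding whitespace is removed; anything else must be intact.
    $email = trim($input);

    // Reject every control character (CR, LF, NUL, ...). A CR/LF inside a header
    // value would end the Reply-To: line and let the rest be read as new headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $email)) {
        return null;
    }

    // Require a syntactically valid single address. filter_var() also refuses
    // values with line breaks, but the explicit check above states the intent.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Keep a sane length (254 is the usual practical limit for an address).
    if (strlen($email) > 254) {
        return null;
    }

    return $email;
}

function build_headers(string $replyTo, string $fromAddress = 'noreply@example.com'): string
{
    // From: is always a fixed address on our own domain, so the receiving side's
    // SPF/DMARC checks see our domain; the visitor's address only goes into Reply-To:.
    return "From: {$fromAddress}\r\n"
         . "Reply-To: {$replyTo}\r\n"
         . "X-Mailer: PHP/" . PHP_VERSION . "\r\n";
}

// Constructed sample inputs (not from the thread) showing what is accepted and rejected.
$samples = [
    'alice@example.com',
    '  bob@example.org  ',                   // surrounding whitespace is trimmed
    "carol@example.com\r\nX-Injected: yes",  // line break inside the value: rejected
    'not an address',                        // fails FILTER_VALIDATE_EMAIL
];

foreach ($samples as $sample) {
    $clean = clean_email_for_header($sample);
    if ($clean === null) {
        echo 'REJECTED: ' . json_encode($sample) . "\n";
    } else {
        echo "ACCEPTED: {$clean}\n";
    }
}

// How the form handler from the thread would use it (hypothetical wiring):
$error = [];
$email_field = clean_email_for_header($_POST['email'] ?? '');
if ($email_field === null) {
    $error[] = 'Please enter a valid e-mail address';
}
if (empty($error)) {
    // mail($to, $subject, $body, build_headers($email_field));
}
```

Two points on the header layout suggested earlier in the thread: a Return-Path: line in the additional_headers string is usually discarded and rewritten by the receiving mail server from the envelope sender, so it buys little; and the envelope sender is really controlled by sendmail's -f option (the fifth argument to mail()), which is passed to a command line and is therefore never a place for a user-supplied value. Validating the address with filter_var before it reaches any header is the check that matters.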

You need to validate that the variable that contains the e-mail they entered is an e-mail address. This can be done through either an email validation class or, if you're not bothered about being 100% compliant, a simple regular expression using preg_match. A simple search of either this site or even Google will give you 1000s of examples of how to validate an e-mail address.

 

Yes, I have tried a few of these, but I cannot get it to work. I am a newbie to PHP. I'm really sure what I am doing TBH.
