tryingtolearn Posted January 1, 2010
I'm trying to figure out if my bases are covered. Here is the scenario: There is an HTML form on one site that points to a processing form on another site. It has name and email text fields and a comments text box, passed via POST. The processing form takes each of the variables passed to it like this: trim(strip_tags(stripslashes($_POST['var']))). The mail script has the "to" address hardcoded into it. Is it still vulnerable to header injection? I guess I'm trying to grasp how the info is going to get from the form to the header in this manner. Thanks for any input.
https://forums.phpfreaks.com/topic/186853-getting-a-handle-on-mail-security/
cags Posted January 1, 2010
Depends on the server settings on the site. If the values have been escaped due to magic_quotes settings, stripslashes would only strip the escape slashes, leaving any \r\n characters in place. It also very much depends what the script does with the values. Personally I'd recommend htmlentities over strip_tags as it leaves the content intact.
tryingtolearn Posted January 1, 2010 (Author)
Thanks for the response. I'm just passing the variables in the body of the email to get the info. htmlentities - OK, I was just thinking to get rid of it altogether, but... So would it be better to remove instances of \r \n?
cags Posted January 1, 2010
As I said, it depends on what exactly you're doing with the variables and also on the server settings. If for example you're talking about the main 'body' of the message (i.e. the $message/3rd parameter) you don't want to remove \r\n characters, because that would prevent the user from actually applying any newline characters in the message they are sending, which could lead to a right mess. But obviously this depends what type of mail it's sending; if all your form does is send details about a person via e-mail then you perhaps don't need that, as you will have a predefined layout. If however it is a feedback form, allowing long messages without newline characters would make it very hard to read.

If the variable is being put into a header though, such as..

$headers .= "From: $var\r\n";
// or
$headers .= "Reply-To: $var\r\n";

Then it's important that $var doesn't contain \r\n characters, since this would allow somebody to submit "bob@tbuilder\r\nCC:[email protected],[email protected]" etc.
tryingtolearn Posted January 1, 2010 (Author)
I guess that's the skinny of my question. So if you have a set up like this

...
if (preg_match('/^[[:alnum:]][a-z0-9_\.\-]*@[a-z0-9\.\-]+\.[a-z]{2,4}$/i', trim(htmlentities(stripslashes($_POST['email']))))) {
    $e = strip_tags($_POST['email']);
} else {
    $e = FALSE;
    echo '<p class="error">Please enter a valid email address!</p>';
}
...
$message = "NAME-$fn $ln \r\n";
$message .= "EMAIL - $e \r\n";
$message .= "STATE/ZIPCODE - $st $zc \r\n";
$message .= "DESCRIPTION - $sanscript";
mail('[email protected]', 'mySubject', $message);

is it vulnerable through the $message var? Sorry if I'm seeming a bit dense on this, but I guess I'm not seeing how this is a vulnerability, but I have been told that it is.
cags Posted January 1, 2010
Providing the values are being inserted into $message and you have some form of protection against XSS (strip_tags, htmlentities etc.) I don't see in what way it is vulnerable. I could be wrong, but I don't see anything that can be exploited.
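The two points cags makes above (a user value placed in a header line is injectable, a value placed only in the body is not) can be shown side by side. The following is an added example, not code from the thread or from any poster; it builds the strings that would be passed to mail() but does not send anything, and the addresses (example.com / example.net) are hypothetical. It also shows that the OP's trim(strip_tags(stripslashes(...))) chain leaves \r\n untouched, as cags notes.

```php
<?php
// Added example: header injection in PHP mail() headers vs. the message body.
// Nothing is sent; we only construct the strings mail() would receive.

// Vulnerable pattern from the discussion: the raw value goes straight into a
// header line, so a CRLF inside it starts a new, attacker-chosen header.
function build_headers_unsafe(string $fromAddr): string
{
    $headers  = "From: $fromAddr\r\n";
    $headers .= "Reply-To: $fromAddr\r\n";
    return $headers;
}

// Hardened version: refuse anything that is not a single valid address.
// FILTER_VALIDATE_EMAIL already rejects CR/LF, but the explicit check makes
// the intent clear and catches the case before any other processing.
function build_headers_safe(string $fromAddr): ?string
{
    if (preg_match('/[\r\n]/', $fromAddr)) {
        return null; // a newline in a header value is a header injection attempt
    }
    if (filter_var($fromAddr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: $fromAddr\r\nReply-To: $fromAddr\r\n";
}

// Body construction in the style of the OP's $message: CRLF in a field just
// adds lines inside the body; it cannot reach the header block because mail()
// takes the headers as a separate (4th) argument.
function build_body(array $fields): string
{
    $body = '';
    foreach ($fields as $label => $value) {
        // htmlentities only matters if the mail is rendered as HTML; it is kept
        // here to mirror the thread's XSS precaution and it does not touch CRLF.
        $body .= $label . ' - ' . htmlentities($value, ENT_QUOTES, 'UTF-8') . "\r\n";
    }
    return $body;
}

// Constructed attacker input (hypothetical addresses): a valid-looking address
// followed by CRLF and an extra Cc header.
$payload = "bob@example.com\r\nCc: spamtarget@example.net";

echo "--- unsafe header build ---\n";
echo build_headers_unsafe($payload);
// The MTA now sees three header lines: From, Cc (attacker-added), Reply-To.

echo "--- after the OP's trim/strip_tags/stripslashes chain ---\n";
$cleaned = trim(strip_tags(stripslashes($payload)));
var_dump($cleaned === $payload);
// bool(true): no backslashes, no tags, and trim() only touches the ends,
// so the embedded CRLF survives untouched.

echo "--- safe header build ---\n";
var_dump(build_headers_safe($payload));          // NULL: rejected
var_dump(build_headers_safe('bob@example.com')); // "From: ...\r\nReply-To: ...\r\n"

echo "--- same payload in the body ---\n";
echo build_body(['NAME' => 'Bob', 'EMAIL' => $payload]);
// The "Cc:" text is just another line of body text; it is never parsed as a header.
```

The practical rule that falls out of this: validate any value that ends up in a header (From, Reply-To, Subject) as a single token with no CR or LF, and treat the body as free text where newlines are legitimate.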
tryingtolearn Posted January 1, 2010 (Author)
Cags, I appreciate you taking the time on this thread. It's a broad topic, and when I hear something I start to question things, so I just wanted to be sure what I was thinking made sense. Thanks for the time and input.
Daniel0 Posted January 1, 2010
HTML emails suck anyway. I hate when people send me that.
cags Posted January 1, 2010
> HTML emails suck anyway. I hate when people send me that.

Technically speaking, I don't think the OP actually specified it was an HTML e-mail. I have to say I disagree though; having clickable links in emails (at least ones you want to receive) can be useful.
tryingtolearn Posted January 1, 2010 (Author)
This particular one isn't HTML, but there are plenty of applications where I do use them. No better way to boost sales than a few product pictures with links right to the item to buy it. Never underestimate the impulse shoppers.
Daniel0 Posted January 1, 2010
> HTML emails suck anyway. I hate when people send me that.
> Technically speaking I don't think the OP actually specified it was a HTML e-mail. I have to say I disagree though, having clickable links in emails (at least ones you want to receive) can be useful.

That's why you would use a proper email client that makes links clickable. Kind of like I don't have to put URL tags around this: http://www.phpfreaks.com

You'll also find that many mailing lists' guidelines prohibit HTML email as well. All of PHP's mailing lists do, for instance.
tryingtolearn Posted January 1, 2010 (Author)
> All of PHP's mailing lists do for instance

What do you mean by ALL PHP's??
Daniel0 Posted January 1, 2010
> All of PHP's mailing lists do for instance
> What do you mean by ALL PHP's??

http://dictionary.reference.com/browse/all
http://www.php.net/mailing-lists.php
tryingtolearn Posted January 1, 2010 (Author)
Oh, I get you now. http://dictionary.reference.com/browse/jokes