Jump to content

Email Form Header Injection

Go to solution Solved by SF23103,

Recommended Posts

I created a script that takes info in the url (script.php?id=123), compares that number (123) to a database and gets more information about that person (name, etc.).  The number also corresponds to their email address (123@domain.com).


The information is passed to an email script which is a contact form.  The contact form only sends the email to 123@domain.com and cannot be changed by the user.  The user can enter their name, email, a subject, and the message.  The name and subject are converted into email headers and sent to 123@domain.com (from: the user submiited info).


My question is that although the user cannot change the to: address, can they still input code into the name, email, and subject fields to inject additional to: addresses?


If so, any suggestions on exsting code that could elimiate this threat?



Link to comment
Share on other sites

I don't know if I see where the problem lies.


The email address is retrieved from the database and then written into a variable. That variable is then used in the mail() function (or something equivalent). If the user cannot modify that variable they can't send it to multiple emails correct?


If they try to append multiple numbers in the URL the database won't return a match (eg. it will match "123" but not "123,456").


So as long as the number going in is clean (mysql escape?) it should be fine.


Did I miss something?

Link to comment
Share on other sites

As monkeypaw201 suggested, you'll want to sanitize the GET variable (id) before running the query. Since you're dealing with a number, you can make sure it's a number using ctype_digit():



If you don't sanitize the information, there's a potential for someone to tamper with your database.

Edited by cyberRobot
Link to comment
Share on other sites

  • Solution

Thanks for the replies.  I thought I was ok.. but I wanted to make sure I wasn't missing anything since I'm allowing the user to enter their (from) address and subject which go into the header.


I did write a section that verifies that the variable (id) is an integer.  If it is not, it spits out an error and does not perform the rest of the code.

Link to comment
Share on other sites

I just re-read your post and it sounds like you actually have a two-step process. The first process uses the ID number to grab the user's information from the database...which is likely to be fine. In the next step, however, they fill out a form to supply information to be included in the e-mail.


What does the following mean?


The contact form only sends the email to 123@domain.com and cannot be changed by the user.


Is the e-mail address stored in a hidden field, disabled field, or something else? It might be helpful to see the code for the form. Note that any information being passed through a form (even the disabled/hidden ones) can be modified.


Also, it sounds like the form allows visitors to type in an address in the form...and it sounds like this address is being used in the headers argument. Are you using PHP's mail() function. If so, the "additional_headers" argument allows addresses to be added as Cc and Bcc. So the potential for someone to use the form for spam might be there.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.