Hi, I really don't know much about PHP code and need help. Could you tell me what I need to add to this email form PHP code to stop spammers from email header injection? My hosting account recently was sending spam emails that I did not send and I thought this might be the problem. Thanks.

Here is what I have now:

<?php
$to = "email@mydomain.com";
$subject = "Pottery Question";
$email = $_REQUEST['email'];
$name = $_REQUEST['name'];
$questions = $_REQUEST['questions'];
$spam = $_REQUEST['spamcheck'];

if ($spam == 4) {
    // Build the message body from the form fields
    $message  = "Name: \n";
    $message .= $name;
    $message .= "\n\n";
    $message .= "Email: \n";
    $message .= $email;
    $message .= "\n\n";
    $message .= "Questions: \n";
    $message .= $questions;

    // The form-supplied address goes straight into the mail headers
    $headers = "From: $email";
    $sent = mail($to, $subject, $message, $headers);
    if ($sent) {
        print "Your message was sent successfully";
    } else {
        print "We encountered an error sending your mail";
    }
} else {
    header("Location: http://www.go.away");
    die();
}
?>

$headers = "From: $email";
You're not validating or sanitizing $email, so attackers can inject anything they want into the headers. You need to validate $email so that it can only contain a single, valid email address and nothing more.

The FROM header should be sending from an account on YOUR domain, not what the user filled out on a form.

If your domain is xyz.com, then email needs to come FROM some-user@xyz.com. I'd suspect that is the reason for the "spam". Most email servers will flag email as spam if they are not coming from the originating domain that the mail server is using.

Good point. I think you could use a Reply-To header for that instead of From, to avoid spam filters.
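Putting the three replies together, as an added example that is not code from any poster in this thread: validate the submitted address so it is exactly one well-formed address with no line breaks, send From a fixed mailbox on the site's own domain, and carry the visitor's address in Reply-To. The mailbox names are placeholders.

```php
<?php
// Added example: hardened version of the form mailer discussed above.
// Placeholder addresses; replace with mailboxes on your own domain.
const MAIL_TO   = 'email@mydomain.com';
const MAIL_FROM = 'webform@mydomain.com';

/**
 * Return a single validated address, or null if the input is not
 * exactly one well-formed address. CR/LF are refused explicitly, since
 * a line break is what lets extra headers (Cc:, Bcc:) be appended.
 */
function clean_email_address(string $input): ?string
{
    $input = trim($input);
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    $valid = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$email     = clean_email_address($_REQUEST['email'] ?? '');
$name      = $_REQUEST['name'] ?? '';
$questions = $_REQUEST['questions'] ?? '';
$spam      = $_REQUEST['spamcheck'] ?? '';

// Reject the request if the spam check fails or the address is unusable
if ($spam !== '4' || $email === null) {
    header('Location: http://www.go.away');
    exit;
}

// Form fields only ever go into the body; line breaks are harmless there.
$message = "Name: \n$name\n\nEmail: \n$email\n\nQuestions: \n$questions";

// From is always our own mailbox, so the mail is not treated as spoofed;
// the validated visitor address goes in Reply-To so replies still reach them.
$headers = "From: " . MAIL_FROM . "\r\n"
         . "Reply-To: $email";

if (mail(MAIL_TO, 'Pottery Question', $message, $headers)) {
    print 'Your message was sent successfully';
} else {
    print 'We encountered an error sending your mail';
}
```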
