rob31 Posted July 2, 2015 Share Posted July 2, 2015 Hi, I really don't know much about php code and need help. Could you tell me what I need to add to this email form php code to stop spammers from email header injection? My hosting account recently was sending spam emails that I did not send and I thought this might be the problem. Thanks. Here is what I have now: <?php$to = "[email protected]";$subject = "Pottery Question";$email = $_REQUEST['email'] ;$name = $_REQUEST['name'] ;$questions = $_REQUEST['questions'] ;$spam = $_REQUEST['spamcheck'] ;{if ($spam == 4){$message .= "Name: \n";$message .= $name;$message .= "\n";$message .= "\n";$message .= "Email: \n";$message .= $email;$message .= "\n";$message .= "\n";$message .= "Questions: \n";$message .= $questions; $headers = "From: $email";$sent = mail($to, $subject, $message, $headers) ;if($sent){print "Your message was sent successfully"; }else{print "We encountered an error sending your mail"; }}else {header( "Location: http://www.go.away" ); die();} }?> Link to comment https://forums.phpfreaks.com/topic/297153-need-help-with-preventing-email-injection/ Share on other sites More sharing options...
scootstah Posted July 2, 2015 Share Posted July 2, 2015 $headers = "From: $email";You're not validating or sanitizing $email, so attackers can inject anything they want into the headers. You need to validate $email so that it can only contain a single, valid email address and nothing more. Link to comment https://forums.phpfreaks.com/topic/297153-need-help-with-preventing-email-injection/#findComment-1515475 Share on other sites More sharing options...
cyberRobot Posted July 2, 2015 Share Posted July 2, 2015 For what it's worth, PHP has a built-in email validator. See Example 1 here: http://php.net/manual/en/filter.examples.validation.php Link to comment https://forums.phpfreaks.com/topic/297153-need-help-with-preventing-email-injection/#findComment-1515478 Share on other sites More sharing options...
CroNiX Posted July 2, 2015 Share Posted July 2, 2015 The FROM header should be sending from an account on YOUR domain, not what the user filled out on a form. If your domain is xyz.com, then email needs to come FROM [email protected]. I'd suspect that is the reason for the "spam". Most email servers will flag email as spam if they are not coming from the originating domain that the mail server is using. Link to comment https://forums.phpfreaks.com/topic/297153-need-help-with-preventing-email-injection/#findComment-1515480 Share on other sites More sharing options...
scootstah Posted July 2, 2015 Share Posted July 2, 2015 The FROM header should be sending from an account on YOUR domain, not what the user filled out on a form. If your domain is xyz.com, then email needs to come FROM [email protected]. I'd suspect that is the reason for the "spam". Most email servers will flag email as spam if they are not coming from the originating domain that the mail server is using. Good point. I think you could use a Reply-To header for that instead of From, to avoid spam filters. Link to comment https://forums.phpfreaks.com/topic/297153-need-help-with-preventing-email-injection/#findComment-1515482 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.