rob31 Posted July 2, 2015

Hi, I really don't know much about PHP code and need help. Could you tell me what I need to add to this email form PHP code to stop spammers from email header injection? My hosting account recently was sending spam emails that I did not send and I thought this might be the problem. Thanks. Here is what I have now:

    <?php
    $to = "email@mydomain.com";
    $subject = "Pottery Question";
    $email = $_REQUEST['email'];
    $name = $_REQUEST['name'];
    $questions = $_REQUEST['questions'];
    $spam = $_REQUEST['spamcheck'];
    $message = "";

    if ($spam == 4) {
        $message .= "Name: \n";
        $message .= $name;
        $message .= "\n";
        $message .= "\n";
        $message .= "Email: \n";
        $message .= $email;
        $message .= "\n";
        $message .= "\n";
        $message .= "Questions: \n";
        $message .= $questions;

        // The submitted address is placed directly into the mail headers
        $headers = "From: $email";
        $sent = mail($to, $subject, $message, $headers);
        if ($sent) {
            print "Your message was sent successfully";
        } else {
            print "We encountered an error sending your mail";
        }
    } else {
        header("Location: http://www.go.away");
        die();
    }
    ?>
scootstah Posted July 2, 2015

    $headers = "From: $email";

You're not validating or sanitizing $email, so attackers can inject anything they want into the headers. You need to validate $email so that it can only contain a single, valid email address and nothing more.
cyberRobot Posted July 2, 2015

For what it's worth, PHP has a built-in email validator. See Example 1 here: http://php.net/manual/en/filter.examples.validation.php
CroNiX Posted July 2, 2015

The FROM header should be sending from an account on YOUR domain, not what the user filled out on a form. If your domain is xyz.com, then email needs to come FROM some-user@xyz.com. I'd suspect that is the reason for the "spam". Most email servers will flag email as spam if they are not coming from the originating domain that the mail server is using.
scootstah Posted July 2, 2015

> The FROM header should be sending from an account on YOUR domain, not what the user filled out on a form. If your domain is xyz.com, then email needs to come FROM some-user@xyz.com. I'd suspect that is the reason for the "spam". Most email servers will flag email as spam if they are not coming from the originating domain that the mail server is using.

Good point. I think you could use a Reply-To header for that instead of From, to avoid spam filters.
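Putting the advice from the replies above together (validate the address with filter_var, keep From on your own domain, put the visitor's address in Reply-To, and never let CR/LF into a header line), here is a hardened rewrite of the OP's handler. This is an added example, not code from any of the posts; it assumes the site's own domain is example.com (used for the From address), PHP 7.1 or later, that the receiving mailbox stays the OP's email@mydomain.com and that the spam-check answer is still 4. The injection payload in the self-check is constructed for the example.

```php
<?php
// Added example, not the OP's script: a hardened version of the contact-form
// handler from this thread. Assumptions: the site's own domain is example.com
// (FROM_ADDRESS), the receiving mailbox is the OP's email@mydomain.com, the
// spam-check answer is still "4", and PHP 7.1 or later is available.
declare(strict_types=1);

const TO_ADDRESS   = 'email@mydomain.com';
const FROM_ADDRESS = 'contact-form@example.com'; // assumed: an address on YOUR domain
const SUBJECT      = 'Pottery Question';

// Return the address if it is exactly one valid address, otherwise null.
// FILTER_VALIDATE_EMAIL rejects whitespace, CR and LF, so a payload such as
// "a@b.com\r\nBcc: list@example.net" cannot reach the header string.
function validEmail(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 254) {
        return null;
    }
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    // Belt and braces: never let any control character into a header.
    if ($email === false || preg_match('/[\x00-\x1F\x7F]/', $email)) {
        return null;
    }
    return $email;
}

// Collapse control characters (including CR/LF) to a space and cap the length,
// so a value is safe to place inside a single header line.
function headerSafe(string $input, int $maxLen = 100): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $input);
    return substr(trim($clean), 0, $maxLen);
}

// From is fixed to our own domain; the visitor's address goes in Reply-To so
// "Reply" in the mail client still reaches them. The display name is quoted
// and escaped so it cannot add header fields of its own.
function buildHeaders(string $replyTo, string $name): string
{
    $display = str_replace(['\\', '"'], ['\\\\', '\\"'], headerSafe($name));
    // PHP's mail() documentation asks for CRLF between headers; a few MTAs want
    // bare LF instead, so check with your host if mail arrives with broken headers.
    return 'From: ' . FROM_ADDRESS . "\r\n"
         . 'Reply-To: "' . $display . '" <' . $replyTo . '>';
}

// Offline self-check with constructed inputs; runs when invoked from the CLI.
function selfCheck(): bool
{
    $injection = "alice@example.net\r\nBcc: list@example.net"; // constructed payload
    return validEmail('alice@example.net') === 'alice@example.net'
        && validEmail($injection) === null
        && validEmail('not an address') === null
        && headerSafe("Alice\r\nBcc: list@example.net") === 'Alice Bcc: list@example.net'
        && strpos(buildHeaders('alice@example.net', "Al\"ice\r\n"), "\r\n\r\n") === false;
}

if (PHP_SAPI === 'cli') {
    $ok = selfCheck();
    echo $ok ? "self-check OK\n" : "self-check FAILED\n";
    exit($ok ? 0 : 1);
}

// --- web request handling ---------------------------------------------------
// Read from $_POST only (the OP used $_REQUEST, which also accepts GET and
// cookie values) and compare the spam answer strictly rather than with ==.
if (($_POST['spamcheck'] ?? '') !== '4') {
    header('Location: http://www.go.away');
    exit;
}

$email     = validEmail((string) ($_POST['email'] ?? ''));
$name      = headerSafe((string) ($_POST['name'] ?? ''));
$questions = substr((string) ($_POST['questions'] ?? ''), 0, 5000); // body text only; cap size

if ($email === null || $name === '') {
    http_response_code(400);
    echo 'Please enter your name and a valid e-mail address.';
    exit;
}

$message  = "Name: \n" . $name . "\n\n";
$message .= "Email: \n" . $email . "\n\n";
$message .= "Questions: \n" . $questions;

$sent = mail(TO_ADDRESS, SUBJECT, $message, buildHeaders($email, $name));
echo $sent ? 'Your message was sent successfully' : 'We encountered an error sending your mail';
```

Run it as `php contact.php` from a shell to execute the self-check against the constructed Bcc: injection payload; under a web server it handles the form POST. The injection is stopped at two independent points: filter_var refuses the address outright, and even an address that passes is never written into From, only into a Reply-To line the script builds itself, so the mail leaves your server from your own domain as CroNiX recommends.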