mega77 Posted December 15, 2007

I have read various tutorials on email injection and would like to know if this code is secure.

<?php
if (!isset($_SERVER['HTTP_USER_AGENT'])) {
    exit;
}

$note = $_REQUEST["note"];

// body of the mail
$message  = "";
$message .= "$note\n";
$message .= "message input\n";
$message .= "message input\n";
$message .= "message input\n";

// additional headers passed to mail()
$headers  = "";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/plain; charset=\"UTF-8\"\n";
$headers .= "Content-Transfer-Encoding: 7bit\n";
$headers .= "From: myemail@mydomain.com\n";

if ((eregi("Cc", $headers)) || (eregi("Bcc", $headers))) {
    mail("myemail@mydomain.com", "Somebody tried to Inject", $message, "From: myemail@mydomain.com");
    exit;
}

mail("myemail@mydomain.com", "Message subject written here", $message, $headers);
kenrbnsn Posted December 15, 2007

No, it is not. You're checking for stuff in the $headers variable, but that variable does not contain any values coming from the outside. You need to check all fields passed to your script that would go into the mail message for "CC", "BCC", "Content-type" and some other characters. If you haven't read this article from the NYphp.org web site, you should.

BTW, don't use $_REQUEST; use either $_GET or $_POST depending on the method for your form.

Ken
sureshp Posted December 15, 2007

Better, you should use a CAPTCHA in all the forms to avoid spam, to some extent.
PFMaBiSmAd Posted December 15, 2007

Everything that you can think of to do in the form, such as a CAPTCHA, starting a session on the form page that is checked in the form processing code, hidden fields that contain unique values, dummy invisible fields for bots to find... can be bypassed given enough effort, or, if a human is submitting the spam/header injection, they have no effect at all.

The form processing code is the last line of defense. The validation it does of the values it receives is the most important step, and having good validation code prevents the spamming completely, while everything you do in the form only filters out poorly written bot scripts or inconveniences your legitimate visitors. The well-written bot scripts and live people are still able to submit to your form processing code, so it needs to do a good job of validating the input it receives and discarding spamming attempts.
rab Posted December 15, 2007

$note = str_replace(array("\n", "\r", "%0a", "%0d"), "", $_REQUEST['note']);
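An added example (not code posted by anyone in this thread) that puts the two points above into a single form handler: the validation in the processing code that PFMaBiSmAd describes, and the newline stripping rab suggests, applied where it matters. It shows the pattern that actually is injectable, a user-supplied address concatenated into the additional_headers argument of mail(), next to a version that refuses any header-bound field containing CR, LF or NUL and checks the address with filter_var(). Field names ('email', 'subject', 'note'), the sample inputs and the recipient address are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. A contact-form handler shown two ways:
// the common pattern that copies a user-supplied address into From:, and a
// version that validates every header-bound field before mail() sees it.
// Field names ('email', 'subject', 'note') and the addresses are assumptions.

// VULNERABLE: user input is concatenated into additional_headers. Every header is
// one line, so a LF inside $post['email'] starts a new header line:
// "eve@example.com\nBcc: victim@example.net" adds a Bcc: the author never wrote.
// Do not rely on mail() itself to reject this.
function build_headers_vulnerable(array $post): string
{
    $headers  = "MIME-Version: 1.0\n";
    $headers .= "Content-Type: text/plain; charset=\"UTF-8\"\n";
    $headers .= "From: " . $post['email'] . "\n";
    return $headers;
}

// Only fields that end up in headers must be single-line. The body ('note') may
// legitimately contain newlines: it is passed to mail() as a separate argument and
// sits below the blank line that ends the header block, so a newline there cannot
// create a header.
const HEADER_FIELDS = ['email', 'subject'];

// Returns a list of validation failures; an empty list means the input may be used.
function validate_contact_form(array $post): array
{
    $errors = [];
    foreach (HEADER_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "$field missing";
        } elseif (preg_match('/[\r\n\0]/', $post[$field])) {
            $errors[] = "$field contains a line break or NUL";
        } elseif (preg_match('/^\s*(cc|bcc|to|content-type)\s*:/i', $post[$field])) {
            // Defence in depth: a header name where an address or subject belongs.
            $errors[] = "$field looks like a mail header";
        }
    }
    if (isset($post['email']) && is_string($post['email'])
        && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "email is not a single valid address";
    }
    if (!isset($post['note']) || !is_string($post['note'])) {
        $errors[] = "note missing";
    }
    return $errors;
}

// HARDENED: builds headers only if validation passed. The visitor's address goes
// into Reply-To; From stays a fixed address on our own domain, which also avoids
// SPF/DMARC failures caused by sending "from" someone else's domain.
function build_headers_safe(array $post, string $ourAddress): ?string
{
    if (validate_contact_form($post) !== []) {
        return null;
    }
    $headers  = "MIME-Version: 1.0\n";
    $headers .= "Content-Type: text/plain; charset=\"UTF-8\"\n";
    $headers .= "From: $ourAddress\n";
    $headers .= "Reply-To: " . $post['email'] . "\n";
    return $headers;
}

// Constructed sample inputs: one legitimate, one carrying an injected Bcc.
$legit  = ['email' => 'alice@example.com', 'subject' => 'Question', 'note' => "Hi,\nsecond line"];
$attack = ['email' => "eve@example.com\nBcc: victim@example.net", 'subject' => 'x', 'note' => 'spam'];

echo "Headers the vulnerable builder hands to mail() for the attack input:\n";
echo build_headers_vulnerable($attack), "\n";   // contains an extra "Bcc:" header line

echo "Legitimate input accepted: ", (validate_contact_form($legit) === [] ? 'yes' : 'no'), "\n";
echo "Attack input rejected because: ", implode('; ', validate_contact_form($attack)), "\n";
echo "Safe builder on attack input returns null: ", var_export(build_headers_safe($attack, 'me@mydomain.com') === null, true), "\n";

// In the real handler, send only when validation passed:
// $headers = build_headers_safe($_POST, 'myemail@mydomain.com');
// if ($headers !== null) {
//     mail('myemail@mydomain.com', $_POST['subject'], $_POST['note'], $headers);
// }
```

The check runs on the decoded values in $_POST, which is why it looks for the bytes "\r" and "\n" rather than the "%0a"/"%0d" text: PHP has already URL-decoded the request by the time the script sees it, so the literal strings "%0a" and "%0d" only appear if the client double-encoded them, and stripping them does nothing for the common case.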
mega77 Posted December 15, 2007 (Author)

Why not REQUEST? I use it because my scripts use both POST and GET, depending on what it is used for. I just use REQUEST so I am sure it will always work.

Bcc, Cc, etc. are supposed to be placed in the $headers, right? So why do I have to check it in $message?

Placing the following line in $note will only create a new line, but it won't send any email... or does it?

cc%0aspam@spammer.com