Posted by onembk on 08/29/06 05:14
On 2006-08-28 17:07:49 -0600, jwhitley31NOSPAM@colo.edu (J W) said:
> Hello,
>
> I am kind of a newb to php and could use some help. I have made a form
> to email php page that uses the mail function to send me the results of
> a form. The php portion looks like this:
>
> <?PHP
> if ($submit) {
> $Address = !empty($Address) ? $Address : 'NA';
> $Address2 = !empty($Address2) ? $Address2 : 'NA';
> $City = !empty($City) ? $City : 'NA';
> $State = !empty($State) ? $State : 'NA';
> $Country = !empty($Country) ? $Country : 'NA';
> $Postal = !empty($Postal) ? $Postal : 'NA';
> $Phone = !empty($Phone) ? $Phone : 'NA';
> $Company = !empty($Company) ? $Company : 'NA';
> $EmailNot = !empty($EmailNot) ? $EmailNot : 'NO';
> $today = date("m/d/y"); mail("me@mydomain.com",
> "Info on $Regarding",
> "A User has submitted a Contact form on Mydomain.com
> on $today
> ================================================
> Name: $FName $LName
> Email: $Email
> Address: $Address
> $Address2
> $City
> $State
> $Country
> $Postal
> Phone: $Phone
> Company: $Company
> Message: $Comment
> Referer: $Referer
> Opt-Out: $EmailNot",
> "From: $FName $LName <$Email>");
> header ("location: thanks.html");
> } // end if they hit "Submit"
> ?>
>
> Later on the page is the form itself (edited for brevity):
>
> <form name="contactinfo" method="post">
> (various input areas)
> </form>
>
> I know that as is this page isn't secure from a spammer exploiting it
> for their own purposes. Can someone help me clean it up to protect
> against that kind of thing? I believe the input data has to be
> validated / scrubbed or something? I've been googling and while I
> understand the concept I'm not quite getting how to do it within the
> framework of what I have already created.
>
> Thanks much.
You will need to verify that a hacker hasn't injected extra lines into
your To/CC/BCC/From/Subject fields. Looking at your code above I'd be
most concerned about the $Regarding variable as it could be used for
this. Here is a simple example:
if (stristr($Regarding, '\n') !== false
    || stristr($Regarding, '\r') !== false
    || stristr($Regarding, "\n") !== false
    || stristr($Regarding, "\r") !== false
    || stristr($Regarding, '%0A') !== false)
{
    die("hacker");
}
Note '\r' is the string \r while "\r" is a carriage return, "\n" means
newline, and '%0A' also creates a newline. If $Regarding was equal to
"spam subject%0ABcc: someoneelse@somewhereelse.com" I could send
someoneelse@somewhereelse.com some spam since everything after 'spam
subject' is on a separate line. Email protocols would see this as a
separate email header. This applies to any field a user has access to
other than the actual body of the email.
See http://www.w3schools.com/php/php_secure_mail.asp. The example there
is nicer than mine.
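A hardened version of the original handler, added here as an example and not code from either poster: it keeps the form's field names and mydomain.com addresses, reads input from $_POST instead of relying on register_globals, rejects line breaks in every header-bound field, and assumes PHP 5.2 or later for filter_var().

```php
<?php
// Hardened contact-form handler (added example). Assumes the field names
// of the original form and reads them from $_POST, not register_globals.

// A value bound for a mail header must not contain a line break. Raw CR/LF
// is the real injection vector; the percent-encoded spellings are rejected
// too, mirroring the check in the reply above.
function header_safe($value)
{
    $value = trim((string) $value);
    if (preg_match('/[\r\n]/', $value) || preg_match('/%0[aAdD]/', $value)) {
        return false;
    }
    return $value;
}

// Read a POST field, falling back to $default when it is missing or empty.
function field($name, $default = 'NA')
{
    return (isset($_POST[$name]) && $_POST[$name] !== '') ? $_POST[$name] : $default;
}

if (isset($_POST['submit'])) {
    $regarding = header_safe(field('Regarding', 'Contact form'));
    $fname     = header_safe(field('FName', ''));
    $lname     = header_safe(field('LName', ''));
    $email     = header_safe(field('Email', ''));

    // Any header-bound field carrying a line break, or a malformed address,
    // aborts the request instead of reaching mail().
    if ($regarding === false || $fname === false || $lname === false
        || $email === false || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        header('HTTP/1.1 400 Bad Request');
        exit('Invalid form input.');
    }

    // Body fields may legitimately contain newlines; they are not headers.
    $body = "A user has submitted a Contact form on " . date('m/d/y') . "\n"
          . "Name: $fname $lname\nEmail: $email\n"
          . "Address: " . field('Address') . "\n"
          . "Phone: " . field('Phone') . "\n"
          . "Message: " . field('Comment') . "\n";

    // Fixed From: address owned by the site; the visitor's address goes into
    // Reply-To, which is still a header and was therefore checked above.
    $headers = "From: webform@mydomain.com\r\nReply-To: $email";
    mail('me@mydomain.com', "Info on $regarding", $body, $headers);
    header('Location: thanks.html');
    exit;
}
```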