Posted by Chuck Anderson on 01/12/07 03:49
I am trying to implement email injection protection by looking for \r
and/or \n in the name, subject, or email address fields from my contact form.
The first script, contact_us.php, contains a form with text fields for
name, subject, and emailaddr (the sender's email address). The message
(body of the email) is a textarea.
I post the form to send_the_email_contact.php where I have the following
test:
if(preg_match('`[\r\n]`',$_POST['subject']))
{
exit ('injection attempt ');
}
To test this, when I fill in the form, I type "This is the subject\r\n"
in the subject field.
When I click on submit and enter send_the_email_contact.php, it does not
catch the \r\n. I have checked, and preg_match returns 0.
Why doesn't this test work?
----------------------------------
To make it even simpler, I have created a test script with this (inside
an html body):
<form id="form1" method="POST" action="<?= $_SERVER['PHP_SELF'] ?>">
<!-- attribute values quoted and escaped so a subject containing spaces or quotes does not break the markup -->
<input type="text" name="subject" value="<?= htmlspecialchars(stripslashes($_POST['subject'])) ?>">
<input type="submit" name="send" value="Send Mail">
</form>
<?
if ($_POST['send'] == 'Send Mail')
{
  echo "subject = {$_POST['subject']}<br>";
  echo "subject_match = " . preg_match("/[\r\n]/", $_POST['subject']);
}
?>
If I enter "subject\r\n" in the text field and click "Send Mail" the
output is:
subject = subject\\r\\n
subject_match = 0
...... I don't get it?! Shouldn't that be a match?
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*****************************
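An added example, not code from Chuck's post, that shows why the check returns 0: typing \r\n into a text field submits the four characters backslash, r, backslash, n, not a carriage return and line feed, so there is nothing for the character class to match. The helper name has_header_injection is hypothetical.

```php
<?php
// Added example, not part of the original post. has_header_injection is a
// hypothetical helper name.

// Reject any value that carries a CR or LF. Rejecting is safer than
// stripping: a "cleaned" header value is still an attempt worth refusing.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// What the browser actually submits when \r\n is typed into the field:
// the four characters backslash, r, backslash, n. PHP single quotes do not
// interpret escape sequences, so this literal is the same byte string.
$typed_in_form = 'This is the subject\r\n';

// A genuine CR LF pair, the only thing the regex is looking for. PHP double
// quotes turn \r and \n into the bytes 0x0D and 0x0A.
$real_crlf = "This is the subject\r\n";

var_dump(strlen($typed_in_form)); // int(23): each backslash is an ordinary byte
var_dump(strlen($real_crlf));     // int(21): CR and LF are one byte each

var_dump(has_header_injection($typed_in_form)); // bool(false), as in the post
var_dump(has_header_injection($real_crlf));     // bool(true)

// The "subject = subject\\r\\n" output in the post is consistent with
// magic_quotes_gpc escaping the typed backslashes. stripslashes() undoes
// that escaping but still leaves literal backslashes, never CR or LF.
var_dump(stripslashes('subject\\\\r\\\\n')); // string(11) "subject\r\n"
```

A single-line browser text input cannot carry byte 0x0D or 0x0A from typed characters, so a browser-typed string will never exercise the check; the regex itself is correct for the real header-injection case.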