Reply to Re: preg_match to detect \r\n - doesn't work

Posted by Curtis on 01/14/07 21:30

True enough, I guess if anyone's using your script and sending CRLFs,
they probably don't have any intention of sending anything of value,
lol.

Anyway, in case anyone wants to check for CRLF without regex, it's not
too hard:

<?php
if ( strpos($header, "\r") !== false || strpos($header, "\n") !== false ) {
    // mail header injection attempt
}
?>

On Jan 13, 5:56 am, "Rik" <luiheidsgoe...@hotmail.com> wrote:
> Curtis wrote:
> > Chuck Anderson wrote:
> > <snip>
> >> I post the form to send_the_email_contact.php where I have the
> >> following test:
>
> >> if(preg_match('`[\r\n]`',$_POST['subject']))
> >> {
> >> exit ('injection attempt ');
>
> >> }
> > <snip>
>
> > You don't necessarily have to stop processing when validating mail
> > headers. You can easily strip out any CRLFs
>
> You don't HAVE to. However, when something that will end up in a header
> contains a CRLF when it shouldn't, I'd opt for not sending the mail at all.
> It shouldn't be possible, so either there's something wrong with my code or
> someone has sent faulty and potentially harmful information. Either way,
> the mail should not be sent.
> --
> Rik Wasmus
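
The two approaches debated in this thread (refuse to send vs. strip the CRLFs), applied to every form field that ends up in a mail header. This is an added example, not code from either poster; the function names and the sample input are made up for illustration.

```php
<?php
// Added example; fieldsWithLineBreaks() and stripLineBreaks() are hypothetical names.

/**
 * Return the names of fields that must not go into a mail header.
 * Uses the same strpos() test as the post, and also flags non-string
 * values: a request sent as subject[]=x makes $_POST['subject'] an array.
 */
function fieldsWithLineBreaks(array $fields): array
{
    $bad = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)
            || strpos($value, "\r") !== false
            || strpos($value, "\n") !== false) {
            $bad[] = $name;
        }
    }
    return $bad;
}

/** Strip approach: delete CR and LF and carry on. */
function stripLineBreaks(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

// Constructed sample standing in for $_POST; the subject carries a CRLF.
// Only header-bound fields are listed: a message body may contain line breaks.
$headerFields = [
    'subject' => "Hello\r\nX-Injected: yes",
    'name'    => 'Alice Example',
    'email'   => 'alice@example.com',
];

$bad = fieldsWithLineBreaks($headerFields);
if ($bad !== []) {
    // Reject approach: record which field was affected and never call mail().
    error_log('CR/LF in header field(s): ' . implode(', ', $bad));
    echo 'Rejected, mail not sent: ', implode(', ', $bad), "\n";
} else {
    echo "Header fields clean\n";
}

// Strip approach on the same input: the would-be second header line is now
// ordinary text inside the Subject value, and the mail would still go out.
echo stripLineBreaks($headerFields['subject']), "\n";
```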
