Posted by "Matt Stone" on 12/17/05 01:46
----- Original Message -----
From: "Shaun" <shaunthornburgh@hotmail.com>
To: <php-general@lists.php.net>
Sent: Friday, December 16, 2005 7:50 PM
Subject: [PHP] Blocking Values From an External Source
> Hi,
>
> I have a script on my site for processing values sent from a contact form
> and emailing them to the webmaster. The script has been abused by spammers
> and my hosting company has recommended that I change the script to only
> accept information posted from my own URL. Could someone tell me how this
> can be done please?
>
If your script is being abused through mail header injection, making it
only accept information being posted from your own URL won't work.
First set a max length in your "from e-mail address" text box and validate
that. For example:
// SOME_NUMBER is a placeholder for whatever maximum length you choose.
if (strlen($_POST['email']) > SOME_NUMBER) {
    die("E-Mail Address Too Long");
}
Next, validate your e-mail address to the RFC standard, there's a good
tutorial here: http://www.iamcal.com/publish/articles/php/parsing_email/
If you validate it using the function in the article your form will be
bulletproof as far as header injection goes as the RFC standard does not
allow a '\' or ':' in the address. If you follow your ISP's advice and still
allow invalid input from your form you're leaving yourself wide open to
header injection. For example someone can still input
myemail@somewhere.com\r\nBcc: a_big_list_of_addresses@whereveryouwant.com
into the from address field. Who needs a bot to post that info when a single
click on a form can see your script used to spam a stack of recipients? To
put it another way, is it worth validating the source of your input if
you're not going to validate the input itself?
HTH
Cheers
Matt
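An added example, not Matt's code and not from the original thread, showing the two checks he describes (a length limit, then RFC-style validation) applied before the submitted address ever reaches mail(), plus a fixed From header so the form value only lands in Reply-To. The constant MAX_EMAIL_LEN, the helper names, webmaster@example.com and the sample inputs are assumptions.

```php
<?php
// Hardened handling of a contact-form "from" address before it reaches mail().
// Added example; MAX_EMAIL_LEN and the helper names are assumptions.

const MAX_EMAIL_LEN = 254; // practical upper bound for an address (RFC 5321)

// Returns the address if it is safe to place in a mail header, or null if not.
function validate_sender_address(string $email): ?string
{
    // 1. Length check first, as the post recommends, so oversized junk dies early.
    if (strlen($email) > MAX_EMAIL_LEN) {
        return null;
    }
    // 2. Reject anything that could start a new header line (CR, LF, NUL).
    if (preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    // 3. Syntactic validation; FILTER_VALIDATE_EMAIL rejects whitespace, '\' and ':'.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// Builds the headers for mail(). The form value is only ever used in Reply-To,
// never as the From sender, so the message still originates from our own address.
function build_contact_headers(string $replyTo): string
{
    return "From: webmaster@example.com\r\n"
         . "Reply-To: " . $replyTo . "\r\n"
         . "X-Mailer: PHP/" . phpversion();
}

// Constructed sample inputs: a legitimate address and the injection attempt
// from the post, which tries to smuggle a Bcc header through the from field.
$inputs = [
    'someone@example.com',
    "myemail@somewhere.com\r\nBcc: a_big_list_of_addresses@example.com",
];

foreach ($inputs as $raw) {
    $safe = validate_sender_address($raw);
    if ($safe === null) {
        echo "Rejected: " . addcslashes($raw, "\r\n") . "\n";
        continue;
    }
    // mail('webmaster@example.com', 'Contact form', $message, build_contact_headers($safe));
    echo "Would send with headers:\n" . build_contact_headers($safe) . "\n";
}
```

Running it rejects the second input at step 2 (and step 3 would reject it as well), while the first passes and is used only in the Reply-To header.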