PHP – Email Injection protection
A malicious spammer could use Email Injection to send large numbers of messages anonymously.
When a form is added to a Web page that submits data to a Web application, a malicious user may exploit the MIME format to append additional information to the message being sent, such as a new list of recipients or a completely different message body.
Because the MIME format uses a carriage return to delimit the information in a message, and only the raw message determines its eventual destination, adding carriage returns to submitted form data can allow a simple guestbook to be used to send thousands of messages at once.
The best way to stop e-mail injections is to validate the input.
HTML form:
<html>
<body>

<?php
function spamcheck($field)
{
    // Sanitize e-mail address
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);

    // Validate e-mail address
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}
?>

<h2>Feedback Form</h2>

<?php
// display form if user has not clicked submit
if (!isset($_POST["submit"])) {
?>
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
From: <input type="text" name="from"><br>
Subject: <input type="text" name="subject"><br>
Message: <textarea rows="10" cols="40" name="message"></textarea><br>
<input type="submit" name="submit" value="Submit Feedback">
</form>
<?php
} else { // the user has submitted the form
    // Check if the "from" input field is filled out
    if (isset($_POST["from"])) {
        // Check if "from" email address is valid
        $mailcheck = spamcheck($_POST["from"]);
        if ($mailcheck == FALSE) {
            echo "Invalid input";
        } else {
            // Use the sanitized address that passed the check, never the raw input:
            // the raw value could still contain a line break that the filter removed
            $from = filter_var($_POST["from"], FILTER_SANITIZE_EMAIL); // sender
            // A Subject header is a single line, so strip any line breaks from it
            $subject = str_replace(array("\r", "\n"), "", $_POST["subject"]);
            $message = $_POST["message"];
            // message lines should not exceed 70 characters (PHP rule), so wrap it
            $message = wordwrap($message, 70);
            // send mail
            mail("webmaster@example.com", $subject, $message, "From: $from\n");
            echo "Thank you for sending us feedback";
        }
    }
}
?>

</body>
</html>
How does it work?
1. Get the input data from the HTML form:
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
From: <input type="text" name="from"><br>
Subject: <input type="text" name="subject"><br>
Message: <textarea rows="10" cols="40" name="message"></textarea><br>
<input type="submit" name="submit" value="Submit Feedback">
</form>
2. The PHP script submits the form data to itself:
<?php echo $_SERVER["PHP_SELF"];?>
3. Check if the “from” input field is filled out:
if (isset($_POST["from"]))
4. Send the “from” value to the function spamcheck():
$mailcheck = spamcheck($_POST["from"]);
5. spamcheck() function:
a. The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
b. The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address
c. It returns TRUE if the address passes both filters, otherwise FALSE:
function spamcheck($field)
{
    // Sanitize e-mail address
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);

    // Validate e-mail address
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}
6. If spamcheck() returns FALSE, the script prints the message “Invalid input”:
$mailcheck = spamcheck($_POST["from"]);
if ($mailcheck == FALSE) {
    echo "Invalid input";
}
7. If it returns TRUE, the script sends the message and prints “Thank you for sending us feedback”:
else {
    // Use the sanitized address that passed the check, never the raw input:
    // the raw value could still contain a line break that the filter removed
    $from = filter_var($_POST["from"], FILTER_SANITIZE_EMAIL); // sender
    // A Subject header is a single line, so strip any line breaks from it
    $subject = str_replace(array("\r", "\n"), "", $_POST["subject"]);
    $message = $_POST["message"];
    // message lines should not exceed 70 characters (PHP rule), so wrap it
    $message = wordwrap($message, 70);
    // send mail
    mail("webmaster@example.com", $subject, $message, "From: $from\n");
    echo "Thank you for sending us feedback";
}
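As an added example that is not part of the original tutorial, the following stricter checker validates the raw “from” value itself (instead of a sanitized copy), rejects line breaks outright, and cleans the Subject line; it also shows why checking a sanitized copy and then sending the raw input is not enough. The function names and test inputs are constructed for illustration.

```php
<?php
// Added example, not from the original tutorial. Function names and the test
// inputs below are constructed for illustration.

// Validate the RAW "from" value. Returns the address, or FALSE if it must not
// reach mail(). Validating a sanitized copy and then sending the raw input is
// a gap: sanitizing strips the line break, what remains can still look like a
// valid address, and the original (line break included) is what gets sent.
function checkFromAddress($raw)
{
    // A CR or LF inside a header value is what lets extra headers be appended,
    // so reject it explicitly before anything else.
    if (preg_match('/[\r\n]/', $raw)) {
        return FALSE;
    }
    // FILTER_VALIDATE_EMAIL returns the address itself, or FALSE.
    return filter_var($raw, FILTER_VALIDATE_EMAIL);
}

// Subject is a single-line header: replace any line break with a space.
function cleanHeaderLine($value)
{
    return str_replace(array("\r\n", "\r", "\n"), ' ', trim($value));
}

// Mirrors the sanitize-then-validate pattern, for comparison only.
function sanitizeThenValidate($raw)
{
    $clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
    return filter_var($clean, FILTER_VALIDATE_EMAIL) !== FALSE;
}

// Constructed inputs: the last two carry a line break followed by a header.
$inputs = array(
    'alice@example.com',
    'not an address',
    "alice@example.com\nX-Added-Header: value",
    "alice@example.com\r\nX-Added-Header: value",
);

foreach ($inputs as $input) {
    printf("%-50s raw check: %-8s sanitized copy: %s\n",
        json_encode($input),
        checkFromAddress($input) === FALSE ? 'rejected' : 'accepted',
        sanitizeThenValidate($input) ? 'accepted' : 'rejected');
}
// The last two inputs are rejected by checkFromAddress() but accepted by
// sanitizeThenValidate(): the raw value is the one that has to be checked.
echo cleanHeaderLine("Feedback\r\nX-Added-Header: value"), "\n";
```

Only the value returned by checkFromAddress() should ever be placed in the From header, and only the output of cleanHeaderLine() in the Subject.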