PHP – Email Injection protection

A malicious spammer could use Email Injection to send large numbers of messages anonymously.

When a form is added to a Web page that submits data to a Web application, a malicious user may exploit the MIME format to append additional information to the message being sent, such as a new list of recipients or a completely different message body.

Because the MIME format uses a carriage return to delimit the information in a message, and only the raw message determines its eventual destination, adding carriage returns to submitted form data can allow a simple guestbook to be used to send thousands of messages at once.

The best way to stop e-mail injections is to validate the input.

HTML form:


<html>
<body>
<?php
function spamcheck($field)
  {
  // Sanitize e-mail address
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  // Validate e-mail address
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }
?>

<h2>Feedback Form</h2>
<?php
// display form if user has not clicked submit
if (!isset($_POST["submit"]))
  {
  ?>
  <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
  From: <input type="text" name="from"><br>
  Subject: <input type="text" name="subject"><br>
  Message: <textarea rows="10" cols="40" name="message"></textarea><br>
  <input type="submit" name="submit" value="Submit Feedback">
  </form>
  <?php 
  }
else
  // the user has submitted the form
  {
  // Check if the "from" input field is filled out
  if (isset($_POST["from"]))
    {
    // Check if "from" email address is valid
    $mailcheck = spamcheck($_POST["from"]);
    if ($mailcheck==FALSE)
      {
      echo "Invalid input";
      }
    else
      {
      $from = $_POST["from"]; // sender
      $subject = $_POST["subject"];
      $message = $_POST["message"];
      // message lines should not exceed 70 characters (PHP rule), so wrap it
      $message = wordwrap($message, 70);
      // send mail
      mail("webmaster@example.com",$subject,$message,"From: $from\n");
      echo "Thank you for sending us feedback";
      }
    }
  }
?>
</body>
</html>

How does it work?

1. Get the input data from the HTML form:

<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
From: <input type="text" name="from"><br>
Subject: <input type="text" name="subject"><br>
Message: <textarea rows="10" cols="40" name="message"></textarea><br>
<input type="submit" name="submit" value="Submit Feedback">
</form>

2. The PHP script posts the form data back to itself:

<?php echo $_SERVER["PHP_SELF"];?>

3. Check if the “from” input field is filled out

if (isset($_POST["from"]))

4. Send the “from” value to the function spamcheck()

$mailcheck = spamcheck($_POST["from"]);

5. spamcheck() function:
a. The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
b. The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address
c. It returns TRUE if the address passes validation, FALSE otherwise

function spamcheck($field)
  {
  // Sanitize e-mail address
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  // Validate e-mail address
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

6. If it returns FALSE, the script prints the message “Invalid input”

$mailcheck = spamcheck($_POST["from"]);
if ($mailcheck==FALSE)
  {
  echo "Invalid input";
  }

7. If it returns TRUE, the script sends the message and prints “Thank you for sending us feedback”

else
  {
  $from = $_POST["from"]; // sender
  $subject = $_POST["subject"];
  $message = $_POST["message"];
  // message lines should not exceed 70 characters (PHP rule), so wrap it
  $message = wordwrap($message, 70);
  // send mail
  mail("webmaster@example.com",$subject,$message,"From: $from\n");
  echo "Thank you for sending us feedback";
  }
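Two things in the form above are worth tightening: spamcheck() validates a sanitized copy of the address while mail() is handed the raw $_POST["from"], and the subject is passed to mail() without any check at all. The following is an added example (not part of the original tutorial) showing a stricter check that validates the raw value and rejects line breaks in every header field; header_is_safe() and sender_is_valid() are names chosen here, not PHP built-ins.

```php
<?php
// Added example: stricter header-field checks for the feedback form.
// Reject any header value that contains a carriage return or line feed.
// A CR/LF inside a header value is exactly what lets extra headers (such as
// new recipients) be appended, so the value is refused outright rather than
// cleaned up.
function header_is_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Validate the sender address as submitted: no FILTER_SANITIZE_EMAIL pass
// first, so a value that is only valid after stripping characters out of it
// is rejected. Length is capped at the 254-character limit for addresses.
function sender_is_valid(string $from): bool
{
    return strlen($from) <= 254
        && header_is_safe($from)
        && filter_var($from, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed test inputs, mapped to the decision the checks should make.
$cases = [
    "alice@example.com"                        => true,   // ordinary address
    "alice@example.com\r\n"                    => false,  // trailing line break
    "alice@example.com\r\nBcc: bob@example.com" => false,  // appended header
    "not an address"                           => false,  // fails validation
];

foreach ($cases as $input => $expected) {
    $result = sender_is_valid($input);
    printf("%-48s => %s (%s)\n",
        json_encode($input),
        $result ? 'accept' : 'reject',
        $result === $expected ? 'as expected' : 'UNEXPECTED');
}

// The same CR/LF rule applies to the subject, which the form above never checks.
$subjects = ["Feedback", "Feedback\r\nBcc: bob@example.com"];
foreach ($subjects as $subject) {
    printf("subject %-40s => %s\n",
        json_encode($subject),
        header_is_safe($subject) ? 'accept' : 'reject');
}
```

In the form handler, these checks would replace the spamcheck() call and be applied to both $_POST["from"] and $_POST["subject"] before mail() is reached.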