Nowadays, many websites no longer post their webmasters' email addresses, preferring instead to put up a contact or feedback form. Deprived of email addresses to harvest from web pages, spammers have turned to abusing such feedback form scripts to send their spam instead. If you are writing your own feedback form script, it is important that you write it in such a way that a spammer cannot hijack it to send mail to others.
A PHP script that sends email, as mentioned in my PHP tutorial, typically calls on the mail() function to deliver the email. For example, the code for such a script might look like the following.
The code above sends the message to firstname.lastname@example.org, which is presumably the webmaster's address.
The sender's address is set to the information contained in the
If the script takes no effort to sanitize the
it is possible for a spammer to inject additional headers into the email message by placing lines like the following into the
mail() function will dumbly insert those lines into the header of the email message and pass it along to the mail transport agent, which in turn delivers the mail to everyone on that list. In this way, your script will have been hijacked to do the spammer's bidding.
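As an added example (this is not the page's own script), here is a feedback-form handler of the kind described above, which passes the visitor's address into the headers unchecked, together with an offline demonstration of what a spammer's payload in the email field turns into. The form field names, the subject line and the use of a single From: line are assumptions made for the demonstration.

```php
<?php
// Added example, not thesitewizard.com's own script: a feedback-form
// handler that passes the visitor's email address into the headers
// unchecked. The $_POST field names, the subject line and the recipient
// address are assumptions made for this demonstration.

// The headers string a naive script hands to mail(): the visitor-supplied
// address becomes the From: line verbatim, newlines and all.
function build_headers(string $email): string
{
    return "From: $email\r\n";
}

// The vulnerable handler. Nothing between $_POST and mail() looks for
// carriage returns or line feeds in the address.
function send_feedback_unchecked(array $post): bool
{
    $email   = $post['email']   ?? '';
    $message = $post['message'] ?? '';
    $to      = 'firstname.lastname@example.org';   // webmaster's address
    return mail($to, 'Feedback from website', $message, build_headers($email));
}

// Offline demonstration of the injection (no mail is sent): a constructed
// value for the email field that ends the From: line with CRLF and then
// continues with header lines of the spammer's choosing.
$payload = "spammer@example.net\r\n"
         . "Cc: victim1@example.com, victim2@example.com\r\n"
         . "Bcc: victim3@example.com";

// This is the header block the mail transport agent would receive; the
// Bcc: recipients do not even show up in the copy the webmaster gets.
echo build_headers($payload);
```

Running the demonstration prints a header block in which the injected Cc: and Bcc: lines follow the From: line exactly as if the script had written them itself, and a mail transport agent will honour them. Note that recent PHP releases make mail() refuse a headers argument that contains a blank line (two consecutive newlines), which stops a spammer from appending an entire message body, but a single CRLF followed by another well-formed header line is passed through, so that built-in check alone is no protection against the Cc: injection shown here.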
To prevent email injection of the form given above, it is important that you check the information you receive from the
There are many ways you can look out for attempts to insert email headers into your scripts. The PHP script generated by thesitewizard.com's Feedback Form Script Wizard does it this way:
$name contains the visitor's name, and $email holds the visitor's email address. The function preg_match() is called to find out whether the contents of those two variables include newline characters. Newline characters, that is, the carriage return ("\r" in PHP) and the line feed ("\n" in PHP), start a new line in the email headers, which is what allows a spammer to append a new "Cc:" header. If the code above detects newline characters, the visitor is sent to an error page instead of the message being mailed.
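The same check, written as reusable functions and used by a hardened version of the handler, as an added example rather than the Feedback Form Script Wizard's own generated code. The field names, the subject line, the recipient address and the error-page path are assumptions; the address check goes a step beyond the page's newline test by also requiring the value to parse as a single email address.

```php
<?php
// Added example, not the Feedback Form Script Wizard's generated code: the
// newline check described above as reusable functions, plus the hardened
// handler that uses them. Field names, subject line, recipient address and
// error-page path are assumptions.

// True when the value contains a carriage return or line feed, the two
// characters that terminate a header line and let whatever follows be
// read by the mail transport agent as further headers.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Stricter check for the address field: besides being newline-free it must
// parse as exactly one email address, so a value with anything appended
// after the address (a second recipient, a stray comma) is rejected too.
function is_clean_address(string $email): bool
{
    return !has_header_injection($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the names of the fields that failed; an empty array means the
// input is safe to put into headers. The subject is checked as well,
// because mail() turns it into a Subject: header line.
function header_problems(string $name, string $email, string $subject): array
{
    $bad = [];
    if (has_header_injection($name))    { $bad[] = 'name'; }
    if (!is_clean_address($email))      { $bad[] = 'email'; }
    if (has_header_injection($subject)) { $bad[] = 'subject'; }
    return $bad;
}

// Hardened handler: no header is built from input that failed the check;
// the visitor is redirected to an error page instead.
function send_feedback_checked(array $post): bool
{
    $name    = $post['name']    ?? '';
    $email   = $post['email']   ?? '';
    $subject = $post['subject'] ?? 'Feedback from website';
    $message = $post['message'] ?? '';

    if (header_problems($name, $email, $subject) !== []) {
        header('Location: /feedback-error.html');   // assumed error page
        return false;
    }
    $headers = "From: \"$name\" <$email>\r\n" . "Reply-To: $email\r\n";
    return mail('firstname.lastname@example.org', $subject, $message, $headers);
}

// Constructed inputs exercising the check (nothing is mailed here).
$samples = [
    ['Jane Visitor',                   'jane@example.com'],
    ["Jane\r\nCc: victim@example.com", 'jane@example.com'],
    ['Jane',                           "jane@example.com\nBcc: victim@example.com"],
    ['Jane',                           'jane@example.com, victim@example.com'],
];
foreach ($samples as [$name, $email]) {
    $bad = header_problems($name, $email, 'Feedback');
    printf("%-70s %s\n", json_encode([$name, $email]),
           $bad === [] ? 'accepted' : 'rejected (' . implode(', ', $bad) . ')');
}
```

Only the first sample is accepted; the second and third are rejected on the newline test alone, and the fourth, which contains no newline at all, is caught only because the address must parse as a single mailbox. Rejecting the submission outright, rather than stripping the offending characters and sending anyway, is the safer choice: a visitor who genuinely typed a newline into the email field has made a mistake that an error page can explain, whereas silently repairing the input means guessing at what the spammer's payload should turn into.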
Avoid this security hole in your PHP scripts that send mail by making sure that everything that goes into the email headers generated by your script, the subject line included since it becomes a header too, is checked for carriage return and line feed characters as shown above. Otherwise, your script might be inadvertently abused to send spam to others without your knowing.
This article is copyrighted. Please do not reproduce this article in whole or part, in any form, without obtaining my written permission.