How to Prevent Email Injection in Your PHP Form to Mail Scripts
by Christopher Heng, thesitewizard.com

Nowadays, many websites no longer post their webmasters' email addresses, preferring instead to put up a contact or feedback form. Without the plethora of email addresses to harvest from websites, spammers have turned to using such feedback form scripts to send spam instead. If you are writing your own feedback form script, it is important that you write your script in such a way so as to prevent spammers from hijacking the script to spam others.
How Does Email Form Hijacking Work?
A PHP script that sends email, as mentioned in my PHP tutorial, typically calls on the mail() function to deliver the email. For example, the code for such a script might look like the following.
mail( "yourname@example.com", "Feedback Form Results", $message, "From: $email" );
The code above sends the message to yourname@example.com, which is presumably the webmaster's address. The sender's address is set to the information contained in the $email variable, which is typically obtained from the web form.
If the script takes no effort to sanitize the $email variable before calling mail(), it is possible for a spammer to inject additional headers into the email messages by placing lines like the following into the $email variable.
some-email-address@example.com
CC: another-email-address@example.com, yet-another-email-addresses@example.com, etc-etc@example.com
The PHP mail() function will dumbly insert those lines into the header of the email message and pass it along to the mail transport agent, which in turn delivers the mail to everyone on that list. Your script has thus been hijacked to do the spammer's bidding.
How to Avoid Email Injection and Mail Form Script Hijacking
To prevent email injection of the form given above, it is important that you check the information you receive from the $email variable.
There are many ways you can look out for attempts to insert email headers into your scripts. The PHP script generated by thesitewizard.com's Feedback Form Script Wizard does it this way:
if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {
    // direct the visitor to an error page and quit
    header( "Location: error.html" ); // error page name is a placeholder
    exit;
}
$name contains the visitor's name, and $email holds the visitor's email address. The preg_match() function (the original script used ereg(), which was removed in PHP 7) is called to find out whether the contents of those two variables include new line characters. New line characters, that is the carriage return ("\r" in PHP) and the line feed ("\n" in PHP), start a new line in the email headers, which is what allows a new "CC:" line to be formed. If the code above detects new line characters, the visitor is directed to an error page instead of the mail being sent.
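The check described above, carried through to a complete form-to-mail function, as an added example that is not thesitewizard.com's own script. It assumes the form submits name, email and message fields; the address-format check via filter_var() is an extra layer beyond what the article describes, and the injection payload is constructed from the article's own example.

```php
<?php
// Added example (not the article's or the Feedback Form Script Wizard's
// code). Every value that ends up in a mail() header is checked for CR/LF
// before the header string is built.

// True when $value contains a carriage return or line feed, i.e. when it
// could start a new header line. preg_match() replaces the article's
// ereg(), which was removed in PHP 7.
function has_newline($value) {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Both $name and $email go into the From: header, so both are checked.
function header_values_are_safe($name, $email) {
    if (has_newline($name) || has_newline($email)) {
        return false;
    }
    // Additional check not in the article: the address must look like a
    // single email address, which also rejects "a@x.com, b@y.com" lists.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns false without calling mail() when the header values are unsafe;
// the caller then sends the visitor to an error page.
function send_feedback($to, $name, $email, $message) {
    if (!header_values_are_safe($name, $email)) {
        return false;
    }
    $headers = "From: $name <$email>\r\n";
    return mail($to, "Feedback Form Results", $message, $headers);
}

// Constructed inputs: a normal submission and the article's injection
// attempt (a CC: line smuggled in behind a newline).
$good = "visitor@example.com";
$bad  = "some-email-address@example.com\nCC: another-email-address@example.com";

foreach (array($good, $bad) as $candidate) {
    if (header_values_are_safe("Alice", $candidate)) {
        echo "accepted: " . addcslashes($candidate, "\r\n") . "\n";
    } else {
        echo "rejected: " . addcslashes($candidate, "\r\n") . "\n";
    }
}
```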
Conclusion
Avoid this security hole in your PHP scripts that send mail by making sure that everything that goes into the email headers generated by your script is checked for potentially problematic characters like the above. Otherwise, your script might inadvertently be abused to send spam to others without your knowing.
Copyright © 2007 by Christopher Heng. All rights reserved.
Last updated: 7 September 2008.