Validate Code


Post by cupaball »

Some people in this forum were nice enough to fix my script. I have a contact form in Flash and I used a PHP script to send. The individuals who helped indicated that my script may be vulnerable to spam. I was hoping to validate in Flash also.

Can anyone help me prevent this script from being spammed?

Code:

<?php 
$sendTo = "mhaynes@blahblah.com"; 
$subject = "Website Reply"; 
$headers = "From: " . $_POST['name'] ." <" . $_POST['email'] .">\r\n"; 
$headers .= "Reply-To: " . $_POST['email'] . "\r\n"; 
$headers .= "Return-path: " . $_POST['email'] . "\r\n"; 
$message = $_POST['body'] . "\r\n  Phone: " . $_POST['phone']; 
mail($sendTo, $subject, $message, $headers); 
?>

Post by Benjamin »

Code:

$headers = "From: " . $_POST['name'] ." <" . $_POST['email'] .">\r\n ";
Here is one way I could hack that...

I submit the following as the name variable: "Tina Davis <tina@davis.com>\r\nBCC:"
And the following as the email variable: fake@address.com>\r\nCC: email1@email.com,email2@email.com,email3@email.com,email4@email.com,email5@email.com\r\n
And the header line ends up looking like this:
The trailing > would be ignored by most mail servers, which would allow me to send my message to an unlimited number of people, from YOUR server.

Post by matthijs »

Check this thread viewtopic.php?t=42190 about email injection. My personal conclusion was 1) validate all data the best you can 2) as a defense in depth measure use the ctype_print() function to check for any newlines.

Post by cupaball »

Thanks for the help. I will read the post and articles.

Can anyone fix my script to prevent this?

I am still kinda learning this php thing.

Post by matthijs »

It's really worth it to study/learn more about input validation in general and email injection specifically. Search for "input validation" on the security forum, check the regex tutorials in the regex forum, read some tutorials and articles about the subject (for example http://phpsec.org/projects/guide/, etc.). Here's my attempt to "secure" your contact form:

Code:

<?php
if (isset($_POST['submit'])) {

    $clean = array();

    // validate email with basic pattern
    // from PHP architect jan 2006
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (isset($_POST['email']) && preg_match($email_pattern, $_POST['email']))
    {
        $clean['email'] = $_POST['email'];
    }

    // validate strings
    // from PHP architect september 2005
    $string_pattern = '/^[-A-Z0-9\.\'"_ ]*$/i';
    if (isset($_POST['name']) && preg_match($string_pattern, $_POST['name']))
    {
        $clean['name'] = $_POST['name'];
    }

    /*
      add validation for the other fields body and phone, like above ...
      you can also check for input length of the fields
    */

    // inspect the data specifically for newlines and carriage returns
    // maybe too much according to some but as a defense in depth cannot harm
    // http://forums.devnetwork.net/viewtopic.php?t=42190
    // (the isset() guard avoids an undefined-index notice when a field failed validation)
    if (isset($clean['email'], $clean['name'])
        && ctype_print($clean['email']) && ctype_print($clean['name']))
    {
        /* The email seems valid and contains no newlines or carriage returns. */
        echo 'All data is clean!!';
        /* or to mail uncomment following
        $sendTo = "mhaynes@blahblah.com";
        $subject = "Website Reply";
        $headers = "From: " . $clean['name'] ." <" . $clean['email'] .">\r\n";
        $headers .= "Reply-To: " . $clean['email'] . "\r\n";
        $headers .= "Return-path: " . $clean['email'] . "\r\n";
        $message = $clean['body'] . "\r\n  Phone: " . $clean['phone'];
        mail($sendTo, $subject, $message, $headers);
        */
    }
    else
    {
        echo 'Bad data';
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title>Untitled</title>
</head>
<body>
<form action="contact.php" method="post">
Name: <input type="text" name="name" value="<?php echo (isset($_POST['name'])) ? htmlentities($_POST['name']) : ""; ?>"><BR>
Email: <input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? htmlentities($_POST['email']) : ""; ?>"><BR>
Comments:<BR>
<textarea name="body"><?php echo (isset($_POST['body'])) ? htmlentities($_POST['body']) : ""; ?></textarea><BR>
<input type="submit" value="Submit" name="submit">
</form>
</body>
</html>
but please try to study the subject yourself. Nothing is as insecure as trusting some answer on some forum by someone who could have made a silly mistake ... (ahum, that's my disclaimer :)
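As an added example (my own code, not from any poster in this thread): the whitelist patterns from matthijs's post pulled into a reusable validator with a control-character check, with the PCRE D modifier added so that $ cannot match before a trailing newline, and a self-check that the name and email values Benjamin described are rejected. The function names and the phone pattern are assumptions.

```php
<?php
// Added example, not the thread's code: the whitelist patterns from
// matthijs's post as a reusable validator with a CR/LF check, plus a
// self-check using the name/email values Benjamin described.
// Function names and the phone pattern are my own assumptions.
// The D modifier makes $ anchor at the very end of the string; without
// it $ also matches before a trailing "\n", so "Tina Davis\n" would pass.
const EMAIL_PATTERN = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/iD';
const NAME_PATTERN  = '/^[-A-Z0-9\.\'"_ ]{1,100}$/iD';
const PHONE_PATTERN = '/^[-+() 0-9]{5,30}$/D';   // assumed format

/** True only if $value has no control characters and matches $pattern. */
function clean_field(string $value, string $pattern): bool
{
    // ctype_print() rejects \r and \n (and other control characters), so a
    // header-injection payload fails here even if a pattern were too loose.
    return ctype_print($value) && preg_match($pattern, $value) === 1;
}

/** Validate all header-bound fields; null means reject the whole submission. */
function clean_contact_input(array $post): ?array
{
    $rules = ['name' => NAME_PATTERN, 'email' => EMAIL_PATTERN,
              'phone' => PHONE_PATTERN];
    $clean = [];
    foreach ($rules as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!clean_field($value, $pattern)) {
            return null;
        }
        $clean[$field] = $value;
    }
    // The body only goes into the message text, never into a header,
    // so newlines are acceptable there; just bound its length.
    $clean['body'] = substr((string) ($post['body'] ?? ''), 0, 5000);
    return $clean;
}

/** Self-check with constructed inputs; true if the validator behaves as intended. */
function self_check(): bool
{
    $good = ['name' => 'Tina Davis', 'email' => 'tina@davis.com',
             'phone' => '+1 555 0100', 'body' => "Hello\r\nthere"];
    $bad  = ['name' => "Tina Davis <tina@davis.com>\r\nBCC:",
             'email' => "fake@address.com>\r\nCC: x@y.com\r\n", 'phone' => '555'];
    return clean_contact_input($good) !== null
        && clean_contact_input($bad) === null
        && !clean_field("Tina Davis\n", NAME_PATTERN);   // trailing newline
}

echo self_check() ? "validator self-check passed\n" : "self-check FAILED\n";
```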