Validate Code
Posted: Sun Feb 12, 2006 3:03 pm
by cupaball
Some people in this forum were nice enough to fix my script. I have a contact form in Flash and I used a PHP script to send it. The individuals who helped indicated that my script may be vulnerable to spam. I was hoping to validate in Flash also.
Can anyone help me prevent this script from being spammed?
Code:
<?php
$sendTo = "mhaynes@blahblah.com";
$subject = "Website Reply";
$headers = "From: " . $_POST['name'] ." <" . $_POST['email'] .">\r\n";
$headers .= "Reply-To: " . $_POST['email'] . "\r\n";
$headers .= "Return-path: " . $_POST['email'] . "\r\n";
$message = $_POST['body'] . "\r\n Phone: " . $_POST['phone'];
mail($sendTo, $subject, $message, $headers);
?>
Posted: Sun Feb 12, 2006 3:17 pm
by Benjamin
Code:
$headers = "From: " . $_POST['name'] ." <" . $_POST['email'] .">\r\n";
Here is one way I could hack that...
I submit the following as the name variable: "Tina Davis <tina@davis.com>\r\nBCC:"
And the following as the email variable:
fake@address.com>\r\nCC:
email1@email.com,
email2@email.com,
email3@email.com,
email4@email.com,
email5@email.com\r\n
And the header line ends up looking like this:
The trailing > would be ignored by most mail servers, which would allow me to send my message to an unlimited number of people, from YOUR server.
Posted: Sun Feb 12, 2006 4:05 pm
by matthijs
Check this thread
viewtopic.php?t=42190 about email injection. My personal conclusion was 1) validate all data the best you can 2) as a defense in depth measure use the ctype_print() function to check for any newlines.
Posted: Mon Feb 13, 2006 7:04 pm
by cupaball
Thanks for the help. I will read the post and articles.
Can anyone fix my script to prevent this?
I am still kinda learning this php thing.
Posted: Tue Feb 14, 2006 2:58 am
by matthijs
It's really worth it to study/learn more about input validation in general and email injection specifically. Search for "input validation" on the security forum, check the regex tutorials in the regex forum, read some tutorials and articles about the subject (for example http://phpsec.org/projects/guide/, etc.). Here's my attempt to "secure" your contact form:
Code:
<?php
if (isset($_POST['submit'])) {
    $clean = array();
    // read the raw fields once; a missing field becomes an empty string
    // instead of an undefined-index notice
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $name  = isset($_POST['name'])  ? $_POST['name']  : '';

    // validate email with basic pattern
    // from PHP architect jan 2006
    $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
    if (preg_match($email_pattern, $email))
    {
        $clean['email'] = $email;
    }

    // validate strings
    // from PHP architect september 2005
    $string_pattern = '/^[-A-Z0-9\.\'"_ ]*$/i';
    if (preg_match($string_pattern, $name))
    {
        $clean['name'] = $name;
    }

    /*
    add validation for the other fields body and phone, like above ...
    you can also check for input length of the fields
    */

    // inspect the data specifically for newlines and carriage returns
    // maybe too much according to some but as a defense in depth cannot harm
    // http://forums.devnetwork.net/viewtopic.php?t=42190
    // both fields must have passed their pattern (so they are set in $clean)
    // and contain only printable characters
    if (isset($clean['email'], $clean['name'])
        && ctype_print($clean['email']) && ctype_print($clean['name']))
    {
        /* The email seems valid and contains no newlines or carriage returns. */
        echo 'All data is clean!!';
        /* or to mail uncomment following
        $sendTo = "mhaynes@blahblah.com";
        $subject = "Website Reply";
        $headers = "From: " . $clean['name'] ." <" . $clean['email'] .">\r\n";
        $headers .= "Reply-To: " . $clean['email'] . "\r\n";
        $headers .= "Return-path: " . $clean['email'] . "\r\n";
        $message = $clean['body'] . "\r\n Phone: " . $clean['phone'];
        mail($sendTo, $subject, $message, $headers);
        */
    }
    else
    {
        echo 'Bad data';
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<body>
<form action="contact.php" method="post">
Name: <input type="text" name="name" value="<?php echo (isset($_POST['name'])) ? htmlentities($_POST['name']) : ""; ?>"><BR>
Email: <input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? htmlentities($_POST['email']) : ""; ?>"><BR>
Comments:<BR>
<textarea name="body"><?php echo (isset($_POST['body'])) ? htmlentities($_POST['body']) : ""; ?></textarea><BR>
<input type="submit" value="Submit" name="submit">
</form>
</body>
</html>
but please try to study the subject yourself. Nothing is as insecure as trusting some answer on some forum by someone who could have made a silly mistake ... (ahum, that's my disclaimer
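The following is an added example, not code from anyone in this thread. It pulls together the advice in matthijs's two posts (whitelist patterns per field, length limits, and a ctype_print() check on everything that ends up in a mail header) into one validation routine for the original script's fields (name, email, phone, body) and runs it over a few constructed submissions, including the CRLF-in-the-name case Benjamin describes. The length limits, the phone pattern and the sample addresses are assumptions; the name and email patterns are the ones quoted in the thread.

```php
<?php
// Added example (not from the thread): whole-form validation for the
// contact script. Field names follow the original script; the limits,
// the phone pattern and all sample values are assumptions.

/**
 * Returns array('clean' => array(...), 'errors' => array(...)).
 * Only values that pass every check are copied into 'clean'.
 */
function validate_contact(array $input)
{
    $clean  = array();
    $errors = array();

    // field => array(pattern, max length); name/email patterns are the
    // thread's, the phone pattern is assumed (digits, +, -, (), space)
    $rules = array(
        'name'  => array('/^[-A-Z0-9\.\'"_ ]{1,80}$/i', 80),
        'email' => array('/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', 254),
        'phone' => array('/^[-+0-9() ]{0,30}$/', 30),
    );

    foreach ($rules as $field => $rule) {
        list($pattern, $max) = $rule;
        $value = isset($input[$field]) ? (string) $input[$field] : '';
        if (strlen($value) > $max || !preg_match($pattern, $value)) {
            $errors[] = "$field: rejected by pattern or length";
            continue;
        }
        // Defense in depth: anything that goes into a header must not carry
        // CR, LF or any other control character, even if the pattern should
        // already have excluded them. ctype_print('') is false, hence the guard.
        if ($value !== '' && !ctype_print($value)) {
            $errors[] = "$field: contains control characters";
            continue;
        }
        $clean[$field] = $value;
    }

    // The body goes into the message, not a header, so newlines are fine
    // there; only require it and cap its size (4000 is an assumed limit).
    $body = isset($input['body']) ? (string) $input['body'] : '';
    if ($body === '' || strlen($body) > 4000) {
        $errors[] = 'body: missing or too long';
    } else {
        $clean['body'] = $body;
    }

    return array('clean' => $clean, 'errors' => $errors);
}

/**
 * Builds headers and message from the clean array only and returns them;
 * the mail() call itself is left to the caller.
 */
function build_mail(array $clean)
{
    $headers  = "From: " . $clean['name'] . " <" . $clean['email'] . ">\r\n";
    $headers .= "Reply-To: " . $clean['email'] . "\r\n";
    $headers .= "Return-Path: " . $clean['email'] . "\r\n";
    $message  = $clean['body'] . "\r\nPhone: " . $clean['phone'];
    return array($headers, $message);
}

// Constructed sample submissions: a legitimate one, the CRLF-in-the-name
// case from the thread, a name with only a trailing LF, and an oversize name.
$samples = array(
    'ok'          => array('name' => 'Tina Davis', 'email' => 'tina@davis.example',
                           'phone' => '555-0100', 'body' => 'Hello'),
    'crlf'        => array('name' => "Tina Davis\r\nBcc: someone@example.org",
                           'email' => 'tina@davis.example', 'phone' => '', 'body' => 'Hello'),
    'trailing_lf' => array('name' => "Tina Davis\n", 'email' => 'tina@davis.example',
                           'phone' => '', 'body' => 'Hello'),
    'oversize'    => array('name' => str_repeat('A', 81), 'email' => 'tina@davis.example',
                           'phone' => '', 'body' => 'Hello'),
);

foreach ($samples as $label => $post) {
    $result = validate_contact($post);
    if ($result['errors']) {
        echo "$label: rejected (" . implode('; ', $result['errors']) . ")\n";
        continue;
    }
    list($headers, $message) = build_mail($result['clean']);
    echo "$label: accepted, headers would be:\n$headers";
    // mail("mhaynes@blahblah.com", "Website Reply", $message, $headers);
}
```

The trailing_lf sample is the reason the ctype_print() check is worth keeping even though the regex looks sufficient: in PCRE a `$` anchor without the `D` modifier also matches just before a final newline, so "Tina Davis\n" passes the name pattern and is only caught by ctype_print(). Adding `D` to the patterns (or ending them with `\z`) closes that gap in the regex itself; the control-character check still costs nothing and guards against the next pattern someone writes without it.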
