is stripslashes causing the problem?

dru_nasty
Forum Commoner
Posts: 81
Joined: Sat Sep 10, 2005 10:26 am

Post by dru_nasty »

I have a form to send html email. I've used this same code on another server and all works fine.
I fill out the form (with the ability to use html) and it sends to emails from a db.

I tried using it for another site on another server and the script echoes the emails it was sent to, but the emails never go through. I'm only posting this little snippet since it's where I believe the problem to be. If otherwise, I can post the entire script.

Code: Select all

while ($row = mysql_fetch_array($result)) {
		set_time_limit(0);
		$email = $row['email'];
		mail("$email", stripslashes($_POST[subject]), stripslashes($_POST[message]), $headers);
		echo "newsletter sent to: $email<br>";
}

My guess is that it has something to do with the stripslashes in the mail() function.
I know this can cause issues with magic_quotes (which I'm not that familiar with, I'm still a newb).
So here is how the php is configured on this server if any of this matters:

Directive              Local Value   Master Value
magic_quotes_gpc       On            On
magic_quotes_runtime   Off           Off
magic_quotes_sybase    Off           Off

Thanks!
mattcooper
Forum Contributor
Posts: 210
Joined: Thu Mar 17, 2005 5:51 am
Location: London, UK

Post by mattcooper »

Try this...

Code: Select all

$subject=stripslashes($_POST['subject']);
$message=stripslashes($_POST['message']);

mail($email, $subject, $message, $headers);

Let me know how you go!
dru_nasty
Forum Commoner
Posts: 81
Joined: Sat Sep 10, 2005 10:26 am

Post by dru_nasty »

mattcooper wrote: Try this...

Code: Select all

$subject=stripslashes($_POST['subject']);
$message=stripslashes($_POST['message']);

mail($email, $subject, $message, $headers);

Let me know how you go!

That did the trick! Thanks :D

What would you say it was? The double quotes around email, or the lack of single quotes around the subject and message?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you have a great potential for helping spammers do their thing with this code.

viewtopic.php?t=44097 should be of great interest.
dru_nasty
Forum Commoner
Posts: 81
Joined: Sat Sep 10, 2005 10:26 am

Post by dru_nasty »

Here is the entire script. I checked out that thread and also did some more searching on the subject. Jeez, nothing is safe!
I gathered that there is no true way to stop spammers entirely, but there are a number of preventative measures that can be taken to lower the chance at being used.
Within my code, I'm not sure where to begin. I don't want to spend hours obsessing over security for this small-time mailer, but I would like to lower the probability of being used.
Anyone have any ideas for this code:

Code: Select all

<?php
if ($_POST['op'] != "send") {
	echo "
	<HTML>
	<HEAD>
	<TITLE>Send a Newsletter</TITLE>
	</HEAD>
	<BODY>
	<h1>Email Blast</h1>
	<form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
	<P><strong>Subject:</strong><br>
	<input type=\"text\" name=\"subject\" size=30></p>
	<P><strong>Mail Body: (html emails can be sent)</strong><br>
	<textarea name=\"message\" cols=50 rows=10 wrap=virtual></textarea>
	<input type=\"hidden\" name=\"op\" value=\"send\">
	<p><input type=\"submit\" name=\"submit\" value=\"Send It\"></p>
	</FORM>
	</BODY>
	</HTML>";

} else if ($_POST['op'] == "send") {
	// Both fields are required; send the user back to the form otherwise.
	if (($_POST['subject'] == "") || ($_POST['message'] == "")) {
		header("Location: send_mail.php");
		exit;
	}

	$conn = mysql_connect("host", "username", "password") or die(mysql_error());
	mysql_select_db("dbname", $conn) or die(mysql_error());

	$sql = "select email from subscribers";
	$result = mysql_query($sql, $conn) or die(mysql_error());

	// Headers are fixed strings; no user input reaches them.
	$headers = "MIME-Version: 1.0\r\n";
	$headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
	$headers .= "From: Newsletter <sales@domainname.com>\r\n";

	while ($row = mysql_fetch_array($result)) {
		set_time_limit(0);
		$email = $row['email'];
		$subject = stripslashes($_POST['subject']);
		$message = stripslashes($_POST['message']);
		mail($email, $subject, $message, $headers);
		echo "newsletter sent to: $email<br>";
	}
}
?>
mattcooper
Forum Contributor
Posts: 210
Joined: Thu Mar 17, 2005 5:51 am
Location: London, UK

Post by mattcooper »

feyd wrote: you have a great potential for helping spammers do their thing with this code.

I fully take your point. However, that was not my intention (assuming, that is, that you directed that at me!) - being a victim of spam at the moment, I ought to have thought of it.

Cheers for pointing that out.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

dru_nasty, the most important issue is that spammers cannot misuse your script to send mail to others. With every form online you will receive some spam. But that's not a problem, merely an annoyance for you.

But if your script is vulnerable to email injection (see the other 890 threads) your script will be used to send spam mail to thousands of others, from your domain.

Not too long ago I had to do a cleanup on a domain from which a few thousand mails were sent ....

The weak point is in the $headers. If you include a $_POST['fromemail'] directly into that, it can be misused. Like this:

Code: Select all

$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
$headers .= "From: Newsletter <{$_POST['fromemail']}>\r\n";

But in your case it looks ok, as you hardcoded the $headers.

But do read some more about it, as it is an important issue. Luckily not too hard to solve.

One other thing, $_SERVER["PHP_SELF"] can also be tainted. So hardcode that value as well or use htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8').
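
An added example, not part of matthijs's post or the original script: one way to keep a user-supplied From address from adding header lines, together with the PHP_SELF escaping suggested above. build_from_header() is a hypothetical helper, the sample inputs are constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. build_from_header() is a hypothetical helper.

/**
 * Return a From: header line for a user-supplied address, or null if the
 * value could smuggle extra header lines or is not a plain email address.
 */
function build_from_header(string $input): ?string
{
    // CR or LF ends the From: line; anything after it would be parsed as a new header.
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    // Accept only a syntactically valid address.
    $address = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    if ($address === false) {
        return null;
    }
    return "From: Newsletter <{$address}>\r\n";
}

// Constructed inputs: an ordinary address, one carrying an extra header line,
// and one that is not an address at all.
$samples = [
    'sales@domainname.com',
    "sales@domainname.com\r\nX-Injected: yes",
    'not an address',
];

foreach ($samples as $candidate) {
    $from = build_from_header($candidate);
    if ($from === null) {
        // json_encode() makes the CR/LF characters visible in the output.
        echo 'rejected: ' . json_encode($candidate) . PHP_EOL;
        continue;
    }
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=iso-8859-1\r\n";
    $headers .= $from;
    echo 'accepted: ' . json_encode($headers) . PHP_EOL;
}

// Form action: escape PHP_SELF before echoing it into HTML, as suggested above.
$action = htmlentities($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="' . $action . '">' . PHP_EOL;
```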
dru_nasty
Forum Commoner
Posts: 81
Joined: Sat Sep 10, 2005 10:26 am

Post by dru_nasty »

Thanks for all the input. I was unaware of the great amount of vulnerability. I'll def do some research on the matter to try and prevent it from happening. :)