str_replace not working


andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm


Post by andym01480 »

Done some code for someone and used the following to clean input (with more added rude words).

Code:

//$naughtybits is all the stuff you don't want appearing in an email
$naughtybits=array('\\','+',';','\n','\r','%0A','Content-Type:','MIME-Version:','Content-Transfer-Encoding:','bcc:','cc:','crap');

//Grab form data and clean
$yourname=str_replace($naughtybits,'',$_POST['yourname']);

It works fine on my home XAMPP setup (5.1.1) and on my host's server (4.4.1), but the person I did it for says it doesn't work on their setup.

I've checked the php manual & looked in phpinfo on my setups but can't see any reason why it wouldn't work. Any ideas?
And have I missed any naughtybits that could be used for email injection or sql injection for that matter?
wtf
Forum Contributor
Posts: 331
Joined: Thu Nov 03, 2005 5:27 pm

Post by wtf »

Escape characters will not work with single quotes, I think.
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

Mmmm. Surely the single quotes mean that the \\ is treated as \\ rather than an escaped \?

Just tried

Code:

$yourname="\\escaped\n\rcrap stripped out";
//$naughtybits is all the stuff you don't want appearing in an email 
$naughtybits=array('\\','+',';','\n','\r','%0A','Content-Type:','MIME-Version:','Content-Transfer-Encoding:','bcc:','cc:','crap'); 

//Grab form data and clean 
$yourname=str_replace($naughtybits,'',$yourname);

echo $yourname;

which output

Code:

escaped stripped out

Help! Why does it work on my servers and not on someone else's?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Double-backslash in a single-quoted string is an escaped backslash, just like the test string you are using has an escaped backslash leading it.
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

So are you saying that it's not working on my setup either? It's late and now I'm confused. (This thread should probably be in PHP-Security.)

The bottom line is - am I deluded into thinking I have protected myself from email injection with that code snippet? If so how can it be improved?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I believe in single quotes that only '\\' and '\'' work for escaping, so you need to do "\n" and "\r".
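A worked illustration of the point about single-quoted escapes, added here as an example and not code from the thread. It reuses the poster's own constructed test string and compares the original single-quoted `$naughtybits` with a double-quoted version; `bin2hex()` reveals what `echo` hides, because a browser renders a stray CR or LF as ordinary whitespace and the output looks "clean" when it is not.

```php
<?php
// Added example (not from the thread): why '\n' and '\r' in single quotes
// never match a real line break, and how to see the difference.

// In single quotes only \\ and \' are escape sequences. '\n' is therefore a
// two-character string (backslash, letter n); "\n" is a single LF byte.
var_dump(strlen('\n'));
var_dump(strlen("\n"));

// Constructed test input in double quotes, so it holds a real backslash,
// a real LF and a real CR, just as a decoded form submission would.
$yourname = "\\escaped\n\rcrap stripped out";

// The original list (single-quoted line-break patterns) next to a version
// where the line-break entries are double-quoted.
$naughtybits_single = array('\\', '+', ';', '\n', '\r', '%0A', 'crap');
$naughtybits_double = array('\\', '+', ';', "\n", "\r", '%0A', 'crap');

$cleaned_single = str_replace($naughtybits_single, '', $yourname);
$cleaned_double = str_replace($naughtybits_double, '', $yourname);

// echo makes both results look identical in a browser. bin2hex() shows the
// bytes that are actually left: look for 0a (LF) and 0d (CR) in the first.
echo bin2hex($cleaned_single), "\n";
echo bin2hex($cleaned_double), "\n";

// A check a form handler can run on any value destined for a mail header,
// instead of trusting that a replace list caught everything.
function contains_line_breaks($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

var_dump(contains_line_breaks($cleaned_single));
var_dump(contains_line_breaks($cleaned_double));
```

Running this on any PHP version shows the first `strlen()` as 2 and the second as 1, the first hex dump still containing the `0a0d` pair after `escaped`, and `contains_line_breaks()` returning true for the single-quoted result. That is the behaviour the poster's servers had all along; the test only looked successful because the line breaks were invisible in the rendered page.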
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

aborint is correct. i recently ran into the same problem. can speak from experience =]
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I second the motion...
dibyendrah
Forum Contributor
Posts: 491
Joined: Wed Oct 19, 2005 5:14 am
Location: Nepal

Post by dibyendrah »

Couldn't figure out what the problem in this thread is :roll:
A code sample would make the solution clearer than just a comment, I guess!

Dibyendra
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

I'm back!

What would strip out an email injection attempt then please?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

What do you mean by 'email injection attempt'?
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

Sorry for the obviously not great question!

I thought that "email injection" referred to when a form user adds email headers to a form input for a field like the email address, thus using the form to send spam.

From what I understand, something like

Code:

a@b.co.uk \r\n cc: b@b.co.uk

would mean that the send email address was injected by the form user.

I was trying to crack the problem with str_replace. Got it stripping out naughties like \r, \n, %0A, %0D, cc:, bcc: etc., but then found that an email using mail() would fail to send the stripped result anyway:

Code:

a@b.co.uk b@b.co.uk

I have googled and searched the regex section of this excellent site and found
http://www.iamcal.com/publish/articles/ ... ing_email/ which checks that a valid email address was entered, so I am going to code the form process to reject input that isn't a valid email.

If other form fields make up the body of an email sent when processed, are they in danger of having header-type stuff added?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Just check for illegal characters, error, tell the user to spam someone else (with an XHTML 1.0 compliant page of course) et voila!

What you are doing is "fixing" corrupt user input. It's a bad practice since it allows the possibility of someone evading your filtering logic. Don't do this. Just check if the data is valid or not. If not, make the user fix it - it's their request and their responsibility. If they insist on passing you bad data, record their details and ban their IP for a set period. You can also add a forced delay between all requests to the form from the same IP or source - make their bot progress a torture should they use one...

Again, don't fix bad input.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

If you are expecting a single email address, regex the input field for a single email address compatibility. If it passes, you are golden. If it doesn't, error the script out and send the user a message. I like Maugrim's way of putting it...
Maugrim_The_Reaper wrote: tell the user to spam someone else (with an XHTML 1.0 compliant page of course)
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

Thanks! Am implementing advice!

The other form fields get put into a table that makes up the variable $body. It's an HTML-formatted email.

Code:

mail($email,$subject,$body,$headers);

If headers were placed in $body, are they ignored by the function?
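An added example (not code from the thread or from any of the posters) of the approach Maugrim and Robert recommend: validate and reject rather than strip. It also bears on the last question about `$body`: `mail()` hands the headers and the body to the mail transport as separate parts with an empty line between them, so header-looking lines inside `$body` are delivered as body text; the values that must never contain a line break are the ones that end up in the header block, which is the recipient, the subject and anything placed in `$headers`. `filter_var()` with `FILTER_VALIDATE_EMAIL` assumes PHP 5.2 or later (on the 5.1.1 and 4.4.1 servers mentioned above a regex such as the one in the linked article would take its place); the form field names are hypothetical.

```php
<?php
// Added example (not from the thread): reject header-bound input that carries
// CR or LF, require the address field to be exactly one valid address, and
// only then build the mail() call. Field names are made up for this example.

function is_single_email($value)
{
    // FILTER_VALIDATE_EMAIL accepts one address only, so a value such as
    // "a@b.co.uk, b@b.co.uk" or one carrying "cc:" fails outright.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function is_header_safe($value)
{
    // PHP has already URL-decoded $_POST, so a %0A or %0D in the request
    // arrives here as a real LF or CR byte. A header can only be injected
    // with such a break, so reject the whole submission if one is present.
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns an array of error messages; an empty array means the input passed.
function validate_contact_form(array $post)
{
    $errors = array();
    // Every field that is placed into a header line is checked for breaks.
    foreach (array('yourname', 'email', 'subject') as $field) {
        if (!isset($post[$field]) || !is_header_safe($post[$field])) {
            $errors[] = $field . ': line breaks are not allowed';
        }
    }
    if (isset($post['email']) && !is_single_email($post['email'])) {
        $errors[] = 'email: must be a single valid address';
    }
    return $errors;
}

// Constructed submissions: one clean, one carrying an injected cc: header.
$good = array('yourname' => 'Andy', 'email' => 'a@b.co.uk',
              'subject' => 'Hello', 'message' => 'Hi there');
$bad  = array('yourname' => 'Andy', 'email' => "a@b.co.uk\r\ncc: b@b.co.uk",
              'subject' => 'Hello', 'message' => 'Hi there');

print_r(validate_contact_form($good));
print_r(validate_contact_form($bad));

// Nothing reaches mail() unless validation passed. The body is its own
// argument: the transport sees the header block, a blank line, then $body,
// so header-like text in the body is just body text. The user-supplied
// message is HTML-escaped because the mail is sent as HTML.
$errors = validate_contact_form($good);
if (count($errors) === 0) {
    $headers = 'From: ' . $good['yourname'] . ' <' . $good['email'] . ">\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n";
    $body = '<table><tr><td>' . htmlspecialchars($good['message']) . '</td></tr></table>';
    // mail($good['email'], $good['subject'], $body, $headers);
} else {
    // Report the errors back to the user; do not attempt to repair the input.
    echo implode("\n", $errors), "\n";
}
```

The first `print_r()` shows an empty array and the second lists the two errors for the `email` field (a line break and an invalid address), which is the point of the "reject, don't fix" advice: a submission that fails either check is refused as a whole, so there is no cleaned-up variant for the sender to probe. The commented-out `mail()` line is where the original `mail($email,$subject,$body,$headers)` call belongs once the checks have passed.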