So my questions, about this script, to you seasoned coders are...

So How do I Protect Against Email Header Injection Attacks?
Thankfully, protecting yourself is quite easy - probably the easiest way is for you to check the vulnerable fields for illegal content on receipt by your processing script. My approach was to write a simple function using a regular expression, thus:
All you have to do to check the vulnerable fields is include the function and call it for each one:

<?php
function spamcheck($spammed_field) {
    $spammed_field = strtolower($spammed_field);
    // eregi() was removed in PHP 7; preg_match() with the /i flag is the replacement.
    // 'cc: ' also matches 'bcc: ' as a substring, so both headers are covered.
    if (preg_match('/cc: /i', $spammed_field) || preg_match('/subject: /i', $spammed_field)) {
        // These headers are not always present, so default to '' instead of a notice.
        $spamhost = $_SERVER['REMOTE_HOST'] ?? '';
        $spamrefr = $_SERVER['HTTP_REFERER'] ?? '';
        $spamaddr = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
        if (strlen($spamaddr) < 7) {
            $spamaddr = $_SERVER['HTTP_CLIENT_IP'] ?? '';
        }
        if (strlen($spamaddr) < 7) {
            $spamaddr = $_SERVER['REMOTE_ADDR'];
        }
        $thisfile = $_SERVER['SCRIPT_NAME'];
        $spamtext = "FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";
        mail("spamcheck@domain.tld", "ALERT: $spamaddr", $spamtext, "From: SpamCheck <spamcheck@domain.tld>\r\n");
        die();
    }
}
?>
If either 'Cc:', 'Bcc:' or 'Subject:' is found somewhere it shouldn't be, the script generates an email containing the name of the script and the spammer's IP address, sends it to spamcheck@domain.tld and promptly dies.
include('spamcheck.php');
spamcheck($name);
spamcheck($email);
When I include a call to spamcheck.php in a page and call the function to check the input, for example spamcheck($name) in a form, how does the $spammed_field in the spamcheck.php function know that $name is the $spammed_field? I am not fluent in PHP... does the spamcheck function know that the $spammed_field is $name, or would we have to specify before calling spamcheck.php that $spammed_field == $name and then call spamcheck($spammed_field)?

So basically my question is: can the above spamcheck.php code be used as is, by simply modifying it to the exact field names of our form that we want to have checked for email injection, BCCs etc., ... in this code...
include('spamcheck.php');
spamcheck($name);
spamcheck($email);

So my question is ultimately: is PHP intelligent enough to know, when I call spamcheck.php, that the $spammed_field is always the spamcheck($xyzfield)??

Thanks for your help!

rgmis

PS: Also... as a second question, what are your thoughts about the capacity of this code to seriously help prevent email injection?
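Added example for this thread (not the poster's code and not the quoted article's): a stricter header check in PHP. The loop hands each sample value to the function as its parameter, which is exactly how spamcheck($name) binds the contents of $name to $spammed_field; the function names, addresses and sample inputs are constructed for illustration.

```php
<?php
// Added example, not the quoted article's spamcheck(). That function looks
// for the literal strings "cc: " and "subject: "; the actual injection vector
// is a CR or LF inside a value that ends up on a mail header line, so
// rejecting any line break stops every injected header, whatever its name.

declare(strict_types=1);

/** True when $value can safely be placed on a single mail header line. */
function header_value_is_safe(string $value): bool
{
    // A raw CR/LF, or a %0A/%0D left behind by a sloppy decoder, would let
    // the sender terminate the current header and start a new one.
    if (preg_match('/[\r\n]|%0[aAdD]/', $value)) {
        return false;
    }
    // Keep the article's name-based test as a second, weaker signal.
    return !preg_match('/\b(b?cc|subject|content-type)\s*:/i', $value);
}

/** Address fields get the stricter check: FILTER_VALIDATE_EMAIL also rejects CR/LF. */
function reply_address_is_safe(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        && header_value_is_safe($email);
}

// Constructed sample inputs (hypothetical example.com addresses) => expected verdict.
$samples = [
    'Alice Example'                           => true,
    'alice@example.com'                       => true,
    "Alice\r\nBcc: everyone@example.com"      => false, // injected header
    "Alice\nSubject: buy now"                 => false,
    'alice@example.com%0ACc: bob@example.com' => false, // encoded line break
];

foreach ($samples as $input => $expected) {
    $result = header_value_is_safe($input);
    printf("%-48s %s\n", json_encode($input), $result === $expected ? 'ok' : 'FAIL');
}

// Same calling pattern as spamcheck($email): the argument becomes the parameter.
var_dump(reply_address_is_safe('alice@example.com'));            // bool(true)
var_dump(reply_address_is_safe("alice@example.com\nBcc: x@y"));  // bool(false)
```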