Posted: Wed Oct 25, 2006 12:22 am
That regex is certainly not a bad one. I can't imagine it lets the spam go through; that would make the regex kind of too loose, wouldn't it?
But it can be tested of course. Using the examples on http://www.securephpwiki.com/index.php/Email_Injection you could set up a simple test (like I did before in that older thread).
It is indeed possible that the emails you receive are just the tests. When the email injection started last year, half of my sites got tested during a few weeks. (I wrote the script in a way that I got an email if an attempt was made.) But I'm no expert on email, so maybe someone else can say more about this. You could also ask your host if it's possible to see any log files on email activity. In case your form is really vulnerable, there can be hundreds or thousands of mails being sent, so that should be visible.
More in general, I would write your script in a way that you specifically start by suspecting all input, with an empty array for the clean data (the way I did in my example, an approach I learned from Shiflett), and then only put data in the clean array after making sure it's valid. I personally like that approach because it's too easy to forget one variable. Certainly because your host has register globals on, it's easy to overwrite any variables.
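The "start with an empty clean array" approach described above, as an added example (not the poster's script): every field is rejected unless it passes a check, and only `$clean` is ever handed to `mail()`. The field names, length limits and the constructed test inputs are assumptions.

```php
<?php
// Added example: whitelist-style validation into a clean array for a contact form.
// Field names and limits are assumptions, not taken from any real script.

function cleanContactForm(array $input): ?array
{
    $clean = [];   // nothing is trusted until it has been copied in here

    // Email: must validate, and must contain no CR/LF. A line break inside an
    // address is what lets extra headers be appended to the message.
    $email = $input['email'] ?? '';
    if (!is_string($email) || preg_match('/[\r\n]/', $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $clean['email'] = $email;

    // Single-line fields: non-empty, bounded length, no control characters
    // (which also rules out CR/LF and NUL).
    foreach (['name', 'subject'] as $field) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || $value === '' || strlen($value) > 100
            || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            return null;
        }
        $clean[$field] = $value;
    }

    // Message body may span several lines, but cap its size.
    $message = $input['message'] ?? '';
    if (!is_string($message) || $message === '' || strlen($message) > 5000) {
        return null;
    }
    $clean['message'] = $message;

    return $clean;
}

// Constructed inputs: a legitimate submission and an injection probe of the
// kind the securephpwiki page describes (a header smuggled in via CRLF).
$good = ['name' => 'Alice', 'email' => 'alice@example.com',
         'subject' => 'Hello', 'message' => "Just saying hi.\nAlice"];
$probe = $good;
$probe['email'] = "alice@example.com\r\nBcc: probe@example.com"; // constructed

$result = cleanContactForm($good);
echo $result !== null ? "legitimate form accepted\n" : "legitimate form rejected\n";
if (cleanContactForm($probe) === null) {
    // Here the original script would log/notify, as the poster did, instead of mailing.
    echo "injection probe rejected, nothing passed to mail()\n";
}
```

Because the script only ever reads from `$clean`, a variable overwritten through register_globals never reaches the mail headers unless it was explicitly validated.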