Well, I did some experiments and will summarize them a bit.
What I did was make a simple test script:
<?php
// check_email_address() is the validator from ilovejackdaniels (not shown
// in this post); it must be defined or included before this script runs.
$headers = '';
if (isset($_GET['headers']))
{
    $headers = $_GET['headers'];
    // Escape before echoing so the raw input cannot inject HTML into the page
    echo 'Headers: ' . htmlspecialchars($headers) . '<br> ';
    // ctype_print() is false if any character is outside printable ASCII,
    // which includes the CR/LF that an injected header needs
    if (!ctype_print($headers))
    {
        echo '<p>Sorry, that\'s no good input!</p>';
    }
    if (!check_email_address($headers))
    {
        echo '<p>Sorry, that\'s no valid email address!</p>';
    }
}
?>
(in which check_email_address is the function from ilovejackdaniels)
I tested all the examples from the article
http://securephp.damonkohler.com/index. ... _Injection. Result: with every example both tests return negative (so they do catch the bad input).
In this case, $_GET['headers'] does not contain %0A. That's just the encoded representation of a newline in the context of a URL. Your code does not need to check for %0A. Doing so is useless.
Chris was right, if I look at the outputted source code from one of the examples, I get this:
haxor@attack.com
Content-Type:multipart/mixed; boundary=frog;
--frog
Content-Type:text/html
So, it seems that I can confirm what Chris already said: ctype_print() can be used to check for an email injection attempt. Of course, it can be said that using a good validation function, like the ones from ilovejackdaniels or Roja, will be good enough. But an extra check can't be bad, I think, certainly as this PHP function is so easy to use.
Also, I can imagine that one could take different actions depending on what kind of invalid data is received. If a 'user' posts 'only' an invalid email address, one could return a nice friendly message telling them that the email address is not valid. On the other hand, if automatic, repetitive email injection attempts are made, ctype_print() will catch them and one could return a 404, notify the admin of the attempt, etc.
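As an added example (not the poster's script, nor code from ilovejackdaniels or Roja), the following PHP puts the two-step idea from the post into one function: a printable-character check first, so that a newline-carrying header injection is told apart from a merely mistyped address, and a format check second. It substitutes PHP's built-in filter_var() with FILTER_VALIDATE_EMAIL for the check_email_address() validator the post refers to, and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: classify a submitted address the way the post describes.
// 'injection' = non-printable characters present (CR/LF etc.), 'invalid' =
// printable but not a usable address, 'ok' = passes both checks.
function classify_email_input($value): string
{
    // ctype_* treat integers as ASCII codes, so force a string first.
    $value = (string) $value;
    if ($value === '') {
        return 'invalid';
    }
    // PHP has already decoded %0A / %0D by the time $_GET is filled, so the
    // string holds real "\n" / "\r" bytes; ctype_print() returns false for
    // any byte outside printable ASCII (0x20-0x7E), which catches them.
    if (!ctype_print($value)) {
        return 'injection';
    }
    // Substitute for the ilovejackdaniels validator mentioned in the post.
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    return 'ok';
}

// Respond differently per class, as the post suggests: a friendly message
// for a typo, a terse 404 plus an admin-side log entry for an attempt.
function respond_to(string $class, string $raw): string
{
    switch ($class) {
        case 'ok':
            return 'Thanks, your address was accepted.';
        case 'invalid':
            return 'Sorry, that is not a valid email address.';
        default:
            // error_log() goes to the server log, never back to the client
            error_log('email header injection attempt: ' . addcslashes($raw, "\0..\37"));
            if (!headers_sent()) {
                http_response_code(404);
            }
            return 'Not found';
    }
}

// Constructed inputs: a clean address, a typo, and two payload shapes of the
// kind shown in the post (an address followed by newline and extra headers).
$samples = [
    'alice@example.com',
    'alice@@example.com',
    "haxor@attack.com\nContent-Type:multipart/mixed; boundary=frog;",
    "haxor@attack.com\r\nBcc: someone@example.com",
];

foreach ($samples as $s) {
    $class = classify_email_input($s);
    printf("%-62s => %-9s | %s\n", addcslashes($s, "\r\n"), $class, respond_to($class, $s));
}
```

Run it from the command line (php example.php) to see the four classifications; the two newline-carrying inputs are reported as 'injection' before the address format is even looked at, which is exactly the separation the post describes between "wrong address" and "attempt".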