Am I a victim of Form mail injection?

I am getting these emails from my online form and I cannot tell if I am being used by a spammer...

Name: village8395@paradisedirect.com village8395@paradisedirect.com
Email Address: village8395@paradisedirect.com
Phone: village8395@paradisedirect.com

the
Content-Type: multipart/mixed; boundary=771ba16bb1e02712c7a1a18dc5e90b00
MIME-Version: 1.0
Subject: acquainted he will play you the hoemaker s ance
bcc: charieses329@aol.com
This is a multi-part message in MIME format.
--771ba16bb1e02712c7a1a18dc5e90b00
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
exists, as is here mentioned. ady ingleton had entered into conversation with a linen buyer, or, in the language of the country, a webber
--771ba16bb1e02712c7a1a18dc5e90b00--
.

I'm not sure if anybody can tell from that, but if you can, please let me know. Thanks!
<?php
// Accept only addresses of the form local@domain.tld, where the local part and
// the domain labels use letters, digits, "-", "." and "_", and the TLD is 2-9 letters.
function checkEmail($email) {
    if (!preg_match("/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/", $email)) {
        return false;
    }
    return true;
}

function MAIL_NVLP($fromname, $fromaddress, $toname, $toaddress, $subject, $message)
{
    // Copyright (c) 2005 ECRIA LLC, http://www.ECRIA.com
    // Please use or modify for any purpose but leave this notice unchanged.
    $headers  = "MIME-Version: 1.0\n";
    $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
    $headers .= "X-Priority: 3\n";
    $headers .= "X-MSMail-Priority: Normal\n";
    $headers .= "X-Mailer: php\n";
    // The caller's name and address go straight into the From: header;
    // these are the values that have to be checked for line breaks.
    $headers .= "From: \"" . $fromname . "\" <" . $fromaddress . ">\n";
    return mail($toaddress, $subject, $message, $headers);
}

class validateForm {
    public $fname, $lname, $email, $phone, $subject, $body, $recipient;

    function __construct($array) {
        $this->fname   = $array['fname'];
        $this->lname   = $array['lname'];
        $this->email   = $array['email'];
        $this->phone   = $array['phone'];
        $this->subject = $array['subject'];
        $this->body    = $array['body'];
        // Route the message by subject; anything else goes to the default address.
        switch ($this->subject) {
            case "web design":
                $this->recipient = "webdesigner@sierra-tech.com";
                break;
            case "web hosting":
                $this->recipient = "webdesigner@sierra-tech.com";
                break;
            case "products":
                $this->recipient = "marketing@sierra-tech.com";
                break;
            case "service":
                $this->recipient = "bench@sierra-tech.com";
                break;
            case "ST systems":
                $this->recipient = "bench@sierra-tech.com";
                break;
            case "training":
                $this->recipient = "marketing@sierra-tech.com";
                break;
            case "cingular":
                $this->recipient = "marketing@sierra-tech.com";
                break;
            case "technical":
                $this->recipient = "bench@sierra-tech.com";
                break;
            default:
                $this->recipient = "dean@paradisedirect.com";
        }
    }

    // Returns field => colour for every field that failed, or false if all passed.
    // Only the email address is checked for content; the other fields just have to be non-empty.
    function checkInfo() {
        $errors = array();
        if (empty($this->fname)) {
            $errors['fname'] = "red";
        }
        if (empty($this->lname)) {
            $errors['lname'] = "red";
        }
        if (!empty($this->email)) {
            if (!checkEmail($this->email)) {
                $errors['email'] = "orange";
            }
        } else {
            $errors['email'] = "red";
        }
        if (empty($this->body)) {
            $errors['body'] = "red";
        }
        if ($errors) {
            return $errors;
        }
        return false;
    }

    function mailInfo() {
        $message = "Name: $this->fname $this->lname\nEmail Address: $this->email\nPhone: $this->phone\n\n$this->body";
        // The display name is built from fname/lname and handed to MAIL_NVLP() for the From: header.
        $name = "$this->fname $this->lname";
        if (MAIL_NVLP("$name", $this->email, "Sierra Tech", $this->recipient, "$this->subject - Sierra Tech Online Form", $message)) {
            header("Location: http://www.sierra-tech.com/contactus.php?sent=yes");
        } else {
            header("Location: http://www.sierra-tech.com/contactus.php");
        }
    }
}

$data = new validateForm($_POST);
if ($errors = $data->checkInfo()) {
    $urladd = '';
    foreach ($errors as $key => $val) {
        $urladd .= "$key=$val&";
    }
    // Pass the submitted values back so the form can be refilled.
    foreach ($_POST as $key => $val) {
        $urladd .= "p$key=$val&";
    }
    header("Location: http://www.sierra-tech.com/contactus.php?errors=yes&" . $urladd);
} else {
    $data->mailInfo();
}
?>

Check for any line feeds and carriage returns. See viewtopic.php?t=42190 for a thread with some example solutions and good links about the problem. I had to deal with it last summer...
The simplest function is ctype_print()

// True only if every character in $string is printable ASCII (space included);
// carriage returns and line feeds are control characters, so they fail the test.
function isPrintable($string) {
    if (!ctype_print($string)) {
        return false;
    }
    return true;
}

or

See http://securephp.damonkohler.com/index. ... _Injection

<?php
$from = $_POST["sender"];
// Stop if the sender address contains a carriage return or a line feed.
// eregi() no longer exists in PHP 7+, so a PCRE match does the same check.
if (preg_match("/[\r\n]/", $from)) {
    die("Why ?? ");
}
?>

- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Does this look ok?
<?php
// Accept only addresses of the form local@domain.tld, where the local part and
// the domain labels use letters, digits, "-", "." and "_", and the TLD is 2-9 letters.
function checkEmail($email) {
    if (!preg_match("/^([0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*@([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,9})$/", $email)) {
        return false;
    }
    return true;
}

function MAIL_NVLP($fromname, $fromaddress, $toname, $toaddress, $subject, $message)
{
    // Copyright (c) 2005 ECRIA LLC, http://www.ECRIA.com
    // Please use or modify for any purpose but leave this notice unchanged.
    $headers  = "MIME-Version: 1.0\n";
    $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
    $headers .= "X-Priority: 3\n";
    $headers .= "X-MSMail-Priority: Normal\n";
    $headers .= "X-Mailer: php\n";
    // The caller's name and address go straight into the From: header.
    $headers .= "From: \"" . $fromname . "\" <" . $fromaddress . ">\n";
    return mail($toaddress, $subject, $message, $headers);
}

class validateForm {
    public $fname, $lname, $email, $phone, $subject, $body, $recipient;

    function __construct($array) {
        $this->fname   = $array['fname'];
        $this->lname   = $array['lname'];
        $this->email   = $array['email'];
        $this->phone   = $array['phone'];
        $this->subject = $array['subject'];
        $this->body    = $array['body'];
        // Route the message by subject; anything else goes to the default address.
        switch ($this->subject) {
            case "web design":
                $this->recipient = "webdesigner@sierra-tech.com";
                break;
            case "web hosting":
                $this->recipient = "webdesigner@sierra-tech.com";
                break;
            case "products":
                $this->recipient = "marketing@sierra-tech.com";
                break;
            case "service":
                $this->recipient = "bench@sierra-tech.com";
                break;
            case "ST systems":
                $this->recipient = "bench@sierra-tech.com";
                break;
            case "training":
                $this->recipient = "marketing@sierra-tech.com";
                break;
            case "cingular":
                $this->recipient = "marketing@sierra-tech.com";
                break;
            case "technical":
                $this->recipient = "bench@sierra-tech.com";
                break;
            default:
                $this->recipient = "dean@paradisedirect.com";
        }
    }

    // Returns field => colour for every field that failed, or false if all passed.
    // Name and subject must now be non-empty AND printable ASCII only
    // (ctype_print() rejects carriage returns and line feeds).
    function checkInfo() {
        $errors = array();
        if (!empty($this->fname)) {
            if (!ctype_print($this->fname)) {
                $errors['fname'] = "orange";
            }
        } else {
            $errors['fname'] = "red";
        }
        if (!empty($this->lname)) {
            if (!ctype_print($this->lname)) {
                $errors['lname'] = "orange";
            }
        } else {
            $errors['lname'] = "red";
        }
        if (!empty($this->email)) {
            if (!checkEmail($this->email)) {
                $errors['email'] = "orange";
            }
        } else {
            $errors['email'] = "red";
        }
        if (!empty($this->subject)) {
            if (!ctype_print($this->subject)) {
                $errors['subject'] = "orange";
            }
        } else {
            $errors['subject'] = "red";
        }
        if (empty($this->body)) {
            $errors['body'] = "red";
        }
        if ($errors) {
            return $errors;
        }
        return false;
    }

    function mailInfo() {
        $message = "Name: $this->fname $this->lname\nEmail Address: $this->email\nPhone: $this->phone\n\n$this->body";
        $name = "$this->fname $this->lname";
        if (MAIL_NVLP("$name", $this->email, "Sierra Tech", $this->recipient, "$this->subject - Sierra Tech Online Form", $message)) {
            header("Location: http://www.sierra-tech.com/contactus.php?sent=yes");
        } else {
            header("Location: http://www.sierra-tech.com/contactus.php");
        }
    }
}

$data = new validateForm($_POST);
if ($errors = $data->checkInfo()) {
    $urladd = '';
    foreach ($errors as $key => $val) {
        $urladd .= "$key=$val&";
    }
    // Pass the submitted values back so the form can be refilled.
    foreach ($_POST as $key => $val) {
        $urladd .= "p$key=$val&";
    }
    header("Location: http://www.sierra-tech.com/contactus.php?errors=yes&" . $urladd);
} else {
    $data->mailInfo();
}
?>

It means that you could block out people that actually have a valid email.
Check out Roja's validator
http://svn.gna.org/viewcvs/blacknova/tr ... iew=markup
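An added example (not code from the thread or from the sierra-tech script) that puts the two pieces of advice above together: reject line breaks and other control characters in the fields that MAIL_NVLP() writes into mail() headers, as the ctype_print() replies suggest, and use PHP's own filter_var() address check so that valid addresses are not blocked. The field names follow the form; the two sample submissions are constructed.

```php
<?php
// Added example (not from the thread or the sierra-tech script): check the fields
// that MAIL_NVLP() puts into mail() headers. Field names follow the form above;
// the sample submissions are constructed.

// A value is header-safe when it is a non-empty string containing no control
// characters (CR and LF included). This is the ctype_print() test from the
// thread, widened so that accented names are not rejected.
function isHeaderSafe($value): bool {
    return is_string($value) && $value !== ''
        && preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// PHP's built-in address check instead of the hand-written regex, so legitimate
// addresses such as user+tag@example.co.uk pass. Trailing CR/LF is rejected
// explicitly, since a "$"-anchored regex still matches before a final newline.
function isSafeEmail($value): bool {
    return is_string($value)
        && strpbrk($value, "\r\n") === false
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// From: header with the display name as a quoted-string ('"' and '\' escaped).
function fromHeader(string $name, string $email): string {
    return 'From: "' . addcslashes($name, "\"\\") . '" <' . $email . ">\r\n";
}

// Returns the names of the fields that must not be mailed, [] if all pass.
function rejectedHeaderFields(array $post): array {
    $bad = [];
    foreach (['fname', 'lname', 'subject'] as $field) {
        if (!isHeaderSafe($post[$field] ?? null)) {
            $bad[] = $field;
        }
    }
    if (!isSafeEmail($post['email'] ?? null)) {
        $bad[] = 'email';
    }
    return $bad;
}

// Constructed samples: a probe with a line break and an extra header in the
// name field (the pattern the replies above warn about), and a clean submission.
$probe = ['fname' => "Joe\nBcc: list@example.com", 'lname' => 'Smith',
          'email' => 'joe@example.com', 'subject' => 'products'];
$clean = ['fname' => 'Joe', 'lname' => 'Smith',
          'email' => 'joe+tag@example.co.uk', 'subject' => 'products'];
var_dump(rejectedHeaderFields($probe), rejectedHeaderFields($clean));
echo fromHeader($clean['fname'] . ' ' . $clean['lname'], $clean['email']);
```

Only fields that end up in headers need the control-character test; the message body can stay free-form, since a line break there is just body text.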
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
yep... that would block out my me@mysite.co.uk domains and also I actually have a work email address which is me@my-site-name.manchester.sch.uk
- goodtimetribe
- Forum Newbie
- Posts: 2
- Joined: Thu Feb 02, 2006 3:37 pm
- Location: Dallas, TX
thanks!
jshpro2 wrote:
It means that you could block out people that actually have a valid email.
Check out Roja's validator
http://svn.gna.org/viewcvs/blacknova/tr ... iew=markup

That's some yummy goodness. I appreciate that one
Re: thanks!
goodtimetribe wrote:
That's some yummy goodness. I appreciate that one

Very glad you like it. Credit where it's due - the power came from the original book. That's just a php translation of that power.