Security is an issue for, or should be, for everyone who creates websites, specially dynamic websites where user input is expected. With the now popular e-mail injection, the script writer needs to be ever more vigilant in his coding practices. When we write code for websites we need to have security on our minds, from start to finish.
The following is from the article mentioned above and is suggested to help prevent the e-mail injection attacks:
Solution
To prevent an email header injection attack, you need to filter all input data including any other fields on your forms (such as hidden fields) that may be used by your scripts in the creation of an email. The actual filtering implementation is a matter of programming style.
Filter Before Submit
You can prevent the attack by performing a data validation procedure that will not allow a script to run until the unwanted strings have been removed. For example, the following patterns can be used with PHP's preg_match function. If the function returns false, you can prevent the user from proceeding.
Pattern for filtering fields such as names
- Code: Select all
'/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i'
Pattern for filtering email addresses
- Code: Select all
'/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i'
For example, using the pattern for email addresses, you might do the following:
- Code: Select all
$emailPattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
if (!preg_match($emailPattern, $emailFieldToTest)) {
print 'Please review the email address you entered. There seems to be a problem';
}
Filter After Submit
You can allow a user (or, in this case, the botnet) to submit the form but then clean the data prior to actually processing it. A function like the one below can be used for this purpose.
- Code: Select all
function safe( $name ) {
return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );
}
/*************
NOTE: str_ireplace is a PHP5 function. If you are using an
earlier version of PHP, you can use preg_replace
with the i modifier.
*************/
Another method for filtering after the submit might look like the following. Be sure to change $_POST to $_GET if you are using that method.
- Code: Select all
foreach( $_POST as $value ){
if( stripos($value,'Content-Type:') !== FALSE ){
mail('admin@somehwere.com','Spammer Bot Attempt',$_SERVER['REMOTE_ADDR']);
exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
}
}
Contributing authors:
Rolan Yang
Chris Snyder
Billy Reisinger
Ken Robinson
Hans Zaunere
Chris Shiflett
Jordan Bradford
the PHundamentals team: Jeff Siegel and Mike Southwell "
A must read for the web programmer. Read the article in its entirety HERE
