  1. #1
    New to the CF scene

    Question How to test for email injection

    I'm using the PHP mail function and I have a form with a name field, phone field, email field and message field, which is a text area. The email field (along with the name and phone fields) is displayed in the message and isn't used to send an email to that address. The To: field, Subject: field and From: header are static in the script and are designed to always be the same.

    I was recently trying email injection against my own script so I can then know whether my preventative measures are working or not.

    I've tried putting %0ATo:mysecondemailaddress@provider.com and also %0ACc:mysecondemailaddress@provider.com in the fields, but the email doesn't even send to the proper email address at all. I was just wondering what the correct method to do this is, and also, when I am using preventative methods such as identifying strings and either removing them or denying the email from being sent, what characters such as % should I also be on the lookout for?

    PS: I am going to put a captcha in the script. So this is for protection against malicious users.

    _____
    Edit: OK, here's the code

    PHP Code:
    <?php
    if (!empty($_REQUEST['email'])) {
        $name    = $_REQUEST['name'];
        $phone   = $_REQUEST['phone'];
        $email   = $_REQUEST['email'];
        $message = $_REQUEST['message'];

        // The submitted values are interpolated into the HTML body as-is.
        $message = "<html>
    <head>
    <title>Email Message</title>
    </head>
    <body>
    <table border='1'>
    <tr>
    <th>Name:</th>
    <th>Phone:</th>
    <th>Email:</th>
    <th>Message:</th>
    </tr>
    <tr>
    <td>$name</td>
    <td>$phone</td>
    <td>$email</td>
    <td>$message</td>
    </tr>
    </table>
    </body>
    </html>
    ";

        $headers  = "MIME-Version: 1.0" . "\r\n";
        $headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
        $headers .= 'From: <mail@website.com>' . "\r\n";

        // Note: the recipient here is the address submitted in the form;
        // the subject, From and remaining headers are fixed.
        mail($email, "Contact form submitted", $message, $headers);

        header("Location: contact.php");
        exit;
    }
    ?>
    <form method="post" action="contact.php">
    <table>
        <tr>
            <td class="leftside">Name:</td>
            <td class="rightside"><input style="width:400px;" type="text" name="name" /></td>
        </tr>
        <tr>
            <td class="leftside">Phone:</td>
            <td class="rightside"><input style="width:400px;" type="text" name="phone" /></td>
        </tr>
        <tr>
            <td class="leftside"><b>*Email:</b></td>
            <td class="rightside"><input style="width:400px;" type="text" name="email" /></td>
        </tr>
        <tr>
            <td class="leftside">Message:</td>
            <td class="rightside"><textarea style="width:400px;height:300px;" name="message"></textarea></td>
        </tr>
        <tr>
            <!-- Captcha not implemented yet -->
            <td class="leftside">Captcha:<br />
                 <br />
              Type in the text in the image above (not case-sensitive)</td>
            <td class="rightside"><input style="width:400px;" type="text" name="captcha" /></td>
        </tr>
        <tr>
            <td colspan="2">Fields marked with an asterisk (*) or in bold are required.
    The CAPTCHA image must be matched.</td>
        </tr>
        <tr>
            <td colspan="2"><br /><input type="submit" value="Submit Form"/></td>
        </tr>
    </table>
    </form>
    Last edited by chump2877; 07-22-2011 at 02:17 PM. Reason: Added PHP tags to code
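The post above asks how to check that the script's preventative measures actually catch header injection. One thing the test in the post runs into: the browser percent-encodes what is typed into a form field and PHP URL-decodes the request body before it reaches `$_REQUEST`, so `%0A` typed into the email box arrives in the script as the literal three characters `%`, `0`, `A`, not as a line break. The check therefore has to look for the raw CR/LF/NUL characters that would actually end a header line. The following is an added example (not the poster's code or part of this thread) that validates the header-bound form fields and includes a self-test which passes constructed inputs, including the thread's `%0ATo:` text and a real line break, directly to the validator; the function and field names are assumptions. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): reject header-injection attempts in
// the contact form's header-bound fields, plus a self-test that feeds
// constructed payloads straight to the validator instead of through the
// HTML form.

/**
 * Return true if $value can safely be placed in a mail header: no CR, LF or
 * NUL, and no percent-encoded line break that a later decoding step might
 * unpack into one.
 */
function isHeaderSafe(string $value): bool
{
    // Raw control characters are what actually terminate a header line.
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return false;
    }
    // Encoded forms do not affect mail() itself, but rejecting them avoids
    // surprises if the value is URL-decoded again further downstream.
    if (preg_match('/%0[AaDd]/', $value) === 1) {
        return false;
    }
    return true;
}

/**
 * Validate the contact form; returns a list of error strings (empty = OK).
 * Field names (name, phone, email) match the form in the post above.
 */
function validateContactForm(array $post): array
{
    $errors = [];
    foreach (['name', 'phone', 'email'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || !isHeaderSafe($value)) {
            $errors[] = "$field contains line-break characters";
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

/**
 * Constructed test cases for the validator: [input, expected-to-be-safe].
 * Returns the inputs for which isHeaderSafe() gave the wrong answer; an
 * empty array means every case behaved as intended.
 */
function headerInjectionSelfTest(): array
{
    $cases = [
        ['user@example.com',                        true],
        ["user@example.com\nTo: x@example.com",     false],  // raw LF
        ["user@example.com\r\nCc: x@example.com",   false],  // raw CRLF
        ['user@example.com%0ATo: x@example.com',    false],  // literal "%0A" text, as typed into the form
        ["user@example.com\0",                      false],  // NUL
    ];
    $failures = [];
    foreach ($cases as [$input, $expected]) {
        if (isHeaderSafe($input) !== $expected) {
            $failures[] = $input;
        }
    }
    return $failures;
}

if (PHP_SAPI === 'cli') {
    $failures = headerInjectionSelfTest();
    echo $failures ? 'FAILED: ' . count($failures) . " case(s)\n" : "all cases passed\n";
}
```

Running the file from the command line exercises the validator without any form or mail server involved, which is the simplest way to confirm that the check rejects the raw line-break cases before wiring it into the contact script. Rejecting a submission that fails `validateContactForm()` is preferable to silently stripping characters, since a line break inside a name or e-mail address is never a legitimate entry.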

  • #2
    Senior Coder
    Could you maybe show us your code? Can't really make an educated decision without seeing what you're doing at the moment.

  • #3
    New to the CF scene
    The true way to avoid email injections

    Code:
    <?php

    /**
     * Strip header-injection characters (line breaks, tab, backspace and
     * their URL-encoded forms) from a value destined for an e-mail header.
     *
     * @param string $string
     * @return string
     */
    function safeEmail($string) {
        // The outer parentheses are the pattern delimiters; the 'i' flag also
        // matches the lower-case %0a / %0d encodings.
        return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
    }

    /*** example usage ***/

    $from = isset($_POST['from']) ? $_POST['from'] : '';

    // Over-long values are discarded rather than passed through unfiltered.
    if (strlen($from) >= 100) {
        $from = '';
    }
    $from = safeEmail($from);

    echo htmlspecialchars($from);

    ?>
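The reply above strips line-break characters out of a single header-bound value. The other half of hardening the script from post #1 is making sure that, apart from one validated address, nothing the visitor typed reaches a header at all, and that the values dropped into the HTML body are escaped. The following is an added example (not code from either poster) that builds the contact mail with a fixed To, Subject and From, as the question describes, places the visitor's address only in Reply-To after validation, and HTML-escapes every field. The two addresses, the function names and the `$post` array layout are assumptions; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Assembles the contact e-mail with
// fixed To/Subject/From headers, puts the visitor's address only in Reply-To
// after validation, and HTML-escapes every field before it is interpolated
// into the HTML body. Both addresses below are placeholders.

const CONTACT_TO   = 'contact@website.example';  // placeholder recipient
const CONTACT_FROM = 'mail@website.example';     // placeholder sender

/** HTML-escape one form value for use inside the mail body. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Assemble the mail, or return null when the address cannot be used in a
 * header. Rejecting instead of stripping keeps the behaviour predictable:
 * a line break inside an e-mail address is never a legitimate submission.
 */
function buildContactMail(array $post): ?array
{
    $email = trim((string) ($post['email'] ?? ''));
    if (preg_match('/[\r\n\0]/', $email) === 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $name     = h((string) ($post['name'] ?? ''));
    $phone    = h((string) ($post['phone'] ?? ''));
    $emailEsc = h($email);
    // Escape first, then turn the visitor's own line breaks into <br />.
    $message  = nl2br(h((string) ($post['message'] ?? '')));

    // Nothing typed by the visitor reaches a header except the validated
    // Reply-To address; To, Subject and From are constants.
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=UTF-8\r\n";
    $headers .= 'From: <' . CONTACT_FROM . ">\r\n";
    $headers .= 'Reply-To: <' . $email . ">\r\n";

    $body = "<html><body><table border='1'>"
          . '<tr><th>Name:</th><th>Phone:</th><th>Email:</th><th>Message:</th></tr>'
          . "<tr><td>$name</td><td>$phone</td><td>$emailEsc</td><td>$message</td></tr>"
          . '</table></body></html>';

    return [
        'to'      => CONTACT_TO,
        'subject' => 'Contact form submitted',
        'body'    => $body,
        'headers' => $headers,
    ];
}

/** Send the mail; false means the input was rejected or mail() failed. */
function sendContactMail(array $post): bool
{
    $mail = buildContactMail($post);
    if ($mail === null) {
        return false;  // show a generic error page; do not echo the rejected input back
    }
    return mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}

// Constructed sample submission for a command-line dry run; no mail is sent.
if (PHP_SAPI === 'cli') {
    $sample = [
        'name'    => 'A. Visitor',
        'phone'   => '555-0100',
        'email'   => 'visitor@example.com',
        'message' => "Hello <b>there</b>\nsecond line",
    ];
    $mail = buildContactMail($sample);
    echo $mail === null ? "rejected\n" : $mail['headers'] . "\n" . $mail['body'] . "\n";
}
```

Because the recipient is a constant, a line break in any field can at worst corrupt the message body rather than add a Cc: or Bcc: header, and the `filter_var()` check on the Reply-To value rejects anything containing whitespace or control characters before it is concatenated into `$headers`. The escaping in `h()` is a separate concern from header injection: it keeps markup typed into the form from rendering in the recipient's mail client.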

