[RESOLVED] Code to protect against Email header injection theat.

blanius

It's become clear that to have a emai form is still a vunerablitiy and I'd like to know if anyone has come up with a good way to filter or check for injected headers in form emails?

jara06

could use a wrapper. eg. PEARs Mail
http://pear.php.net/mail

Or simply check and strip input within the serverside php

blanius

I don't see where the PEAR mail really offers anything. I have pretty good mailer code working. I too thought to strip the input but I don't know what to look for.

I had hoped that someone would have come up with a good strip function.

blanius

Ok looks like I'm already good. It seems the inject works when the message is sent raw and if the first lines are proper headers the mailer sees them as headers. But I don't send my message raw, firstly I add some text to it and then to get the line breaks to show I use
$comments=str_replace("\r","\n",$comments); and since a header MUST have \r\n at the end of each they should fail after that function is used.

zoobie

Since this bot tries to inject headers into every field you have, best to check all.

Using your method...

$email=str_replace("\r","\n",$email);
$name=str_replace("\r","\n",$name);
$comments=str_replace("\r","\n",$comments);
$phone=str_replace("\r","\n",$phone);

etc...