To prevent a hacker from filling in their own code in $sender to inject it into the email header,
we do this check:
<?php
$from=$_POST["sender"];
if (eregi("\r",$from) || eregi("\n",$from)){
    die("Why ?? 🙁");
}
?>
So if I input a value in the sender text field, such as test@test.com\r\n, it is supposed to catch the error, but it doesn't, unless I change the code to
<?php
$from=$_POST["sender"];
if (eregi("\r",$from) || eregi("\n",$from)){
    die("Why ?? 🙁");
}
?>
With these settings:
magic_quotes_gpc Off Off
magic_quotes_runtime Off Off
why does $from=$_POST["sender"]; still get the escape slash added?
But if $from is not from $_POST, and I hard-code the value instead, then the checking code works.
<?php
$from="test@test.com\r\n";
if (eregi("\r",$from) || eregi("\n",$from)){
    die("Why ?? 🙁");
}
?>
So what is the difference here between
$from=$_POST["sender"]; (and type in test@test.com\r\n)
and
$from="test@test.com\r\n";
Could somebody explain this? Thanks! Magic quotes are a tricky part; maybe someone else has the same confusion as I have now.
Since $sender has to be a valid e-mail, would it be better, instead of only checking whether there is \n or \r in $sender (where the header injection happens), to just check whether $sender is a valid e-mail? If there is \n or \r in $sender, it will not be a valid e-mail either. This way we would not have to deal with the above code and the magic quote issues but would still prevent header injection from the $sender value, right?
if(!eregi("[a-z0-9-]+(.[a-z0-9-]+)@[a-z0-9-]+(.[a-z0-9-]+)(.[a-z]{2,3})$", $sender))
{
    exit("Invalid E-mail");
}
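
An added example, not part of the original post: it compares a value typed into the form as the characters `\r\n`, a double-quoted PHP literal, and a value carrying real CR/LF bytes, checking each for CR/LF and with `filter_var`. The helper names `has_crlf` and `safe_sender` and all sample values are constructed for illustration; the pattern is the one shown above, run through `preg_match` because `eregi()` was removed in PHP 7.

```php
<?php
// Added example with constructed inputs; has_crlf() and safe_sender()
// are hypothetical helper names, not from the original post.

// True if the value contains a real CR (0x0D) or LF (0x0A) byte.
function has_crlf(string $value): bool
{
    return strpbrk($value, "\r\n") !== false;
}

// Return the address only if it has no CR/LF and is syntactically valid.
function safe_sender(string $value): ?string
{
    if (has_crlf($value)) {
        return null;
    }
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Typed into the form as backslash-r-backslash-n: four ordinary
// characters, which is what single quotes produce (no escape handling).
$typed = 'test@test.com\r\n';
// A double-quoted PHP literal: the escapes become real CR and LF bytes.
$literal = "test@test.com\r\n";
// Real CR/LF bytes in the request body, followed by a valid-looking tail.
$crafted = "first@example.com\r\nX-Added: user.name@mail.example.com";

// The post's pattern as it appears on the page. It has no ^ anchor, so
// only the tail of the value has to look like an address.
$pattern = '/[a-z0-9-]+(.[a-z0-9-]+)@[a-z0-9-]+(.[a-z0-9-]+)(.[a-z]{2,3})$/i';

$samples = ['typed' => $typed, 'literal' => $literal, 'crafted' => $crafted];
foreach ($samples as $name => $value) {
    printf(
        "%-8s len=%2d crlf=%-3s regex=%-4s safe_sender=%s\n",
        $name,
        strlen($value),
        has_crlf($value) ? 'yes' : 'no',
        preg_match($pattern, $value) ? 'pass' : 'fail',
        var_export(safe_sender($value), true)
    );
}
```

The `crafted` row is the case to watch: the unanchored pattern accepts it because only the end of the string has to match, while the CR/LF check and `safe_sender` reject it.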