On this page I found some code to prevent email injection, which I would like your comments on...

So How Do I Protect Against Email Header Injection Attacks?
Thankfully, protecting yourself is quite easy - probably the easiest way is for you to check the vulnerable fields for illegal content on receipt by your processing script. My approach was to write a simple function using a regular expression, thus:

  [CODE]<?php
   // Checks one form field for injected mail headers. eregi() was removed
   // in PHP 7, so the same case-insensitive test is done with preg_match()
   // on the lowercased value.
   function spamcheck($spammed_field) {
    $spammed_field=strtolower($spammed_field);
    if(preg_match("/cc: /",$spammed_field)||preg_match("/subject: /",$spammed_field)) {
     // These $_SERVER keys are not always set; default to '' instead of
     // raising a notice. X-Forwarded-For and Client-IP are client-supplied.
     $spamhost=$_SERVER['REMOTE_HOST'] ?? '';
     $spamrefr=$_SERVER['HTTP_REFERER'] ?? '';
     $spamaddr=$_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
     if(strlen($spamaddr)<7) { $spamaddr=$_SERVER['HTTP_CLIENT_IP'] ?? ''; }
     if(strlen($spamaddr)<7) { $spamaddr=$_SERVER['REMOTE_ADDR'] ?? ''; }
     // Strip line breaks before the address is placed in the alert's Subject: line.
     $spamaddr=str_replace(array("\r","\n"),'',$spamaddr);
     $thisfile=$_SERVER['SCRIPT_NAME'] ?? '';
     $spamtext="FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";
     mail("spamcheck@domain.tld","ALERT: $spamaddr",$spamtext,"From: SpamCheck <spamcheck@domain.tld>\r\n");
     die();
    }
   }
  ?>
[/CODE]
All you have to do to check the vulnerable fields is include the function and call it for each one:

 [CODE] include('spamcheck.php');
  spamcheck($name);
  spamcheck($email);[/CODE]

If 'Cc:', 'Bcc:' or 'Subject:' is found somewhere it shouldn't be, the script generates an email containing the name of the script and the spammer's IP address, sends it to spamcheck@domain.tld and promptly dies.

So my questions, about this script, to you seasoned coders are...

When I include a call to spamcheck.php in a page and call the function to check the input, for example spamcheck($name) in a form, how does the $spammed_field in the spamcheck.php function know that $name is the $spammed_field? I am not fluent in PHP... does the spamcheck function know that $spammed_field is $name, or would we have to specify before calling spamcheck.php that $spammed_field == $name and then call spamcheck($spammed_field)?

So basically my question is: can the above spamcheck.php code be used as is, simply by changing it to the exact names of the form fields we want checked for email injection, BCCs etc., in this code...

 include('spamcheck.php');
      spamcheck($name);
      spamcheck($email);

Or do we have to explain to the spamcheck.php code that $spammed_field == $name, then call spamcheck($spammed_field), then that the next $spammed_field == $email, then call spamcheck($spammed_field), and so on for every field we want to check?

So my question is ultimately: is PHP intelligent enough to know, when I call spamcheck.php, that $spammed_field is always the one passed in spamcheck($xyzfield)?

Thanks for your help !

rgmis

PS: Also, as a second question, what are your thoughts about the capacity of this code to seriously help prevent email injection? 🙂

    Yes, PHP is clever enough!
    $spammed_field only exists within the function; the argument value that you supply to the function call, in this case the value of $name, becomes the value of $spammed_field for the life of the function.

      Thanks for this valuable answer... to a newbie!

      rgmis
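The second question in the original post, whether this check seriously helps against email injection, did not get an answer in the thread. The PHP script below is an added example, not code from the original post or from the page it quotes. It replays the decision the posted spamcheck() makes (its "cc: " / "subject: " substring test on the lowercased value) against a few constructed inputs, and compares it with a stricter rule that rejects any CR, LF or NUL in a value that will land in a mail header. The function names posted_check_flags(), header_value_is_safe() and email_field_is_safe() are this example's own; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original post or the page it quotes.
// Replays the posted spamcheck() decision against constructed inputs and
// compares it with a stricter rule that rejects any line break.
// posted_check_flags(), header_value_is_safe() and email_field_is_safe()
// are names chosen for this example. Requires PHP 7.1+.

// The posted check reduced to its decision, without mail() or die().
// On a lowercased string this is a plain substring test; "bcc: " contains
// "cc: ", which is the only reason Bcc is caught at all.
function posted_check_flags(string $field): bool
{
    $field = strtolower($field);
    return preg_match('/cc: /', $field) === 1
        || preg_match('/subject: /', $field) === 1;
}

// Stricter rule: a value placed on a header line must not contain CR, LF
// or NUL. An injected header needs a line break to start a new line,
// whatever header name follows, so this one test covers Bcc:, To:,
// Reply-To:, Content-Type: and "Bcc:" written without a trailing space.
function header_value_is_safe(string $field): bool
{
    return preg_match('/[\r\n\0]/', $field) === 0;
}

// For an address field, additionally require exactly one syntactically
// valid address, so "a@example.org, b@example.org" or a display name with
// angle brackets cannot be smuggled into From: or Reply-To:.
function email_field_is_safe(string $field): bool
{
    return header_value_is_safe($field)
        && filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs, not captured traffic. The second column is what a
// correct filter should do with the value.
$cases = [
    ['Bob Smith',                                         'accept'],
    ['bob@example.com',                                   'accept'],
    ["Bob\r\nBcc: victim@example.org",                    'reject'],
    ["Bob\r\nBcc:victim@example.org",                     'reject'], // no space after the colon
    ["Bob\r\nTo: victim@example.org",                     'reject'],
    ["Bob\nReply-To: attacker@example.org",               'reject'],
    ["Bob\r\nContent-Type: text/html\r\n\r\n<b>spam</b>", 'reject'],
    ['Re: the subject: refund',                           'accept'], // no line break, harmless
];

printf("%-52s %-8s %-8s %s\n", 'input', 'should', 'posted', 'strict');
foreach ($cases as [$input, $should]) {
    $posted = posted_check_flags($input) ? 'reject' : 'accept';
    $strict = header_value_is_safe($input) ? 'accept' : 'reject';
    printf("%-52s %-8s %-8s %s\n", addcslashes($input, "\r\n"), $should, $posted, $strict);
}

// In a form handler, this replaces the posted spamcheck() calls:
//   if (!header_value_is_safe($_POST['name'] ?? '')
//       || !email_field_is_safe($_POST['email'] ?? '')) {
//       http_response_code(400);
//       exit('Invalid input');
//   }
```

Running it shows the posted rule catching only the "Bcc: " payload with a space after the colon, passing the Bcc-without-space, To:, Reply-To: and Content-Type: payloads (the last of which also injects a new message body), and flagging the harmless "Re: the subject: refund". The strict rule gets all eight right, because it keys on the line break the attacker cannot do without rather than on a guessed list of header names.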
