Protect against interjection?

horhif

Hi, I've only been using PHP a few weeks now so please bear with me.

I have the basic script below. Basically I want users to enter their email address on my website, this email address is then entered onto my database and an email containing a link is automatically emailed to the user.

The script below does this. However, I have been advised to secure against interjection attacks. I've read about this, however, I am a little stuck about how to proceed.

My form below rejects any blank entry into the submit box. Also, if the user doesn't enter his correct email address he will obviously not get my email containing a link (which is the whole point of the exercise)

anyhow, how do i go about protecting again interjection? (i have also set the permissions to the database as "update" only as some form of protection.)

Can i also reject entries that do not contain the @ symbol?

Thanks for any help.

<?php

$con = mysql_connect("localhost","**t","****");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("b**_**", $con);

// Check if a person has clicked on submit.
if(isset($POST['submit'])) {
// Check if a person has filled every form.
if(empty($POST['email'])) {
echo "You have to send us your email address."; // Display the error message.

	exit; // Stop the code to prevent the code running after redirecting.
}

// Create variables from each $_POST.
$email = $_POST['email'];

// Create a variable containing the SQL query.
$query = "INSERT INTO `users` (email) VALUES ('$email')";
// Perform the SQL query on the database.
$result = mysql_query($query);
// If the query failed, display an error.
if(!$result) { 
	echo "Your query failed. " . mysql_error(); // The dot seperates PHP code and plain text.
} else {
	// Display a success message!
	echo "Thanks.  Please check your email account.  We have emailed you a link to our Generic Logo Creation";
}

}
$mail_from = "info@*******e.com";
$mail_to = $_POST['email'];
$mail_body = "Hello test";
$mail_subject = "mail test more";

$mail_header = "From: ".$name." <".$mail_from.">\r\n";

$sendmail = mail ($mail_to, $mail_subject, $mail_body, mail_header);
if($sendmail == true)

mysql_close($con)

NogDog

SQL injection (not "interjection", by the way) is prevented by using the applicable escaping mechanism for the database interface being used. In this case, since you are using the mysql_*() functions, you would use [man]mysql_real_escape_string/man to do the escaping of the user inputs. (The linked manual page should explain it as well or better than I can, but if you have any questions after reading it, post them here.)

horhif

thanks a lot.

much appreciated. cheers

sneakyimp

I think the injection horhif needs to watch out for is mail header injection. I'm not really sure what you're doing and it may actually still be safe, but if $name or $mail_from contains data from a form, someone could POST some extra information in there which could CC or BCC additional email addresses. This happened to a mail form that I created one time and my form became an open relay for spammers. It was quite embarrassing.

If you don't put any user-submitted information in your mail headers or mail message then you have nothing to worry about. If you DO, then you need to maybe try and protect yourself a little more.

NogDog

sneakyimp;10922566 wrote:
I think the injection horhif needs to watch out for is mail header injection. I'm not really sure what you're doing and it may actually still be safe, but if $name or $mail_from contains data from a form, someone could POST some extra information in there which could CC or BCC additional email addresses. This happened to a mail form that I created one time and my form became an open relay for spammers. It was quite embarrassing.

If you don't put any user-submitted information in your mail headers or mail message then you have nothing to worry about. If you DO, then you need to maybe try and protect yourself a little more.

Good point: I didn't read all that source code in detail. (It would be much easier to read, Horhif, if you typed/pasted it within this site's [noparse]

...

[/noparse] bbcode tags.) It may be that both need to be addressed: database SQL injection (lets people do nasty things to your database) and mail header injection (lets spammers use your form to send spam).