Comments on: Email injection exploit through a PHP contact form

By: DrTebi

DrTebi — Mon, 01 Oct 2007 22:53:30 +0000

I know this article is a bit outdated, but for those checking it out and running PHP 5 >= 5.2.0, check out the Filter Functions:
http://us3.php.net/filter

By: Chik

Chik — Thu, 30 Aug 2007 18:01:52 +0000

Thanks… but I’m not experienced enough with php to know how to implement these suggestions safely. Can anyone recommend a solid script that I can buy which will protect against injection?

By: Alex

Alex — Thu, 28 Jun 2007 21:44:27 +0000

what about limiting the form field I mean a simple 15 letter limitation should basicly limit most of the problem

By: will

will — Thu, 21 Jun 2007 07:29:54 +0000

Hi. I used your code in my site and it works fine except for cc: . When I tested out cc: in my contact form it always gives me a 406 error, with any of the other situations such as to:, it works as expected and it leads through to my own planned response (please re-enter your e-mail without dangerous, possibly spam causing strings such as to:). any ideas?

By: jean

jean — Mon, 20 Nov 2006 09:26:21 +0000

I tested a form using the hex characters and succeeded in sending additional copies of mail in this fashion.
The body of the message is not necessarily secure – I added %0a%0dcc:name@domain.com at the very end of a message and succeeded in sending a message.
I decided to remove ‘:’s and replace @ with .AT. for a nervous client in addition to checking for \r, \n, etc. etc. and so far it is holding up very well.

By: MB

MB — Fri, 15 Sep 2006 07:35:46 +0000

Why not just use the filter solution used in the SecurePHP article? First, urldecode the field, then eregi for \r or \n. If either is present, then deny. Won’t this catch any hack attempt to added header fields?

By: Steffen

Steffen — Sat, 19 Aug 2006 11:27:39 +0000

i hae to hack a homepage coz they deleted our and i dont know how i can hack there homepage… i need help when you see this mail , i try to hack the page but im sure it wont work ^^ … http://www.ts-gamers.de.ki and http://www.ts-gamers.de.vu hack these homepages pls … THANK YOU

By: Kat

Kat — Thu, 25 May 2006 15:03:30 +0000

And if just verify that the from-field is a valid email, with the regex like this
eregi(“^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$”, $from)?

Thank you

By: Chad

Chad — Wed, 05 Apr 2006 04:53:05 +0000

The bcc: is probably redundant since cc: should cover both

By: Hugo

Hugo — Tue, 07 Feb 2006 15:44:32 +0000

Hi Tony,

have you actually tried to test whether the
0×0A injection business works?
I read the same article on damonkohler.com
and tested my own form, but as far as I can see,
neither %0A or 0×0A (or with 0×0D etc.)
actually created a newline, so the attack
wouldn’t work.
Might be hosting-specific or something I don’t know..