Is it safe?
August 11, 2007 11:42 AM
Is this PHP form to email script safe from email header injection?
I've read dozens of pages on email header injection, including some from here with helpful comments, but some of the information I've read is contradictory and I don't know what is true.
That script above says it can be freely modified, so I've modified it to check for post elements and to fail without them (we don't want blank emails) and also to fail if certain fields are empty.
What I'm worried about now, though, is if more information can be added to it to use for spamming people. I haven't had an email injection regex on it because I didn't know about them before this comment in a recent thread here. I do not want to leave a form up if it can be hijacked.
I've tried modifying the code to put a regex on the field values and to fail if there's a match, but the result is that it properly fails when it should, but doesn't email the results when everything's okay. I'm not sure if the server's flaking out, if the account has been flagged as spammy, or if--more likely--I've nested something improperly. In any case I'm not getting a PHP error, but I thought I'd back up and ask the broader question: is that script safe as-is? (Can I drop this and get on with my weekend?) I'm not finding any discussions about it elsewhere.
I highly recommend the Swift Mailer. I didn't go over the script you posted but Swift is pretty hard to beat from a functional and security standpoint.
posted by purephase at 7:23 PM on August 11, 2007
Thanks, hattifattener. I'm a third-rate PHP programmer at best, so I can't really say much about that article. But if it's true that what they want to do is check the length of a string, well, this O'Reilly PHP book I have suggests strlen().
purephase, thanks for the suggestion. Part of what prompted this question is that I have just a little knowledge of PHP, and probably not enough to modify a complicated script to get it to do what I want. If the one I have works as-is, then I'm tempted to leave it alone.
Incidentally, my hosting company got back to me and said that the account isn't blocked or throttled in any way, and that they're puzzled about why I stopped getting results from the script after I restored it to its last known-good version. Hm....
posted by Tuwa at 10:29 PM on August 11, 2007
Somebody mistook the submission form for a comment form and started spamming it with HTML-formatted and BBCode-formatted comments, so I ended up adding some checks to catch and discard spam anyway.
posted by Tuwa at 9:48 AM on October 5, 2007
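The check discussed in this thread, as an added example that is not part of the original posts or of the script being asked about: form values that end up in mail headers are rejected if they contain a line break, and every failure returns early so the success path still reaches the send step. The field names (`name`, `email`, `message`), the addresses and the helper names `header_safe` and `build_mail` are assumptions made for illustration.

```php
<?php
// Added example. Field names and addresses are constructed placeholders.

// True when the value has no CR, LF or NUL, so it cannot start a new header line.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

// Returns the mail() arguments, or null when the submission must be discarded.
// Guard clauses return early so the success path is never buried in nested ifs.
function build_mail(array $post): ?array
{
    foreach (['name', 'email', 'message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return null; // missing or empty field: no blank emails
        }
    }
    $name  = trim($post['name']);
    $email = trim($post['email']);
    // Only values that end up in headers need the check; the body may contain newlines.
    if (!header_safe($name) || !header_safe($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return [
        'to'      => 'owner@example.com', // fixed recipient, never taken from the form
        'subject' => 'Form submission from ' . $name,
        'body'    => $post['message'],
        'headers' => "From: forms@example.com\r\nReply-To: " . $email,
    ];
}

// Constructed sample submissions.
$samples = [
    'normal'       => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => "Hi\nthere"],
    'empty field'  => ['name' => 'Ann', 'email' => '', 'message' => 'Hi'],
    'extra header' => ['name' => 'Ann', 'email' => "ann@example.com\r\nBcc: other@example.com", 'message' => 'Hi'],
];
foreach ($samples as $label => $post) {
    $mail = build_mail($post);
    echo $label . ': ' . ($mail === null ? 'rejected' : 'accepted') . "\n";
    // On a live form, send only when $mail !== null:
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```

The `mail()` call is left commented out so the block runs offline; the recipient is hard-coded so the form cannot be pointed at arbitrary addresses.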
posted by hattifattener at 3:45 PM on August 11, 2007