Can you use mail() in PHP without creating an unsecure, open mail relay?
December 28, 2005 4:30 PM Subscribe
Can you use mail() in PHP without creating an unsecure, open mail relay boon to spammers everywhere? I keep trying to read This Page, and I think I understand it, but I'm not sure.
Like I said, I think I understand the problem, but I don't feel confident in my abilities to reasonably evaluate all the many solutions I've found. I've read through This Recent Related Question.
Would somebody that really knows there stuff tell me if passing anything that will go into mail() through this function would be enough to clean it? Most scripts I've seen are blocking \r and \n. I don't see anybody blocking "%0A" or other hexadecimal equivalents to line breaks. Is that because users can't use those to inject headers or because none of the forms I'm seeing are really secure?
Like I said, I think I understand the problem, but I don't feel confident in my abilities to reasonably evaluate all the many solutions I've found. I've read through This Recent Related Question.
Would somebody that really knows there stuff tell me if passing anything that will go into mail() through this function would be enough to clean it? Most scripts I've seen are blocking \r and \n. I don't see anybody blocking "%0A" or other hexadecimal equivalents to line breaks. Is that because users can't use those to inject headers or because none of the forms I'm seeing are really secure?
In other words, if you see %OA, it means someone did %25OA.
posted by delmoi at 4:49 PM on December 28, 2005
posted by delmoi at 4:49 PM on December 28, 2005
Good security practice is to disallow everything and explicitly allow the things you want. Do you really want your script to be generic? Surely you can restrict the sender? The recipient? The fewer options you give, the better. Don't overdesign.
Perhaps all you want to allow is a subject line and message body? And if so, do a regular expression check to verify that they only have valid ([\w\.\-]+ perhaps?) characters.
posted by quiet at 5:53 PM on December 28, 2005
Perhaps all you want to allow is a subject line and message body? And if so, do a regular expression check to verify that they only have valid ([\w\.\-]+ perhaps?) characters.
posted by quiet at 5:53 PM on December 28, 2005
* Only accept what you expect, make it easy on yourself - plain text - nothing else.
* Filter for common phrases, especially BCC:, CC: , To:, Content-Type:.
* Hard code the destination address if at all possible.
It's only an email form on a website, it shouldn't be mission critical; You're not aiming for 99.999% delivery, so it's better to be cautious and dump suspect mail than try to clean it up and send it.
posted by oliyoung at 8:07 PM on December 28, 2005
* Filter for common phrases, especially BCC:, CC: , To:, Content-Type:.
* Hard code the destination address if at all possible.
It's only an email form on a website, it shouldn't be mission critical; You're not aiming for 99.999% delivery, so it's better to be cautious and dump suspect mail than try to clean it up and send it.
posted by oliyoung at 8:07 PM on December 28, 2005
Anyway, as long as you don't use anything from the form in the *headers*, and only put it in the body, you should be fine. Which would be the case if you have a hard-coded destination address (feedback@yoursite.com or whatever).
posted by littleme at 10:46 PM on December 28, 2005
posted by littleme at 10:46 PM on December 28, 2005
Response by poster: I'm looking at password recovery and password verification which means I need to be putting a user supplied to address in there, so the user will definitely have access to the headers.
I am validating the e-mail address which will probably cover me, but I'm looking for extra security just in case. Does this function look like it would cover me, or is there something else that I should add to that to be extra safe?
posted by willnot at 12:46 AM on December 29, 2005
I am validating the e-mail address which will probably cover me, but I'm looking for extra security just in case. Does this function look like it would cover me, or is there something else that I should add to that to be extra safe?
posted by willnot at 12:46 AM on December 29, 2005
You shouldn't be using mail() anyway.
PHPMailer is the way to go.
posted by Sharcho at 6:54 AM on December 29, 2005
PHPMailer is the way to go.
posted by Sharcho at 6:54 AM on December 29, 2005
If you're doing password recovery and verification, the message body is being provided by your script, right? That would probably make it useless to a spammer, even if he could manage to inject other recipient addresses into the headers. (As opposed to a comment form, where the user provides the message body.)
posted by staggernation at 7:05 AM on December 29, 2005
posted by staggernation at 7:05 AM on December 29, 2005
I should clarify: It is possible to inject a message body as well, but it's unlikely that any message a spammer would want to send would fit into the email address field (you can simply check the length and limit it to a reasonable number of characters).
posted by staggernation at 7:37 AM on December 29, 2005
posted by staggernation at 7:37 AM on December 29, 2005
This thread is closed to new comments.
posted by delmoi at 4:47 PM on December 28, 2005