Is it safe?
August 11, 2007 11:42 AM   Subscribe

Is this PHP form to email script safe from email header injection?

I've read dozens of pages on email header injection, including some from here with helpful comments, but some of the information I've read is contradictory and I don't know what is true.

That script above says it can be freely modified, so I've modified it to check for post elements and to fail without them (we don't want blank emails) and also to fail if certain fields are empty.

What I'm worried about now, though, is if more information can be added to it to use for spamming people. I haven't had an email injection regex on it because I didn't know about them before this comment in a recent thread here. I do not want to leave a form up if it can be hijacked.

I've tried modifying the code to put a regex on the field values and to fail if there's a match, but the result is that it properly fails when it should, but doesn't email the results when everything's okay. I'm not sure if the server's flaking out, if the account has been flagged as spammy, or if--more likely--I've nested something improperly. In any case I'm not getting a PHP error, but I thought I'd back up and ask the broader question: is that script safe as-is? (Can I drop this and get on with my weekend?) I'm not finding any discussions about it elsewhere.
posted by Tuwa to Computers & Internet (4 answers total) 4 users marked this as a favorite
Best answer: At a glance, I'd say it is safe: the only parameter of the mail() function that the user has any control over is the message body field, and there shouldn't be a way to cause problems by injecting crud there (unlike the other parameters, which are more sensitive). Can't be sure without examining the internals of the mail() function in php, though, and a lot of php internals are really poorly written.
posted by hattifattener at 3:45 PM on August 11, 2007

I highly recommend the Swift Mailer. I didn't go over the script you posted but Swift is pretty hard to beat from a functional and security standpoint.
posted by purephase at 7:23 PM on August 11, 2007 [1 favorite]

Response by poster: Thanks, hattifattener. I'm a third-rate PHP programmer at best, so I can't really say much about that article. But if it's true that what they want to do is check the length of a string, well, this O'Reilly PHP book I have suggests strlen().

purephase, thanks for the suggestion. Part of what prompted this question is that I have just a little knowledge of PHP, and probably not enough to modify a complicated script to get it to do what I want. If the one I have works as-is, then I'm tempted to leave it alone.

Incidentally, my hosting company got back to me and said that the account isn't blocked or throttled in any way, and that they're puzzled about why I stopped getting results from the script after I restored it to its last known-good version. Hm....
posted by Tuwa at 10:29 PM on August 11, 2007

Response by poster: Somebody mistook the submission form for a comment form and started spamming it with HTML-formatted and BBCode-formatted comments, so I ended up adding some checks to catch and discard spam anyway.
posted by Tuwa at 9:48 AM on October 5, 2007

« Older Help me out of my housing and schooling nightmare   |   Can we clear customs with homemade dehydrated food... Newer »
This thread is closed to new comments.