PHP Secure E-mails
In the previous section of the PHP e-mail script, there is a vulnerability.
PHP e-Mail injection
First, take a look at the PHP code in the chapter:
The problem with the above code is that an unauthorized user can insert data into the header of the message by entering the form.
What happens if the user adds the following text to the e-mail message in the form's input box?
[Email protected]%0acc:[email protected]%0abcc:[email protected],[email protected],[email protected],[email Protected]%0abto:[email protected]
As always, the mail () function puts the above text in the header of the message, and now the head has an extra Cc:, BCC: And to: Fields. When the user clicks the Submit button, the e-mail will be sent to all the addresses above!
PHP prevents e-mail injectionThe best way to prevent e-mail injection is to validate the input.
The following code is similar to the one in the previous chapter, but here we have added an input validator for the email field in the detection form:
In the code above, we used a PHP filter to validate the input:
- Filter_sanitize_email filter removes illegal characters from a string in an e-mail message
- Filter_validate_email Filter Verify the value of the e-mail address
PHP Secure email to prevent mail injection