The best way to inject e-mail is to validate the input

Source: Internet
Author: User
Keywords Network programming PHP tutorial
Tags address code echo email e-mail e-mail is example html
PHP E-mail injection

First, look at the PHP code in the previous section:

<html> <body> <? php if (isset ($ _ REQUEST ['email'])) // if "email" is filled out, send email {// send email $ email = $ _REQUEST ['email']; $ subject = $ _REQUEST ['subject']; $ message = $ _REQUEST ['message']; mail ("someone@example.com", "Subject: $ subject", $ message, "From: $ email"); echo "Thank you for using our mail form";} else // if "email" is not filled out, display the form {echo "<form method = 'post' action = 'mailform.php'> Email: <input name = 'email' type = 'text' /> <br /> Subject: <input name = 'subject' type = 'text' /> <br /> Message: <br /> <textarea name = 'message' rows = '15' cols = '40 '> </ textarea> <br /> <input type =' submit '/> </ form> ";}?> </ Body> </ html>

The problem with the above code is that an unauthorized user can insert data into the header of a message by entering the form.

If the user in the form of the input box to join these text, what will happen?

someone@example.com%0ACc: person2@example.com% 0ABcc: person3 @ example.com, person3@example.com, anotherperson4@example.com, person5 @ example.com% 0ABTo: person6@example.com

As usual, the mail () function puts the above text in the header of the message, so now the header has additional Cc :, Bcc:, and To: fields. When the user clicks the submit button, this e-mail will be sent to all the above address!

PHP to prevent E-mail injection

The best way to prevent e-mail injection is to validate the input.

The code below is similar to the previous section, but we have added the input validation procedure for email fields in the test form:

<html> <body> <? php function spamcheck ($ field) {// filter_var () sanitizes the e-mail // address using FILTER_SANITIZE_EMAIL $ field = filter_var ($ field, FILTER_SANITIZE_EMAIL); // filter_var () validates the e -mail // address using FILTER_VALIDATE_EMAIL if (filter_var ($ field, FILTER_VALIDATE_EMAIL)) {return TRUE;} else {return FALSE;}} if (isset ($ _REQUEST ['email'])) {// if "email" is filled out, proceed // check if the email address is invalid $ mailcheck = spamcheck ($ _ REQUEST ['email']); if ($ mailcheck == FALSE) {echo "Invalid input";} else {// send email $ $ subject = $ _REQUEST ['subject']; $ message = $ _REQUEST ['message']; mail ("someone@example.com", "Subject: $ subject", $ echo "Thank you for using our mail form";}} else {// if "email" is not filled out, display the form echo "<form method = 'post' action = 'mailform.php'> Email: <input name = 'email' type = 'text' /> <br /> Subject: <input name = 'subject' type = 'text' /> <br /> Message: <br /> <text area name = 'message' rows = '15 'cols = '40'> </ textarea> <br /> <input type = 'submit' /> </ form> ";}?> </ body> </ html >

In the code above, we used a PHP filter to validate the input:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.