February 15th, 2007, 12:34 PM, #1, posted by EdgeWalker (Seattle, WA)
Email injection attack - simple protection method?

I was thinking about simpler ways to help prevent the email injection attack that is used on forms that use PHP's mail() function. I thought about a few complex regexp rules, but then decided - what if I just search through all the text in each field and remove any "@" symbols found except for exactly one, which is allowed in the sender field? Then remove any % symbols to prevent new lines.

Is my understanding of the attack too simplistic? It seems like it doesn't matter if they try to inject recipients into the fields because they couldn't put any more than one working address in, and ONLY in the sender field.
February 15th, 2007, 01:44 PM, #2, posted by grahame (Melksham, Wilts, UK)
Re: Email injection attack - simple protection method?

I would sanitise the subject and extra header lines with a regular expression to knock out any \r \n and %0A elements in the subject and extra headers. The rules don't need to be complex.
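A minimal check in the spirit of the two posts above, written as an added example rather than code from the thread; the field values, addresses and function names are assumed. PHP has already URL-decoded form data by the time it reaches $_POST, so the check looks for real CR and LF bytes rather than the literal text %0A:

```php
<?php
// Added example (not from the thread): reject header injection before calling mail().

/**
 * A value destined for a single mail header line must contain no CR, LF or NUL,
 * otherwise a client can terminate the line and append headers of its own.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Validate the user-supplied values a typical contact form feeds into mail().
 * Returns a list of error strings; an empty list means the input may be used.
 */
function validateContactForm(string $from, string $subject, string $body): array
{
    $errors = [];
    // The sender must be exactly one well-formed address on one line.
    if (!isSafeHeaderValue($from) || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'sender must be a single well-formed address without line breaks';
    }
    if (!isSafeHeaderValue($subject)) {
        $errors[] = 'subject must not contain line breaks';
    }
    // The body may contain newlines: it sits below the header block, so extra
    // "To:"/"Bcc:" lines there are just text and are never parsed as headers.
    return $errors;
}

// Constructed sample inputs: a legitimate submission and the kind of
// line-break injection the thread describes.
$good = ['alice@example.com', 'Question about pricing', "Hi,\nhow much is it?"];
$bad  = ["alice@example.com\nBcc: someone@example.net", 'Hello', 'spam'];

foreach (['good' => $good, 'bad' => $bad] as $label => $fields) {
    $errors = validateContactForm(...$fields);
    echo $label, ': ', $errors === [] ? 'accepted' : implode('; ', $errors), PHP_EOL;
}

if (validateContactForm(...$good) === []) {
    [$from, $subject, $body] = $good;
    // Build headers only from validated values; never concatenate raw form input.
    $headers = 'From: ' . $from . "\r\n" . 'Reply-To: ' . $from;
    // mail('owner@example.com', $subject, $body, $headers);  // assumed recipient
}
```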