tags:

views:

137

answers:

3
Q: 

php Form to Email sanitizing

Hi,

im using the following to send a contact us type form, iv looked into security and only found that you need to protect the From: bit of the mail function, as ive hardcoded this does that mean the script is spamproof / un-hijackable

$tenantname = $_POST['tenan']; 
$tenancyaddress = $_POST['tenancy'];
$alternativename = $_POST['alternativ'];
//and a few more
//then striptags on each variable

$to = "[email protected]";
$subject = "hardcoded subject here";
$message = "$tenantname etc rest of posted data";
$from = "[email protected]";
$headers = "From: $from";

mail($to,$subject,$message,$headers);
+2  A: 

Unhijackable? Yes.

Spamproof? I wouldn't describe it as that, as the form can still be used to spam the target of the form.

Narcissus  2010-04-30 12:33:19
A: 

If you're using form data to create $from (not quite sure from your code), $from could be used to add additional headers (BCC/CC), kind of like SQL injection.

Update: Now with the code a bit more readable, I realize that shouldn't be a problem for you.

Tim Lytle  2010-04-30 13:08:46
Its called crlf(`\r\n`) injection and its nothing like sql injection.
Rook  2010-04-30 17:23:17
I'd argue that it is similar, since like SQL injection you're able to end the current 'statement' (in this case a header), and add additional 'commands' (in this case headers).Since SQL injection is (should be?) well known to PHP developers (more so than crlf injection), it seemed like a good way to explain it.
Tim Lytle  2010-04-30 17:55:16
A: 

There are a few considerations $headers must never be controlled by an attacker. If they can control this variable then they can inject a crlf \r\n and turn this forum into an open spam gateway. PHP-Nuke was vulnerable to this a while back.

The 2nd consideration is rate limiting. A dumb bot is going to this this forum a few thousand times. They might not even spamming, but just scanning your site for sql injection to break in. You should use reCapthca to prevent bots from submitting this forum.

Rook  2010-04-30 17:22:27

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases