views: 137

answers: 3

Hi,

I'm using the following to send a contact-us type form. I've looked into security and only found that you need to protect the From: bit of the mail function. As I've hardcoded this, does that mean the script is spam-proof / un-hijackable?

<?php
$tenantname = strip_tags($_POST['tenan'] ?? '');
$tenancyaddress = strip_tags($_POST['tenancy'] ?? '');
$alternativename = strip_tags($_POST['alternativ'] ?? '');
//and a few more, each passed through strip_tags() the same way

$to = "[email protected]";
$subject = "hardcoded subject here";
$message = "$tenantname etc rest of posted data";
$from = "[email protected]"; // hardcoded, not taken from the form
$headers = "From: $from";

mail($to, $subject, $message, $headers);
+2  A: 

Unhijackable? Yes.

Spamproof? I wouldn't describe it as that, as the form can still be used to spam the target of the form.

Narcissus
A: 

If you're using form data to create $from (not quite sure from your code), $from could be used to add additional headers (BCC/CC), kind of like SQL injection.

Update: Now with the code a bit more readable, I realize that shouldn't be a problem for you.

Tim Lytle
It's called CRLF (`\r\n`) injection and it's nothing like SQL injection.
Rook
I'd argue that it is similar, since like SQL injection you're able to end the current 'statement' (in this case a header) and add additional 'commands' (in this case headers). Since SQL injection is (should be?) well known to PHP developers (more so than CRLF injection), it seemed like a good way to explain it.
Tim Lytle
A: 

There are a few considerations. $headers must never be controlled by an attacker. If they can control this variable then they can inject a CRLF (\r\n) and turn this form into an open spam gateway. PHP-Nuke was vulnerable to this a while back.

The 2nd consideration is rate limiting. A dumb bot is going to hit this form a few thousand times. They might not even be spamming, but just scanning your site for SQL injection to break in. You should use reCAPTCHA to prevent bots from submitting this form.

Rook
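The header-injection point raised in the answers above, as an added example that is not part of the original question or answers: a small helper that refuses any header value containing a CR or LF, so a form field can never be turned into extra header lines if it is ever placed in $headers (for instance as a Reply-To). The e-mail addresses used are constructed sample values.

```php
<?php
// Added example: reject header values that contain \r or \n. A bare CR/LF inside
// a value ends the current header line, which is what allows extra headers such
// as Bcc: to be appended (the "CRLF injection" described in the answers).
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Build the $headers string for mail() from a fixed set of header names.
// Returns null if any value fails the check, so the caller can refuse to send
// instead of passing attacker-controlled lines to the mail transport.
function build_mail_headers(array $headers): ?string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        if (!header_value_is_safe((string) $value)) {
            return null;
        }
        $lines[] = $name . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

// Constructed inputs: a normal Reply-To taken from a form field, and one that
// carries an embedded CRLF followed by an extra header line.
$good = build_mail_headers([
    'From'     => 'noreply@example.com',
    'Reply-To' => 'visitor@example.com',
]);
$bad = build_mail_headers([
    'From'     => 'noreply@example.com',
    'Reply-To' => "visitor@example.com\r\nBcc: someone-else@example.com",
]);

echo $good !== null ? "good input accepted\n" : "good input rejected\n";
echo $bad === null ? "CRLF input rejected\n" : "CRLF input accepted\n";

// Only send when the headers passed the check; the body is a separate mail()
// argument, so strip_tags() on the form fields is about HTML, not about headers.
if ($good !== null) {
    // mail('[recipient placeholder]', 'hardcoded subject here', 'body', $good);
}
```

With the form's From: hardcoded, as in the question, the check only matters once a form value is placed anywhere in $headers; the body argument cannot add headers by itself.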