tags:

views:

31

answers:

3
+1  Q: 

PHP secure mail variables

Made a small contact form on php, it gets $_POST variables and mails to me.

<form action="/myscript.php" method="post">

Small piece of code:

$subject = trim($_POST['subject']);
$comment = trim($_POST['comment']);
mail($email, $subject, $comment, $headers);

$email is mine mail address, $headers are usual.

There is no filtration for subject and comment. Can it be a potential security hole to my site?

My mail is placed on gmail.com. Can unfiltered mail from my site hurt me, when I open gmail interface in browser?

How should I filter all the variables? Maybe I wish echo some of them on my site, after sending an email. (like 'Thanks, %name% !')

+1  A: 

No, it's not that dangerous. Gmail doesn't trust the e-mails you receive, otherwise every spammer would be able to compromise you.

However, it's a good practice to, at least, check if the variables exist and if their length doesn't exceed the maximum.

EDIT It's possible that old versions of PHP were vulnerable to e-mail injection attacks, as described here. It would not compromise your site and your e-mail client should be able to handle malicious e-mails safely, but could potentially turn you into a spam relay.

New versions do not exhibit this vulnerability, because all the control characters (those below 0x20) are sanitized. You can do the same sanitation like this:

$subject = filter_input(INPUT_POST, "subject", FILTER_UNSAFE_RAW,
    FILTER_FLAG_STRIP_LOW);
if ($subject === false) { /* subject not given/not scalar; handle it */ }
Artefacto  2010-08-21 19:30:21
true for both questions?
Happy  2010-08-21 19:31:38
@Work Yes, for both.
Artefacto  2010-08-21 19:32:01
what is the maximum length for mail fields?
Happy  2010-08-21 19:36:02
Are you saying he should not sanityse his data because gmail does it for you? Don`t you think thats bad practice?
Iznogood  2010-08-21 19:36:51
@Iznogood I'm saying that it both won't result in a vulnerability in his site and that, save for a bug in Gmail, it will also not result in a security risk when viewing the e-mail. See also my last paragraph.
Artefacto  2010-08-21 19:39:51
@Work For the subject, see http://stackoverflow.com/questions/1592291/what-is-the-email-subject-length-limit For the body of the e-mail, there's no limit, but you probably don't want to be able to send yourself multi-megabyte e-mails.
Artefacto  2010-08-21 19:40:51
@Artefacto out of curiosity if you where to read your gmail emails from another place (with pop3 for example) would gmail still clean up your data? Never tought about this before.
Iznogood  2010-08-21 19:43:13
@Izn I don't think so. But anyway, all the e-mail clients should be able sanitize the e-mails. Actually, if he's sending the message as plain/text, there's very little opportunity to compromise anything. The reason I don't say "no opportunity at all" is because I don't know if `mail` strips the subject out of new line characters. If it doesn't, you should be able to inject your own headers and compose an arbitrary message. But I repeat, if this results in some compromise when reading the e-mail, it's a bug of the e-mail client.
Artefacto  2010-08-21 19:58:17
@Izn I've checked the source code of `mail` and it checks for control characters in the subject. So it's not possible to inject new headers in the e-mail.
Artefacto  2010-08-21 20:05:48
@Artefacto Hey thanks the more you know ! :)
Iznogood  2010-08-21 20:19:06
+1  A: 

Yes, it is dangerous, vulnerable to attack called Mail injection.
Though it can not hurt your site but can be used by spammers. 

$subject = "Site feedback";
$comment = trim($_POST['subject'])."\n\n".trim($_POST['comment']);
mail($email, $subject, $comment);

this one would be safe.

Col. Shrapnel  2010-08-21 19:38:10
Why would `trim` help you here?
Artefacto  2010-08-21 19:42:03
@Artefacto trim do not help with injecions lol
Col. Shrapnel  2010-08-21 19:45:39
Sorry, -1. This won't help you at all.
Artefacto  2010-08-21 20:01:49
I explain. The information e.g. [here](http://www.securephpwiki.com/index.php/Email_Injection) is at least outdated. You cannot inject additional headers with `mail` because removes all the control characters from the subject (including new lines). See here http://lxr.php.net/opengrok/xref/PHP_TRUNK/ext/standard/mail.c#155 I removed the downvote though, because maybe old versions are vulnerable.
Artefacto  2010-08-21 20:04:55
+1  A: 

probably you could check http://swiftmailer.org/ a php mailer component-library in order to compare your solution with it. Swiftmailer is the mailer solution for frameworks such as symfony-project.org .

plain text is not an issue for a website, attachments are, but comment and subject would not create any problem in your server. regarding gmail, it has its own email verification consequently it would be difficult for an email with virus or similar to pass their analysis. rgds.

sebastian_h  2010-08-21 19:49:05

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases