PHP Secure Email
PHP E-mail
PHP Error
In the PHP e-mail script in the previous section, there is a vulnerability.
PHP E-mail Injection
First, look at the PHP code in the previous section:
<html>
<body>
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>The problem with the above code is that unauthorized users can insert data in the email header through the input form.
What will happen if the user adds these texts to the input box in the form?
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo: person6@example.com
As usual, the mail() function puts the above text into the email header, so now the header has additional Cc:, Bcc: and To: fields. When the user clicks the submit button, this e-mail will be sent to all the addresses above!
PHP Prevent E-mail Injection
The best way to prevent e-mail injection is to validate the input.
The following code is similar to the previous section, but we have added an input validator to detect the email field in the form:
<html>
<body>
<?php
function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
}
if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed
//check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "Invalid input";
}
else
{//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{//if "email" is not filled out, display the form
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>In the above code, we use a PHP filter to validate the input:
FILTER_SANITIZE_EMAIL Remove illegal characters of email from string
FILTER_VALIDATE_EMAIL Verify email address
CMD close port command
How to use the print function in python
What are the reasons why a mobile phone has an empty number?
How to type the inscription on the coin circle?
Thunder 7 crack patch
How to implement recursive query in mysql
How do I set up WeChat to require my consent when people add me to a group?
What does linux df -h mean?
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
