Monday, August 08, 2005

Email header injection in PHP





At 26/8/05 18:27, Anonymous Anonymous said...

I'm having a major problem with this.

This is my sendmail code. How would I change this to prevent bots from injecting my code?

How and where do I put your code and how do I test it?

$to = ''; // recipient address is missing from the comment as posted
$subject = $_POST['subject'];
$message = $_POST['message'];
$from = $_POST['from'];
$from_check = $_POST['from_check'];
$full_name = $_POST['full_name'];
$tel = $_POST['tel'];

$headers = "From: ". $_POST['from'] ."\r\n";
$headers .= "Reply-To: ". $_POST['from'] ."\r\n";
$message = "\nInformation Request: ".$message;
$message .= "\nName: ".$full_name;
$message .= "\nTel Number: ".$tel;
$message .= "\nEmail address 2 (could be different): ".$from_check;

if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
    echo "Sorry info here";
    echo "Click here to return";
} elseif ($from_check <> $from) {
    echo "Info here.";
    echo "Click here to return";
} elseif (mail($to, $subject, $message, $headers)) { // mail() takes the body before the headers
    echo "$full_name";
    echo "Your email has been sent, we will reply as soon as possible.";
} else {
    echo "Cannot send email";
}

Thanks Ian
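
Added example, not part of the comment above or of the blog author's code: one way to harden the same form handler is to reject CR, LF and NUL in every value that ends up in a header, validate the address as a whole string, and only then build the arguments for mail(). The function names, the sample input and the recipient address are assumptions made for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added example (PHP 7.4+); function names are hypothetical.

// Return the trimmed value, or null if it is not a string or contains
// CR, LF or NUL, the characters that can start a new header line.
function header_safe($value): ?string
{
    if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return trim($value);
}

// Build the argument list for mail(), or return null to reject the request.
function build_contact_mail(array $post, string $to): ?array
{
    $from    = header_safe($post['from'] ?? null);
    $subject = header_safe($post['subject'] ?? null);
    if ($from === null || $subject === null) {
        return null;
    }
    // filter_var() validates the whole string; the unanchored preg_match()
    // in the comment only needs an address-like substring somewhere in it.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (header_safe($post['from_check'] ?? null) !== $from) {
        return null;
    }
    // Body-only fields may contain newlines; they never reach the headers.
    $text = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $body = "Information Request: " . $text('message')
          . "\nName: " . $text('full_name')
          . "\nTel Number: " . $text('tel');
    $headers = "From: $from\r\nReply-To: $from";
    return [$to, $subject, $body, $headers]; // order expected by mail()
}

// Constructed sample input: one normal submission, one with CRLF in "from".
$ok  = ['from' => 'visitor@example.com', 'from_check' => 'visitor@example.com',
        'subject' => 'Question', 'message' => "Line 1\nLine 2",
        'full_name' => 'A. Visitor', 'tel' => '555-0100'];
$bad = ['from' => "visitor@example.com\r\nX-Test: injected"] + $ok;

foreach (['ok' => $ok, 'bad' => $bad] as $label => $post) {
    $args = build_contact_mail($post, 'owner@example.org'); // placeholder recipient
    echo $label, ': ', $args === null ? 'rejected' : 'accepted', "\n";
    // In the real handler: if ($args !== null) { mail(...$args); }
}
```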

