PHP Secure Email

There is a vulnerability in the PHP email script in the previous section.

PHP Email Injection

First, please see the PHP code in the previous section:

<html>
<body>
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = $_REQUEST['email']; 
  $subject = $_REQUEST['subject'];
  $message = $_REQUEST['message'];
  mail("someone@example.com", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>
</body>
</html>

The problem with the above code is that the email field is concatenated into the mail header string without any check, so anyone who submits the form can insert extra lines into the e-mail header.

What will happen if a request arrives with the following value in the email field? (%0A is the URL-encoded line feed; an attacker does not need the form itself, the POST request can be crafted directly so that the server decodes %0A into a real newline.)

someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ATo:person6@example.com

Because $email is placed straight into the additional-headers argument, mail() passes the decoded line feeds through to the mail transfer program, and the header now contains extra Cc:, Bcc:, and To: lines. When the request is submitted, the message is delivered to all the addresses above, which turns the form into an open spam relay. Any other field that ends up in a header (the subject, for example) can be abused in the same way.

PHP to Prevent E-mail Injection

The best way to prevent e-mail injection is to validate every value that ends up in a mail header, and to reject (not merely clean up) anything that contains a carriage return or line feed.

The following code is similar to the previous section, but we have added input validation for the email field in the form, and the address that is sent is the one that passed validation, never the raw request value:

<html>
<body>
<?php
function spamcheck($field)
  {
  //filter_var() sanitizes the e-mail 
  //address using FILTER_SANITIZE_EMAIL
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);
  //filter_var() validates the e-mail
  //address using FILTER_VALIDATE_EMAIL
  //(a newline is never part of a valid address)
  //return the checked address, or FALSE if it is invalid
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
    return $field;
    }
  else
    {
    return FALSE;
    }
  }
if (isset($_REQUEST['email']))
  {
  //if "email" is filled out, proceed
  //check if the email address is invalid
  $mailcheck = spamcheck($_REQUEST['email']);
  if ($mailcheck===FALSE)
    {
    echo "Invalid input";
    }
  else
    {
    //send email, using the checked address
    //(never the raw $_REQUEST['email'])
    $email = $mailcheck; 
    $subject = $_REQUEST['subject'];
    $message = $_REQUEST['message'];
    mail("someone@example.com", "Subject: $subject",
    $message, "From: $email" );
    echo "Thank you for using our mail form";
    }
  }
else
  {//if "email" is not filled out, display the form
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>
</body>
</html>

In the above code, we used PHP filters to validate the input:

  • FILTER_SANITIZE_EMAIL Removes Illegal Characters from an Email String (including carriage returns and line feeds)
  • FILTER_VALIDATE_EMAIL Validates an Email Address (a string containing a newline never validates)

Two points matter for this to actually close the hole. First, the value passed to mail() must be the one that was sanitized and validated; checking a cleaned copy and then sending the original request value would let a newline that sanitizing silently removed reach the header. Second, the subject is also a header line, so it needs the same newline check before it goes to mail(); the example above only protects the email field.
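The following is an added example, not code from the original page: a hardened form handler that applies one rule to every header-bound field (reject any value containing CR or LF), validates the raw address with FILTER_VALIDATE_EMAIL, and only ever sends the value that passed. The function names (is_header_safe, validate_email, build_mail_args) and the sample inputs are constructed for this illustration; the injected inputs are the payload from the text with %0A decoded into a real newline, as the server would receive it.

```php
<?php
// Added example (not the original page's code). Helper names and the
// sample form submissions below are constructed for illustration.

// A mail header value must be a single line. A CR or LF would start a
// new header, which is exactly what the injection relies on.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Validate the raw submitted address and return the validated string,
// or null. The raw value is checked directly: sanitizing first and then
// validating the cleaned copy is unsafe if the raw value is still the
// one that gets mailed.
function validate_email(string $raw): ?string
{
    if (!is_header_safe($raw)) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Build the arguments for mail(), or return null if any header-bound
// field is unsafe. The subject is a header too, so it gets the same
// newline check as the address.
function build_mail_args(array $form): ?array
{
    $email   = validate_email($form['email'] ?? '');
    $subject = $form['subject'] ?? '';
    $message = $form['message'] ?? '';

    if ($email === null || !is_header_safe($subject)) {
        return null;
    }

    return [
        'to'      => 'someone@example.com',
        'subject' => $subject, // mail() writes the "Subject:" header itself
        'message' => $message,
        'headers' => "From: $email\r\nReply-To: $email",
    ];
}

// Constructed sample submissions: the header injection from the text,
// the same trick aimed at the subject field, and a benign request.
$samples = [
    'injected address' => [
        'email'   => "someone@example.com\nCc:person2@example.com\nBcc:person3@example.com",
        'subject' => 'hello',
        'message' => 'body',
    ],
    'injected subject' => [
        'email'   => 'someone@example.com',
        'subject' => "hello\nBcc:person3@example.com",
        'message' => 'body',
    ],
    'benign' => [
        'email'   => 'someone@example.com',
        'subject' => 'hello',
        'message' => 'body',
    ],
];

foreach ($samples as $label => $form) {
    $args = build_mail_args($form);
    echo $label, ': ', $args === null ? 'rejected' : 'accepted', PHP_EOL;
}

// Real request handling: read from $_POST (not $_REQUEST, which also
// accepts GET parameters and cookies) and call mail() only when the
// checks passed.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $args = build_mail_args($_POST);
    if ($args === null) {
        echo 'Invalid input';
    } else {
        mail($args['to'], $args['subject'], $args['message'], $args['headers']);
        echo 'Thank you for using our mail form';
    }
}
```

Run from the command line the script only prints which sample submissions would be rejected; under a web server it handles the POST. Rejecting on any CR or LF, rather than stripping them, is deliberate: a request that carries a newline in an address or subject is never a legitimate form submission, so there is nothing worth salvaging from it.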

Read more about filters in the PHP Filters section.