09-30-2007, 05:27 PM
The Wanderer
Quote:
Originally Posted by Village Idiot
Understand one thing about my coding, I'm all about security, it bothers me to have an insecure script. But I am also concerned about simplicity, I never use complicated code where simpler code will do. The simplest way is to use an email validation command, that way you see if it's a valid email and it won't let an attack in.
PHP Code:
// Returns true only if $email matches the address pattern.
function checkEmail($email) {
    if (!preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $email)) {
        return false;
    }
    return true;
}

Understandable. :) Valid addresses in the mail() function do also include: "John Smith <email@example.com>"
Also, from what I've read, injection can be put into almost any mail() parameter. So if you put user input into your subject field, you need to remove any new lines. A simple sequence of characters like "\r\n \n" can cause the subject parameter to break and allow additional headers such as Bcc to be injected. e.g. "Test\r\n \nAnother-Header: Blub" Read more @ php-security.org
So while you validate your emails (including your "to" parameter), you also need to check your subject field.
I would also change my previous function to the following, now that I've read a few more articles and postings.
PHP Code:
// Removes raw and URL-encoded CR/LF so the value cannot start a new header line.
function StripNewLines($str) {
    return str_replace(array("\r", "\n", "%0A", "%0D"), "", $str);
}
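
The checks discussed in this post, as an added example that is not part of the original thread: it rejects CR/LF in subject and address values instead of stripping them, accepts the "John Smith <email@example.com>" form, and shows how a `$`-anchored pattern treats a trailing newline. The function names `hasHeaderBreak` and `extractAddress` are hypothetical, and all sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// True if the value contains CR or LF, raw or URL-encoded in either case.
// Such a value is rejected outright instead of being silently rewritten.
function hasHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Accepts "user@example.com" and "John Smith <user@example.com>".
// Returns the bare address, or null if the input is unsafe or invalid.
function extractAddress(string $input): ?string
{
    if (hasHeaderBreak($input)) {
        return null;
    }
    // \A and \z anchor at the absolute start and end of the string.
    if (preg_match('/\A[^<>]*<([^<>]+)>\z/', $input, $m)) {
        $input = $m[1];
    }
    $addr = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Constructed subjects, including the string quoted in the post.
$subjects = ["Hello", "Test\r\n \nAnother-Header: Blub", "Test%0aBcc: x@example.com"];
foreach ($subjects as $s) {
    printf("subject %-42s %s\n", json_encode($s), hasHeaderBreak($s) ? "REJECT" : "ok");
}

// Constructed addresses: plain, display-name form, and two with line breaks.
$addresses = ["email@example.com", "John Smith <email@example.com>",
              "email@example.com\n", "a@example.com\r\nBcc: b@example.com"];
foreach ($addresses as $a) {
    printf("address %-42s %s\n", json_encode($a), extractAddress($a) ?? "REJECT");
}

// In PCRE, "$" without the D modifier also matches just before a final "\n",
// so a "^...$" address pattern accepts a trailing newline; "\z" does not.
var_dump(preg_match('/^[a-z]+@[a-z.]+$/', "email@example.com\n"));
var_dump(preg_match('/\A[a-z]+@[a-z.]+\z/', "email@example.com\n"));
```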