 |
|
|
| View previous topic :: View next topic |
| Author |
Message |
squidliberty
Joined: 14 Sep 2007
Posts: 2
|
 Posted: Fri Sep 14, 2007 12:14 am Post subject: Securing contact forms with PEAR MAIL |
 |
|
What do I need to do to ensure that contact forms utilizing Mail::send() are not susceptible to mail injection exploits (see http://www.securephpwiki.com/index.php/Email_Injection)? Is the following code (from pear.php.net) secure?
| Code: | <?php
include('Mail.php');
$recipients = 'joe@example.com';
$headers['From'] = 'richard@example.com';
$headers['To'] = 'joe@example.com';
$headers['Subject'] = 'Test message';
$body = 'Test message';
$params['sendmail_path'] = '/usr/lib/sendmail';
// Create the mail object using the Mail::factory method
$mail_object =& Mail::factory('sendmail', $params);
$mail_object->send($recipients, $headers, $body);
?> |
Thanks for your feedback! |
|
| Back to top |
|
 |
mark
Joined: 07 Jan 2007
Posts: 1048
|
| Posted: Fri Sep 14, 2007 10:06 am Post subject: |
|
|
Your example code doesn't use any external values; it's secure. If you use something like | Code: | | $headers['To'] = $_GET['email']; |
, though, it would get unsecure. Solution: Check the value. (<= something you should do almost ever when dealing with user-input) |
|
| Back to top |
|
|
squidliberty
Joined: 14 Sep 2007
Posts: 2
|
| Posted: Fri Sep 14, 2007 4:08 pm Post subject: Re:Securing contact forms with PEAR MAIL |
|
|
Thanks for your speedy reply!
| mark wrote: | | Your example code doesn't use any external values; it's secure. If you use something like $headers['To'] = $_GET['email'];, though, it would get unsecure. Solution: Check the value. (<= something you should do almost ever when dealing with user-input) |
Oops. I guess that was a bad example. So, if I'm using user submitted data, what is the minimum required to ensure security against injection? Is checking the input with eregi("(\r|\n)", $from), as suggested by the SecurePHP link above, really sufficient? |
|
| Back to top |
|
|
mark
Joined: 07 Jan 2007
Posts: 1048
|
| Posted: Fri Sep 14, 2007 5:43 pm Post subject: |
|
|
Using this eregi() call would be a good idea. But I didn't had in mind that PEAR's Mail package already does such checks. Therefore, you can trust the package and use something like in my example:
| Code: | | $headers['To'] = $_GET['email']; |
The code that the package uses for all header fields is the following method:
| Code: |
/**
* Sanitize an array of mail headers by removing any additional header
* strings present in a legitimate header's value. The goal of this
* filter is to prevent mail injection attacks.
*
* @param array $headers The associative array of headers to sanitize.
*
* @access private
*/
function _sanitizeHeaders(&$headers)
{
foreach ($headers as $key => $value) {
$headers[$key] =
preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i',
null, $value);
}
}
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
FAQ
Search
Memberlist
Register
Profile
Log in to check your private messages
Log in
