Wednesday, 07 January 2009
PHP Secure E-mails

PHP E-mail Injections

First, look at the PHP code from the previous chapter:

<html>
<body>

<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
  {
  //send email
  $email = $_REQUEST['email'] ;
  $subject = $_REQUEST['subject'] ;
  $message = $_REQUEST['message'] ;
  mail(" ", "Subject: $subject",
  $message, "From: $email" );
  echo "Thank you for using our mail form";
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

</body>
</html>

The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.

What happens if the user adds the following text to the email input field in the form?

%0ACc:
%0ABcc: , ,
,
%0ABTo:

The mail() function puts the text above into the mail headers as usual, and now the header has an extra Cc:, Bcc:, and To: field. When the user clicks the submit button, the e-mail will be sent to all of the addresses above!

PHP Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input.

The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:

<html>
<body>

<?php
function spamcheck($field)
  {
//preg_match() with the "i" flag performs a case insensitive regular expression match
  if(preg_match("/to:/i",$field) || preg_match("/cc:/i",$field))
    {
    return TRUE;
    }
  else
    {
    return FALSE;
    }
  }

//if "email" is filled out, send email
if (isset($_REQUEST['email']))
  {
  //check if the email address is invalid
  $mailcheck = spamcheck($_REQUEST['email']);
  if ($mailcheck==TRUE)
    {
    echo "Invalid input";
    }
  else
    {
    //send email
    $email = $_REQUEST['email'] ;
    $subject = $_REQUEST['subject'] ;
    $message = $_REQUEST['message'] ;
    mail(" ", "Subject: $subject",
    $message, "From: $email" );
    echo "Thank you for using our mail form";
    }
  }
else
//if "email" is not filled out, display the form
  {
  echo "<form method='post' action='mailform.php'>
  Email: <input name='email' type='text' /><br />
  Subject: <input name='subject' type='text' /><br />
  Message:<br />
  <textarea name='message' rows='15' cols='40'>
  </textarea><br />
  <input type='submit' />
  </form>";
  }
?>

</body>
</html>
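The substring test above only looks for "to:" and "cc:"; the underlying problem is any line break in a value that ends up in a mail header. As an added example (not part of the original tutorial), the following check rejects header values containing CR or LF and validates the sender address with PHP's filter_var(); the sample inputs, including the tutorial's injected value after the browser has URL-decoded %0A to a newline, are constructed for this example.

```php
<?php
// Added example, not code from the original tutorial.
// A header field may never contain a line break: CR/LF is exactly what
// lets a submitted value start a new header such as Cc: or Bcc:.
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// The sender is acceptable only if it is a single well-formed address
// with no line breaks (FILTER_VALIDATE_EMAIL rejects whitespace as well,
// but the explicit check makes the rule visible).
function isValidSender(string $email): bool
{
    return isHeaderSafe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Every value that is interpolated into a header (sender and subject in
// the form above) must pass; the message body is not a header.
function formInputIsSafe(string $email, string $subject): bool
{
    return isValidSender($email) && isHeaderSafe($subject);
}

// Constructed sample inputs for the email field.
$samples = [
    'alice@example.com',                                            // accepted
    "alice@example.com\nCc:bob@example.com\nBcc:carol@example.com", // rejected
    "alice@example.com\r\nBTo:dave@example.com",                    // rejected
    'not an address',                                               // rejected
];

foreach ($samples as $input) {
    printf("%-70s %s\n",
        json_encode($input),
        formInputIsSafe($input, 'Hello') ? 'accepted' : 'rejected');
}
```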

 

Credit: www.w3schools.com
Copyrighted © 2006 phppod.com