
I am a newbie at PHP but managed to create a working contact form. But then I became aware of Email Header Injection. How can I prevent this in the best possible way? I don't want my form to be used to spam people.

This is my code:

<?php
if ($_POST["email"] <> '') {
    $ToEmail = 'FixedEmail@domain.com';
    $EmailSubject = 'Email Subject';
    // Reply-To is built straight from user input: this is the header that can be injected into
    $mailheader = 'From: donotreply@domain.com' . "\r\n" .
        'Reply-To: ' . $_POST["email"] . "\r\n" .
        'MIME-Version: 1.0' . "\r\n" .
        'Content-Type: text/html; charset=utf-8' . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    $MESSAGE_BODY = ''; // initialise before appending
    $MESSAGE_BODY .= "<b>Navn:</b> " . $_POST["name"] . "<br />";
    $MESSAGE_BODY .= "<b>Telefon:</b> " . $_POST["telephone"] . "<br />";
    $MESSAGE_BODY .= "<b>Email:</b> " . $_POST["email"] . "<br /><br />";
    $MESSAGE_BODY .= nl2br($_POST["message"]) . "<br />";
    mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die("Failure");
}
?>

Naguah
  • Simply add `$_POST["email"]` validation; if the content is in email format, injection will not be possible anymore – Kazz Jun 04 '17 at 13:06

1 Answer


Just put the validation for the email field as shown below:

$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

if ($email === FALSE) {
    echo 'Invalid email';
    exit(1);
}

It validates your email format, which will not allow any kind of injected headers.

Ashish Tiwari
  • Thank you for your answer @Ashish Tiwari! So just by copying/pasting this code somewhere random, does it prevent others from injecting headers and using my form for spam? Or do I have to put it somewhere specific for it to work? – Naguah Jun 04 '17 at 14:33
  • @Naguah It will just prevent injecting a header through the email. If anyone tries to inject anything through $_POST['email'], it won't allow it. The above code is only applicable to $_POST['email']. – Ashish Tiwari Jun 04 '17 at 14:37
  • Probably a stupid question @Ashish Tiwari, but I already put a restriction in the HTML for the contact form ``. How can they manipulate this then? Does your PHP do the same as my HTML? – Naguah Jun 04 '17 at 14:52
  • In HTML your 'type="email"' also does validation, but only on the front end. If I break this validation in the browser using Inspect Element or Firebug, it will allow me to inject a malicious header or something else. Hence I suggested you put server-side email validation in too. Sometimes your URL can be called directly from any script (from curl in PHP), a bot or anything; then your HTML validation won't work. In such a case PHP will prevent anything other than a well-formed email from being injected. – Ashish Tiwari Jun 04 '17 at 14:59
  • Thank you so much for your reply @Ashish Tiwari! So by pasting your code after `mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");` I should be safe? – Naguah Jun 04 '17 at 15:06
  • Not after @Naguah. Look at your email flow. If you put my code after the mail() function it's not going to work, because in this case the mail will be sent first and the validation will happen after that. So just put my code before the mail() function. It will do the validation first; if something is wrong it will exit from the script and won't send the email. – Ashish Tiwari Jun 04 '17 at 15:15
  • `$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL); if ($email === FALSE) { echo 'Invalid email'; exit(1); } mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure");` – Ashish Tiwari Jun 04 '17 at 15:17
  • Thank you so much for your help @Ashish Tiwari! :) – Naguah Jun 04 '17 at 15:34
  • My pleasure @naguah. Don't forget to do deep testing :) – Ashish Tiwari Jun 04 '17 at 15:42
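As an added example (not code from the question or the answer), here is the same contact form with the validation placed before mail(), as the comment thread concludes, plus the extra checks a practitioner would want: every value that ends up in a header is rejected if it contains a carriage return or line feed, and the body fields are HTML-escaped so a submitter cannot inject markup into the message you receive. The addresses, field names and the constructed inputs in the self-check are assumptions; it requires PHP 7.4 or later for the arrow function.

```php
<?php
// Added example, not the original poster's code. Validation runs before mail() is called;
// a request with an unsafe Reply-To value never reaches the mail transport.

/**
 * Return the validated address, or null if it must not be placed in a header.
 * FILTER_VALIDATE_EMAIL already rejects CR/LF, so a value that passes cannot start a
 * new header line; the explicit newline check is kept as defence in depth.
 */
function safe_header_email(string $value): ?string
{
    $value = trim($value);
    if (preg_match('/[\r\n]/', $value) === 1) {
        return null;
    }
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Build the mail headers; returns null when the user-supplied Reply-To is unacceptable. */
function build_headers(string $replyTo): ?string
{
    $email = safe_header_email($replyTo);
    if ($email === null) {
        return null;
    }
    return 'From: donotreply@domain.com' . "\r\n"
         . 'Reply-To: ' . $email . "\r\n"
         . 'MIME-Version: 1.0' . "\r\n"
         . 'Content-Type: text/html; charset=utf-8' . "\r\n"
         . 'X-Mailer: PHP/' . phpversion();
}

/** Build the HTML body. Body fields cannot add headers, but they are escaped against HTML injection. */
function build_body(array $post): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<b>Navn:</b> ' . $h($post['name'] ?? '') . '<br />'
         . '<b>Telefon:</b> ' . $h($post['telephone'] ?? '') . '<br />'
         . '<b>Email:</b> ' . $h($post['email'] ?? '') . '<br /><br />'
         . nl2br($h($post['message'] ?? '')) . '<br />';
}

/** Self-check on constructed inputs; returns true when every case behaves as intended. */
function self_check(): bool
{
    $ok = safe_header_email('person@example.com') === 'person@example.com';
    // A CR/LF inside the value would start a second header line; it must be rejected.
    $ok = $ok && safe_header_email("person@example.com\r\nBcc: other@example.com") === null;
    $ok = $ok && safe_header_email('not an address') === null;
    $ok = $ok && build_headers('person@example.com') !== null;
    $ok = $ok && build_headers("person@example.com\nX-Extra: 1") === null;
    $ok = $ok && strpos(build_body(['name' => '<script>']), '<script>') === false;
    return $ok;
}

if (PHP_SAPI === 'cli') {
    // Run from the command line: php contact.php
    echo self_check() ? "checks passed\n" : "checks FAILED\n";
} elseif (($_POST['email'] ?? '') !== '') {
    // Web request: validate first, send only if the headers were built successfully.
    $headers = build_headers($_POST['email']);
    if ($headers === null) {
        http_response_code(400);
        exit('Invalid email');
    }
    mail('FixedEmail@domain.com', 'Email Subject', build_body($_POST), $headers)
        or die('Failure');
}
```

The design point is that the only user-controlled value in the headers is the Reply-To address, and it is rejected before mail() rather than sanitised into something else; the subject and From address stay fixed, which is what keeps the form unusable for relaying.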