
I came up with the following script to clean my PHP mail contact forms. I was wondering if there is anything else it is recommended I put in here. This is just a snippet of the code, as I also preg_match each field to only allow the characters allowed, but as far as cleaning injections from the get-go goes, any recommendations on changes?

I realize I have not included /r, /n, %0a, and %0d, but when I do so it creates an issue with the form, as I post to itself and include 'error' and 'invalid' comments on those fields which have errors, including the original value so they can be corrected; plus I want to allow enter and new lines in the comments 'text area' of the form anyway.

// remove any possible injections
// $values is the array of submitted form fields (e.g. $values = $_POST;)
foreach ($values as $key => $input) {
    $values[$key] = cleaninjections($input);
}

// perform on each field of the form
function cleaninjections($test)
{
    // Remove injected headers
    $find = array("/bcc\:/i",
                  "/content\-type\:/i",
                  "/mime\-version\:/i",
                  "/cc\:/i",
                  "/from\:/i",
                  "/to\:/i",
                  "/content\-transfer\-encoding\:/i");
    $ret = preg_replace($find, "", stripslashes($test));
    return $ret;
}
user756659
  • The overall approach with your mail form might be flawed if you need to blacklist things. Maybe you should show us how you handle it. – mario Jan 06 '12 at 22:05
  • I'm not blacklisting anything I am preventing header injection. My comment about pregmatch is for say an order id field... would only allow a-z0-9- case insensitive. – user756659 Jan 06 '12 at 22:07
  • Thanks Paul... the form actually works perfectly well, however, I am wondering if I can go further with the injection cleaning in any way? – user756659 Jan 06 '12 at 22:09
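Added example, not code from the question or its comments: instead of stripping known header names out of every field, it rejects any header-bound field that contains a line break and keeps the comment text area out of the headers entirely, so newlines there stay legitimate. The field names "name", "email", "subject" and "comments", the placeholder sender address on the example.com domain, and the sample input are all assumptions made for the example. Since PHP percent-decodes form data before filling $_POST, checking for raw "\r" and "\n" already covers %0a and %0d.

```php
<?php
// Added example (not the poster's code). Assumes a form with the header-bound
// fields "name", "email", "subject" and a body-only "comments" text area.

function has_line_break(string $value): bool
{
    // Any CR or LF in a value destined for a mail header is an injection attempt
    // (or at least garbage); reject rather than try to repair it.
    return preg_match("/[\r\n]/", $value) === 1;
}

function validate_contact_form(array $input): array
{
    $errors = [];

    // Fields that end up in mail headers must contain no line breaks at all.
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $input[$field] ?? '';
        if ($value === '') {
            $errors[$field] = 'required';
        } elseif (has_line_break($value)) {
            // Mark the field invalid; the form can redisplay the original value
            // for correction instead of silently altering it.
            $errors[$field] = 'invalid';
        }
    }

    if (!isset($errors['email'])
        && filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }

    // The comment body may legitimately contain newlines: normalise line
    // endings to "\n" and drop other ASCII control characters (tab is kept).
    $comments = str_replace(["\r\n", "\r"], "\n", $input['comments'] ?? '');
    $comments = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $comments);
    if (trim($comments) === '') {
        $errors['comments'] = 'required';
    }

    $clean = [
        'name'     => $input['name'] ?? '',
        'email'    => $input['email'] ?? '',
        'subject'  => $input['subject'] ?? '',
        'comments' => $comments,
    ];
    return ['errors' => $errors, 'clean' => $clean];
}

function build_mail(array $clean): array
{
    // User input never becomes the From: header; the validated address goes
    // into Reply-To and the free text goes into the body. The CRLF separators
    // between headers are written here, never taken from the user.
    $headers = [
        'From: Contact form <noreply@example.com>',   // placeholder sender
        'Reply-To: ' . $clean['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$clean['name']}\n\n{$clean['comments']}\n";
    return [
        'headers' => implode("\r\n", $headers),
        'subject' => $clean['subject'],
        'body'    => $body,
    ];
}

// Constructed sample input: the email field carries a line break followed by
// an extra header, exactly what the question's blacklist tries to catch.
$sample = [
    'name'     => 'Jane Doe',
    'email'    => "jane@example.com\r\nBcc: someone@example.com",
    'subject'  => 'Order 123',
    'comments' => "Line one\r\nLine two",
];
$result = validate_contact_form($sample);
var_dump($result['errors']);              // array(1) { ["email"]=> string(7) "invalid" }

if ($result['errors'] === []) {
    $mail = build_mail($result['clean']);
    // mail($to, $mail['subject'], $mail['body'], $mail['headers']);
}
```

With this layout the form still posts to itself and can print 'invalid' next to the offending field with its original value, because nothing is stripped; the only field where newlines are allowed never touches a header, so the blacklist of header names becomes unnecessary.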
