Met
Reputation: 33
secure email form, header injection query
I'm using the following to clean up input from my contact form:
<?php
$name = strip_tags(stripslashes($_POST['name']));
//this is repeated for several other fields, then:
if(isInjected($name)) { die(); }
/* see isInjected function below */
// send the mail
?>
I'm using this function:
<?php
/* function from http://phpsense.com/php/php-mail.html */
function isInjected($str) {
$injections = array('(\n+)',
'(\r+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str)) {
return true;
}
else {
return false;
}
}
?>
Is this sufficient to clean up my contact form?
thanks.
Upvotes: 2
Views: 1865
Answers (2)
Ben
Reputation: 11188
It seems prettey decent and better than average inputvalidation. Personanlly I also prefer handling inputtypes. In my basecontroller I have several functions to check wether input is a valid date of birth, emailaddress, etc. If you add such validation to your existing validation you're handling it well IMO.
Upvotes: 1
Corey Ballou
Reputation: 43467
As a side note that code is a little bloated. It can be trimmed down quite easily:
/* function from http://phpsense.com/php/php-mail.html */
function isInjected($str) {
$inject = "/(\r|\t|%0A|%0D|%08|%09)+/i";
return (preg_match($inject, $str) > 0);
}
Upvotes: 4
Related Questions
- Is this mail() function safe from header injection?
- Email header injections
- Is there any injection vulnerability in the body of an email?
- How can I secure this PHP Mail from Injection?
- Is this php mailer file secure from injection attacks?
- It is possible to inject headers in PHP mail() $to argument?
- PHP Simple Header Injection Prevention
- email header injection - example not working
- php Form to Email sanitizing
- php mail header injection prevention