Jesse Alex

Reputation: 111

How can I secure this PHP Mail from Injection?

So I am a front-end developer. I do not know PHP. Working on a client's webpage, I chanced upon this simple PHP Mailer that I could understand and implement, but it seems not to be secure from PHP injection.

I wanted some advice. Is it possible to secure this script, and how? Or should I look for another mailer script? If so, can anyone suggest a better alternative?

Thanks in advance.

<?php

// Contact
$to = '[email protected]';
$subject = 'Mail from XYZ.com';

if(isset($_POST['c_name']) && isset($_POST['c_email']) && isset($_POST['c_message'])){
    $name    = $_POST['c_name'];
    $from    = $_POST['c_email'];
    $message = $_POST['c_message'];

    // $from is passed unvalidated as the additional-headers argument of mail();
    // a CR/LF in the posted address lets a visitor append header lines here.
    if (mail($to, $subject, $message, $from)) { 
        $result = array(
            'message' => 'Thanks for contacting us!',
            'sendstatus' => 1
            );
        echo json_encode($result);
    } else { 
        $result = array(
            'message' => 'Sorry, something is wrong',
            'sendstatus' => 0 // failure; must differ from the success status
            );
        echo json_encode($result);
    } 
}

?>

Upvotes: 3

Views: 115

Answers (2)

Nono

Reputation: 7302

You can use the shared script below and can understand more about PHP Email Header Injection by just Googling.

<?php

// Contact
$to = '[email protected]';

$subject = 'Mail from XYZ.com';

// split POST array as PHP vars; EXTR_SKIP keeps a posted "to" or "subject"
// from overwriting the values defined above
extract( $_POST, EXTR_SKIP );

// check if vars set
if( isset( $c_name ) && isset( $c_email ) && isset( $c_message ) ) {

    // validate valid email format (rejects CR/LF and whitespace as well)
    $email = filter_var( $c_email, FILTER_VALIDATE_EMAIL );

    // if email is alien :) kill them
    if( $email === FALSE ) {
        echo 'Invalid email id...';
        exit( 1 );
    } 
    // else email is angel :) go ahead
    else {
        $name = $c_name;
        // the fourth mail() argument is a header block, so the address needs
        // its header name; use the validated value
        $from = 'From: ' . $email;

        /**
         * According to the documentation for mail(), 
         * when it's talking directly to an SMTP server, 
         * you will need to prevent full stops in the message body:
         */
        $message = str_replace( "\n.", "\n..", $c_message );

        /**
         * Preventing Header Injections
         * 
         * Preventing such attacks is as simple as 
         * replacing the following characters, \r, %0D, \n, %0A and stripping the slashes.
         * Apparently, it's also possible to inject via the subject, 
         * as well, but since there is no FILTER_VALIDATE_EMAIL_SUBJECT, 
         * you'll need to do the filtering yourself:
         */
        $subject = str_ireplace( array("\r", "\n", '%0A', '%0D') , '', stripslashes($subject) ); 

        if( mail( $to, $subject, $message, $from ) ) {
            $result = array(
                'message' => 'Thanks for contacting us!',
                'sendstatus' => 1
            );
            echo json_encode( $result );
        } 
        else {
            $result = array(
                'message' => 'Sorry, something is wrong',
                'sendstatus' => 0 // failure
            );
            echo json_encode( $result );
        }
    }
}
?>

Upvotes: 1
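The answer above relies on two controls: validating the posted address and keeping CR/LF out of every header field. The following is an added example, not code from the question or from either answer, that puts both into one function which also keeps the site's own address in From and places the visitor's address in Reply-To; the field names c_name, c_email and c_message are the question's, and all addresses are constructed placeholders.

```php
<?php
// Added example (not from the question or either answer). Field names are the
// question's; all addresses are constructed placeholders.

// Anything that could start a new header line is rejected, not stripped.
function has_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns ['ok' => bool, 'error' => ?string, 'args' => ?array]; on success
// 'args' holds exactly the four parameters to hand to mail().
function build_contact_mail(array $post, string $to, string $subject): array
{
    foreach (['c_name', 'c_email', 'c_message'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return ['ok' => false, 'error' => "missing $field", 'args' => null];
        }
    }
    // FILTER_VALIDATE_EMAIL returns false for any address containing CR, LF
    // or whitespace, so a validated address cannot smuggle a second header.
    $email = filter_var($post['c_email'], FILTER_VALIDATE_EMAIL);
    if ($email === false || has_crlf($post['c_name'])) {
        return ['ok' => false, 'error' => 'invalid name or email', 'args' => null];
    }
    // Display name: drop the characters that delimit an address so the
    // visitor cannot alter the Reply-To syntax.
    $name = str_replace(['"', '\\', '<', '>'], '', $post['c_name']);
    // From stays the site's own address so SPF/DMARC still pass; the visitor's
    // address goes in Reply-To, which is what the recipient answers to.
    $headers = [
        'From: ' . $to,
        'Reply-To: "' . $name . '" <' . $email . '>',
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // When mail() talks to SMTP directly, a lone dot on a line must be doubled.
    $body = str_replace("\n.", "\n..", $post['c_message']);
    return ['ok' => true, 'error' => null,
            'args' => [$to, $subject, $body, implode("\r\n", $headers)]];
}

// Constructed inputs: an address carrying CR/LF fails validation, a plain one
// passes and yields ready-to-use mail() arguments.
$to = 'owner@example.com'; // constructed placeholder for the site's address
$bad  = build_contact_mail(['c_name' => 'Eve', 'c_message' => 'hi',
    'c_email' => "eve@example.net\r\nCc: x@example.net"], $to, 'Mail from XYZ.com');
$good = build_contact_mail(['c_name' => 'Ann', 'c_message' => 'Hello',
    'c_email' => 'ann@example.net'], $to, 'Mail from XYZ.com');
var_dump($bad['ok'], $good['ok']);
```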

Bart Friederichs

Reputation: 33573

Validate the $from address to make sure it is just an e-mail address, for example with filter_var:

Change

if (mail($to, $subject, $message, $from)) { 

to:

if (filter_var($from, FILTER_VALIDATE_EMAIL) && 
               mail($to, $subject, $message, $from)) {

This is a quick-and-dirty fix though. If you do not know any PHP, it might be helpful to hire a competent PHP programmer to fix this correctly and more robustly.

Upvotes: 3
