Reputation: 21
I have a php script running on my web site that accepts user-supplied input to send via an email. I am sanitizing the input data by stripping tags and slashes. However, I am not using this input to enter data in a database, or do an include, or an exec, or an eval, or anything like that. If I'm not doing one of these risky things, is it possible for a malicious user to inject executable php code through the GET, POST, or COOKIES arrays? I'm almost positive that the answer is "no", but I figured it was worth a shot at asking more experienced people. :)
Upvotes: 2
Views: 6535
Reputation: 214
You are already taking care of many things. But I just want to share my experience regarding Code Injection. A few months ago, I found some strange lines of code in the index.php file of my website. At that time I just removed those lines, but they came back again after a week or so. Then, after a lot of research, I found that it was because of some malware on my computer that stole my FTP ID/password from my FTP application. It was changing the code in index.php. After that I reinstalled the OS on my computer and the issue was solved. So this might be one possibility of code injection.
Upvotes: 1
Reputation: 57278
The only thing that I can think of is having register_globals turned on; this is a high risk.
For example, if you had the following URL with register_globals on: http://mysite/page/php?_SESSION=0
it would cause PHP to overwrite the session globals:
var_dump($_SESSION); // = 0
Otherwise it's just email injection you would have to look out for; a great link was supplied by @amosrivera.
Upvotes: 1
Reputation: 10257
It's really best not to think of this problem in terms of conditions that produce risks and rather perform preventative measures regardless of context.
Generally speaking, however, user-submitted data that is not saved anywhere on the server and then utilized in the web application itself is garbage collected at the end of the request (in your example, the information is emailed and then GCed). But injection on the whole is a very large issue and it's best not to think of it in broad strokes. Sure, the user may not be able to inject PHP, but even simple unsecured textareas that post comments into a web app can open you up to client-side XSS. Better to get into the practice.
Sanitize wherever possible as a general rule. I should also mention HTMLPurifier for XSS filtering should you at some point need it. Since your form is being used to send mail, you should also place a CAPTCHA on the input to prevent automated sending. May I also suggest PHPMailer for your mail commands?
Upvotes: 0
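The answer above warns that a comment textarea echoed back into the page is an XSS sink even when no PHP is ever executed. The following is an added example (not code from the thread) of the output-encoding habit it recommends: every user-supplied string is passed through htmlspecialchars with ENT_QUOTES before it lands in HTML, and the escaping is applied per output context (element body vs. attribute value). The function names and the sample comment are constructed for illustration.

```php
<?php
// Added example: rendering a user-submitted comment without letting it
// become markup. Names (escapeHtml, renderComment) are hypothetical.

function escapeHtml(string $text): string
{
    // ENT_QUOTES escapes both ' and " so the same helper is safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently drop the comment.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComment(string $author, string $comment): string
{
    // Escape first, then apply nl2br: the <br> tags it inserts are ours,
    // while anything the user typed has already been neutralised.
    return '<div class="comment" data-author="' . escapeHtml($author) . '">'
         . '<p>' . nl2br(escapeHtml($comment)) . '</p>'
         . '</div>';
}

// Constructed sample input: a comment carrying a script tag and an author
// name that tries to break out of the data-author attribute.
$author  = 'mallory" onmouseover="x';
$comment = "Nice post <script>alert(1)</script>\nthanks";

echo renderComment($author, $comment), PHP_EOL;
// Output contains &lt;script&gt; and &quot;, so the browser shows the text
// literally instead of parsing it as a tag or a new attribute.
```

Run with `php render_comment.php`; the point to take from the output is that the quote in the author name and the angle brackets in the comment both arrive at the browser as entities, so neither the attribute nor the element boundary is altered.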
Reputation: 870
Without seeing the source, no one can tell for sure, but probably. Code execution usually happens when you use eval. Also check if you use include or require on paths from strings which could be modified by users.
Oh and there is Header Injection which will probably affect you http://www.securephpwiki.com/index.php/Email_Injection
Upvotes: 1
Reputation: 18295
If you're not using any of the input in an SQL statement, not writing it to a file, not using an eval or an exec, or including it, no, it's not possible to inject executable php code.
Upvotes: 1
Reputation: 26554
Well sir, may I introduce you to Email Injection.
How to prevent: http://phpsense.com/php/php-mail.html Note: If you use the user supplied data just in the body of the email, then you should be safe from it. But my recommendation is NEVER trust user input data.
Upvotes: 1
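Two answers in this thread (the one linking securephpwiki's Email_Injection page and the one above) point at the same thing: the risk in a contact form is not that user text becomes PHP, but that user text placed into a mail header can carry a CR/LF and start a new header line such as an extra recipient. The following is an added example, not code from the thread or from any linked page, of a small wrapper that refuses exactly that. It assumes a plain-text contact form whose fields are the sender's name and address and a subject; the function names (headerFieldIsSafe, buildMessage, sendContactMail) are hypothetical, and the rejected sample input is constructed to show the check firing.

```php
<?php
// Added example: hardening a PHP contact form against email header injection.
// Not from the thread; helper names are hypothetical.

function headerFieldIsSafe(string $value): bool
{
    // A header is terminated by CRLF. If user text can contain \r or \n it can
    // end the current header and begin another (e.g. "Bcc:"), so any of these
    // bytes (and NUL, which some MTAs treat as a terminator) is rejected outright.
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate the user-supplied fields and return [subject, headers] for mail().
 * Throws on anything that could alter header structure.
 */
function buildMessage(string $fromName, string $fromAddress, string $subject): array
{
    foreach (['name' => $fromName, 'address' => $fromAddress, 'subject' => $subject] as $field => $value) {
        if (!headerFieldIsSafe($value)) {
            throw new InvalidArgumentException("line break in $field field");
        }
    }
    if (filter_var($fromAddress, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    // Display name goes in a quoted string; strip quotes so it cannot close it early.
    $displayName = str_replace(['"', '\\'], '', $fromName);

    $headers = [
        'From'         => sprintf('"%s" <%s>', $displayName, $fromAddress),
        'Reply-To'     => $fromAddress,
        'MIME-Version' => '1.0',
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [$subject, $headers];
}

function sendContactMail(string $to, string $fromName, string $fromAddress, string $subject, string $body): bool
{
    [$safeSubject, $headers] = buildMessage($fromName, $fromAddress, $subject);
    // The body is allowed to contain newlines; only header fields were checked.
    // mail() accepts an array of headers since PHP 7.2 and does its own
    // folding, so no raw "\r\n" concatenation happens here.
    return mail($to, $safeSubject, $body, $headers);
}

// --- Demonstration with constructed inputs (no mail is sent) ---------------

// A benign submission passes validation.
[$subject, $headers] = buildMessage('Alice Example', 'alice@example.com', 'Question about your site');
echo "accepted: ", $headers['From'], PHP_EOL;

// A constructed injection attempt: the subject carries a CRLF followed by an
// extra recipient header. buildMessage() rejects it before mail() is reached.
try {
    buildMessage('Alice', 'alice@example.com', "Hello\r\nBcc: victim@example.com");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;   // rejected: line break in subject field
}
```

The check is deliberately a rejection rather than a strip: silently removing the line break would still deliver the message with a mangled subject, whereas refusing the request makes a probing attempt visible in your logs. If the page only ever places user input in the message body, as the answer above notes, the header checks still cost nothing and protect you the day someone adds a "your name" field to the From header.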