Email Injection

One common hack applied to form-to-mail scripts these days is for the spammer to add carriage returns and/or line feeds to one of the fields whose value is placed in a mail header, so that they can add their own extra header(s) after that one. This enables them to blind copy a few thousand people with an email sent from your site.

To block this, your script needs to test all such fields to make sure that they do not contain such characters. You can then either stop the email being sent if any are found or simply strip out the illegal characters (and perhaps everything following).

You can easily test whether a field (for example $destemail) contains carriage returns or line feeds using the following code:

if (strstr($destemail,"\r") || strstr($destemail,"\n")) exit;

Alternatively, you could combine the tests for both characters into one using:

// no | inside the brackets: within [ ] it would be matched as a literal character
if (preg_match("/[\r\n]/",$destemail)) exit;
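
The check and both responses described above (stop the send, or strip the line break and everything after it), applied to every header-bound field of a form. This is an added example, not part of the original article; the function names, field names and sample submissions are constructed for illustration.

```php
<?php
// Added example: names and sample values below are constructed for illustration.

// Reject option: true when the value is safe to place in a mail header.
function header_value_is_clean(string $value): bool
{
    // CR or LF anywhere in the value would let it start a new header line.
    return preg_match('/[\r\n]/', $value) === 0;
}

// Strip option: keep only what precedes the first CR or LF.
function strip_header_value(string $value): string
{
    return substr($value, 0, strcspn($value, "\r\n"));
}

// Constructed form submissions: one normal, one carrying an extra header.
$submissions = [
    ['email' => 'visitor@example.com', 'subject' => 'Question about an order'],
    ['email' => "visitor@example.com\r\nBcc: someone@example.net", 'subject' => 'Hello'],
];

foreach ($submissions as $form) {
    // Every field that ends up in a header is checked, not only the address.
    $headerFields = ['email' => $form['email'], 'subject' => $form['subject']];
    $bad = array_filter($headerFields, fn($v) => !header_value_is_clean($v));

    if ($bad) {
        echo "rejected, line break found in: " . implode(', ', array_keys($bad)) . "\n";
        echo "  stripped value would be: " . strip_header_value($form['email']) . "\n";
        continue; // do not send
    }

    // Safe to build the headers; the mail() call is left commented out here.
    $headers = "From: " . $form['email'];
    // mail('owner@example.com', $form['subject'], 'message body', $headers);
    echo "accepted: $headers\n";
}
```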


This article written by Stephen Chapman, Felgall Pty Ltd.

