Email injection attack - simple protection method?

This is a discussion on "Email injection attack - simple protection method?" within the PHP Forum section. This forum, and the thread "Email injection attack - simple protection method? are both part of the Program Your Website category.


 Subscribe in a reader

Go Back   Webforumz.com > Main Forums > Program Your Website > PHP Forum
Reload this Page Email injection attack - simple protection method?

Notices
Please Register!
Webforumz.com is an education based community supporting web designers, developers and those who are new and learning. If you are a designer, developer, learning web design or are thinking about a career in web design then you have come to the right place. Register for free now to access more information and to participate in discussion and debate.




Reply
 
LinkBack Thread Tools
  #1  
Old Feb 15th, 2007, 16:34
Junior Member
Join Date: Jan 2007
Location: Seattle, WA
Age: 27
Posts: 22
Thanks: 0
Thanked 0 Times in 0 Posts
Email injection attack - simple protection method?
I was thinking about simpler ways to help prevent email injection attack that is used on forms that use PHP's mail() function. I thought about a few complex regexp rules, but then decided - what if I just search through all the text in each field and remove any "@" symbols found except for exactly one, which is allowed in the sender field. Then remove any % symbols to prevent new lines.

Is my understanding of the attack too simplistic? It seems like it doesn't matter if they try to inject recipients into the fields because they couldn't put any more than one working address in, and ONLY in the sender field.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Spurl this Post!Reddit! Wong this Post!
Reply With Quote

  #2  
Old Feb 15th, 2007, 17:44
Reputable Member
Join Date: Jul 2005
Location: Melksham, Wilts, UK
Posts: 293
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Email injection attack - simple protection method?
I would sanitise the subject and extra header lines with a regular expression to knock out any \r \n and %0A elements in the subject and extra headers. The rules don't need to be complex.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Spurl this Post!Reddit! Wong this Post!
Reply With Quote
Reply

Tags
mail, php, security

« Simple email form | Listing files in a folder »
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Thread Thread Starter Forum Replies Last Post
XHR attack abalfazl JavaScript Forum 1 Nov 30th, 2007 16:46
Best contact form spam protection method? uqwebdesign Web Page Design 3 May 10th, 2007 12:34
Simple email form Maverick25r PHP Forum 1 Feb 15th, 2007 17:42
Newbie Question- Basic HTML email method="post" Bagel Web Page Design 4 Aug 18th, 2006 12:03
Processing Form ASP using GET method to Email rbrown1972 Classic ASP 2 Feb 25th, 2005 05:23


All times are GMT. The time now is 02:33.

Contact Us - Web Design & Development Forums - Archive - Top

Free Bet :: Online Betting :: Bookmakers :: Funny Quotes :: Online Casino :: Web Hosting :: Football Betting :: Web Development India :: Football Stats :: Free Bets :: Extreme Clothing :: Apuestas :: SEO Company India :: Werbeartikel :: Search Engine Optimisation :: Sports Betting :: Casino :: Website Templates :: Online Gambling

Powered by vBulletin®
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.2.0 RC8
© 2003-2008 Webforumz.com : All Rights Reserved

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42