PHP Tutorial Example
Example
PHP Mail
PHP Libxml
PHP HTTP
PHP Filter
PHP Zip
PHP Directory
PHP Error
PHP SimpleXML
PHP Calendar
PHP Date
PHP Misc
PHP XML
PHP FTP
PHP Math
PHP MySQL
PHP Filesystem
PHP Array
PHP String
PHP Tutorial
PHP Introduction
PHP Installation
PHP Syntax
PHP Variables
PHP Echo
PHP Strings
PHP Operators
PHP Comments
PHP Include File
PHP Require
PHP If Statement
PHP If Else
PHP Elseif
PHP Switch
PHP Forms
PHP Functions
PHP Array
PHP While Loop
PHP For Loop
PHP For Each
PHP Do While
PHP POST and GET
PHP Magic Quotes
PHP htmlentities
PHP Files
PHP File
PHP File Create
PHP File Open
PHP File Close
PHP File Write
PHP File Read
PHP File Delete
PHP File Append
PHP File Truncate
PHP File Upload
PHP Strings
PHP strpos
PHP str replace
PHP substrreplace
PHP Capitalization
PHP explode
PHP implode
PHP Advanced
PHP Date
PHP Session
PHP Cookies
PHP Include
PHP Email
PHP Secure Email
PHP Error
PHP Exception
PHP Filter
PHP and AJAX
AJAX Intro
AJAX PHP
AJAX Database
AJAX XML
AJAX Live Search
AJAX RSS Reader
AJAX Poll
PHP XML
XML Expat Parser
XML DOM
XML SimpleXML
PHP Database
MySQL Introduction
MySQL Connect
MySQL Create
MySQL Insert
MySQL Select
MySQL Where
MySQL Order By
MySQL Update
MySQL Delete
PHP ODBC
PHP Misc
PHP connection aborted Function
PHP Secure Email
PHP Email Injections
First, look at the PHP code from the previous chapter:
<html>
<body>
<?php
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
{
//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
else
//if "email" is not filled out, display the form
{
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>
The problem with the code above is that unauthorized users can insert data into the mail headers via the input form.
PHP Stopping Email Injections
The best way to stop e-mail injections is to validate the input.
The code below is the same as in the previous chapter, but now we have added an input validator that checks the email field in the form:
<html>
<body>
<?php
function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field=filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}
else
{
return FALSE;
}
}
if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed
//check if the email address is invalid
$mailcheck = spamcheck($_REQUEST['email']);
if ($mailcheck==FALSE)
{
echo "Invalid input";
}
else
{//send email
$email = $_REQUEST['email'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;
mail("someone@example.com", "Subject: $subject",
$message, "From: $email" );
echo "Thank you for using our mail form";
}
}
else
{//if "email" is not filled out, display the form
echo "<form method='post' action='mailform.php'>
Email: <input name='email' type='text' /><br />
Subject: <input name='subject' type='text' /><br />
Message:<br />
<textarea name='message' rows='15' cols='40'>
</textarea><br />
<input type='submit' />
</form>";
}
?>
</body>
</html>
In the code above we use PHP filters to validate input:
* The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
* The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address