View Full Version : Weird Form Input

02-09-2006, 11:26 PM

On my site I have a form to send E-mail to me. Also, it can add you to my mailing list.

Recently I have been getting weird stuff from it, for example:


X-Mailer: PHP/4.3.11

From: roof5473@the-ballet.com roof5473@the-ballet.com ( days
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: tree boughs, the swings fly
bcc: charleses3229@aol.com



I'm not sure if someone's trying to put HTML into the form or if they're trying to hack the database. Anyone have any ideas?

Also, can someone point me in the direction of a script or instructions on how to prevent this?

02-09-2006, 11:46 PM
I've had them before as well, I think it might just be bots crawling your site and trying to spam away.

02-10-2006, 01:12 AM
Someone is probably using your form to send spam ... Google for `header injection` for more info & workarounds.

02-10-2006, 02:42 AM

I'm googling now. I'll post a solution if I find one.

02-11-2006, 05:54 AM
So, I found a great resource that explains header injection and how to start fixing it: http://securephp.damonkohler.com/index.php/Email_Injection

I also found another page where the guy actually automatically blocks IPs that attempt to perform header injection on his form: http://randomfoo.net/blog/id/4014
Notice how he uses a different method of recognizing the attack.

I believe that by combining advice from the two pages a lot can be done. I have taken action and will see how well it works.


02-11-2006, 07:20 AM
Cool, I just today found out an old form of mine was being targeted via header injection :( Luckily I receive a copy of all mails for that form, so I found out pretty quickly ... a bit embarrassing though ... guess I better go check all the other forms I made before I started to consider these types of attack.

Spammers ...
may the fleas of a thousand camels infest their ********

02-11-2006, 09:48 AM
You might also be interested in the following links:

Also, in the most recent php architect (http://phparch.com/issue.php?mid=72) Chris Shiflett writes about the problem.

It's a serious problem because these bots try (and can succeed) in sending hundreds or thousands of spam mails from your domain. You even risk being banned by your host or other parties for sending the spam.

There are many solutions out there but they all basically are: filter your input well. Make sure the data you process is the kind you want, and in this case prevent any newlines from being injected into the headers of the mail() function.

The best solution in my opinion is to place normal input validation specific to each form field in your script (like checking for alphanumeric usernames, numeric telephone numbers, a valid email address pattern with a solid regex, etc.) and then on top of that you can use a very easy-to-use PHP function as a defense-in-depth measure: ctype_print(). Like the example Chris gives:

$clean = array();
$email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
if (isset($_POST['email']) && preg_match($email_pattern, $_POST['email'])) {
    $clean['email'] = $_POST['email'];
}

if (isset($clean['email']) && ctype_print($clean['email'])) {
    // email contains no newlines, carriage returns or other control
    // characters, so it is safe to place in a mail() header.
}

Of course, you can replace the email pattern with your own or some other one.
I think that's a better solution than trying to block IPs (which aren't that reliable).

02-18-2006, 07:50 PM
So, I have been keeping track of the injection attempts on my script. Is there someone I can report this to? Like a law enforcement agency or something? My script is no longer sending spam but someone's trying to, and it's using my server resources.

Also, can someone point me to a page about preventing similar style attacks on my database? ie. I don't want anyone entering 'DROP DATABASE' or something similar into a field that would usually be used to add a record to the database.

Would simply doing a search for semicolons and killing the script if they're found, (like I have done for new lines to prevent header injection), be sufficient?


02-18-2006, 07:58 PM
Is there someone I can report this to? Like a law enforcement agency or something?

See if you can find the IPs of people/bots trying to use your form. Also any other data possible that might help track it down, e.g. time, date, etc.

Then do an IP lookup and you should be able to find an abuse email for the ISP, get in touch with them.

Supplying any evidence and the data I suggested should help

02-18-2006, 09:30 PM
I've got IPs, so I'll see what I can do.

02-19-2006, 02:29 AM
Would simply doing a search for semicolons and killing the script if they're found, (like I have done for new lines to prevent header injection), be sufficient?

Problem is that there are often semicolons in legitimate input as well...
That said, if you are using MySQL then the common semicolon attack will not work, since MySQL does not do chained queries in the same way that SQL Server etc. do, so this won't work in MySQL (v3 & v4, unsure about v5):

mysql_query("SELECT * FROM users WHERE id={$_GET['id']}");

So with the above & using MySQL, anything after the semicolon is ignored.
In SQL Server, if the syntax is correct, it's possible that the second statement will work.

Ideally, above, you would either check that $_GET['id'] is an int (since that's what you are expecting) and exit if a string is passed, or cast to an int, which makes the query safe but might upset your query.

However, it's still possible to inject into the above query ...

mysql_query("SELECT * FROM users WHERE id={$_GET['id']}");

MySQL allows you to wrap integers in single quotes: WHERE id='{$_GET['id']}'
This in itself makes your query safer, so whilst it's MySQL specific, use it! ... but note that without addslashes/mysql_real_escape_string/magic_quotes etc. going on it's still vulnerable.

02-19-2006, 02:32 AM
Hmmm. I think I'll be OK then - I use addslashes pretty much everywhere, although I should check it.