  1. #1
    mypointofview
    Guest

    How to prevent attacks - Verification procedure in email forms

    Hi all, I'd like to continue the discussion about a very interesting snippet of PHP code, posted by MCDOUGALS4ALL here.

    His code prevents malicious email injection.

    I'm currently using an email form that verifies the correct email address, however with JavaScript. So, no matter what "bad stuff" I'd enter into the email field (like "BCC"), the JavaScript pops up a window requesting a "correct" email address.

    The only way to really see the PHP based email injection filter working in action was for me to disable my JavaScript.

    So -- now I'm wondering -- wasn't my JavaScript verification procedure good enough? I mean, can it be hacked perhaps? (since it can be seen in the source of my HTML)

    Code:
    <script language="JavaScript" type="text/javascript">

    function check(form) {

      if (form.visitorName.value == "") {
        alert("Please enter your name.");
        form.visitorName.focus();
        return false;
      }
      else if (form.visitorPhone.value == "") {
        alert("Please enter your phone number.");
        form.visitorPhone.focus();
        return false;
      }
      else if (form.visitorEmail.value == "") {
        alert("Please enter your email.");
        form.visitorEmail.focus();
        return false;
      }
      else if (!(/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(form.visitorEmail.value))) {
        alert("Please enter a valid email address.");
        form.visitorEmail.focus();
        return false;
      }
      else if (form.comments.value == "") {
        alert("Please enter a comment/question.");
        form.comments.focus();
        return false;
      }
      else {
        return true;
      }
    }

    </script>

    <form method="post" onSubmit="return check(this);">

    [...]

    </form>

    Martin
    Last edited by mypointofview; 09-11-2005 at 07:59 AM.

  • #2
    missing-score
    Senior Coder
    Join Date
    Jan 2003
    Location
    UK
    Posts
    2,194
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Not so much that it didn't do the job, but the fact is, JavaScript can be disabled, and if that happened you have no authentication. I make it a rule to use JS for "friendly" notifications (if at all), but all the serious checking should be done server side.

  • #3
    Regular Coder
    Join Date
    Apr 2004
    Posts
    682
    Thanks
    24
    Thanked 1 Time in 1 Post
    Well I tried modifying that function so it would also not allow spaces in between the headers such as "content - type, content- type, content -type" etc., but it always seems to return as an error; I'm still a relative n00b to regular expressions so maybe I screwed up somewhere.

    PHP Code:
    function email_injection_filter($formInput)
    {
        $injectionStrings = array("apparently-to", "bcc", "boundary=", "charset",
            "content-disposition", "content-type", "content-transfer-encoding",
            "errors-to", "in-reply-to", "message-id", "mime-version",
            "multipart/mixed", "multipart/alternative", "multipart/related",
            "reply-to", "x-mailer", "x-sender", "x-uidl");

        $haystack = strtolower($formInput);

        // Plain case-insensitive substring match, as in the original filter
        foreach ($injectionStrings as $spam) {
            if (strpos($haystack, $spam) !== false) {
                error_log(...); // log message elided in the original post
                exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p></body></html>");
            }
        }

        // New Section starts here: also catch "content - type" style spacing
        foreach ($injectionStrings as $spam) {
            if (strpos($spam, '-') !== false) {
                $sep = '-';
            } elseif (strpos($spam, '/') !== false) {
                $sep = '/';
            } else {
                continue; // nothing to split on for this keyword
            }

            $parts  = explode($sep, $spam);
            $acheck = count($parts) - 1;

            // Start a fresh pattern for every keyword; the original kept
            // appending to $string, so every pattern after the first was invalid
            $string = '/';
            foreach ($parts as $i => $part) {
                $string .= preg_quote($part, '/');
                // allow any number of spaces on either side of the separator
                $string .= ($i == $acheck) ? '/' : ' *' . preg_quote($sep, '/') . ' *';
            }

            // preg_match() returns 1 on a match and 0 on no match (false only on
            // error), so the original "!== false" test rejected every input
            if (preg_match($string, $haystack) === 1) {
                error_log(...); // log message elided in the original post
                exit("<html><title>Fatal Error</title><body><p>We're sorry, your message could not be processed due to a fatal error.</p></body></html>");
            }
        }
    }

  • #4
    Regular Coder
    Join Date
    Jun 2003
    Location
    Silicon Forest
    Posts
    155
    Thanks
    0
    Thanked 5 Times in 5 Posts
    This is the function I threw together from RegExLib for some server side checking on emails. Haven't had a problem with it yet.

    PHP Code:
    function is_email($email)
    {
        if (preg_match("#^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$#", $email)) {
            return true;
        }
        else
        {
            return false;
        }
    }


    EDIT: I guess I totally misread this thread, I thought you were trying to stop people from throwing in extra headers in the email. Although with a bit of work you could make a regex function that quickly parses a message for flagged items. Plus you should still use this function for server side checking of email addresses in case people bypass your JavaScript checking.
    Last edited by CrzySdrs; 09-12-2005 at 11:24 PM.
    Whats the point of a signature?

  • #5
    Regular Coder
    Join Date
    Jun 2003
    Location
    Silicon Forest
    Posts
    155
    Thanks
    0
    Thanked 5 Times in 5 Posts
    I figure this solution is a little more elegant than checking for injections one keyword at a time.

    PHP Code:
    function CheckInjection($text)
    {
        if (preg_match('#(apparently\s*-\s*to)|(bcc)|(boundary)|(charset)|(content\s*-\s*disposition)|(content\s*-\s*type)|(content\s*-\s*transfer\s*-\s*encoding)|(errors\s*-\s*to)|(in\s*-\s*reply\s*-\s*to)|(message\s*-\s*id)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)#is', $text))
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    May want to try and play around with it before putting it into production though, since I just threw it together now; I know my way around regexes pretty well. This will check for whitespace around the "-"s and "/"s like your function. I admit I don't know much about the syntax of email headers, so if there is something I am missing, I could probably modify it.
    Whats the point of a signature?
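    Pulling together missing-score's point in #2 (do the real checks server side) and the header-keyword regex from #5, here is an added example of a server-side validator in Python; it is not code from this thread, the field names follow Martin's form, the email pattern is a simplified stand-in for the one in #4, and HEADER_FIELDS is an assumption about which form fields end up in mail headers. It goes one step beyond the thread's keyword list: it also rejects line breaks in header-bound fields, which is what actually lets a sender append extra headers whatever keyword is used.

```python
import re

# Simplified stand-in for the is_email() pattern in #4 (assumption, not that regex).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,6}$")

# Header names from the thread's blocklist, tolerating spaces around '-' and '/'
# like CheckInjection() in #5. Used only as a secondary, defence-in-depth signal.
HEADER_KEYWORDS = re.compile(
    r"apparently\s*-\s*to|bcc|boundary=|charset"
    r"|content\s*-\s*(?:disposition|type|transfer\s*-\s*encoding)"
    r"|errors\s*-\s*to|in\s*-\s*reply\s*-\s*to|message\s*-\s*id|mime\s*-\s*version"
    r"|multipart\s*/\s*(?:mixed|alternative|related)|reply\s*-\s*to"
    r"|x\s*-\s*(?:mailer|sender|uidl)",
    re.IGNORECASE,
)

# Assumed: these fields are copied into mail headers (From/Reply-To/Subject);
# 'comments' only goes into the body, so line breaks are fine there.
HEADER_FIELDS = ("visitorName", "visitorEmail", "subject")


def has_newline(value):
    """A CR or LF inside a header value ends that header and starts a new one,
    which is the root cause of header injection regardless of keyword."""
    return "\r" in value or "\n" in value


def validate_contact_form(fields):
    """Return a list of problems; an empty list means the submission may be mailed."""
    problems = []
    for name in HEADER_FIELDS:
        value = fields.get(name, "")
        if has_newline(value):
            problems.append(f"{name}: line break not allowed in a header field")
        elif HEADER_KEYWORDS.search(value):
            problems.append(f"{name}: looks like a mail header")
    if not EMAIL_RE.match(fields.get("visitorEmail", "")):
        problems.append("visitorEmail: not a valid address")
    if not fields.get("comments", "").strip():
        problems.append("comments: required")
    return problems


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one with a CRLF-appended header.
    print(validate_contact_form({"visitorName": "Martin", "visitorEmail": "martin@example.com", "comments": "Hello"}))
    print(validate_contact_form({"visitorName": "Martin", "visitorEmail": "a@example.com\r\nBcc: b@example.com", "comments": "Hi"}))
```

    The same checks belong in the PHP handler before the values reach mail(); the JavaScript check() stays as a courtesy to the user only.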

  • #6
    Senior Coder
    Join Date
    Oct 2003
    Location
    Australia
    Posts
    1,963
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Macintosh Solution for n00bs

    A couple of the small sites I maintain have suffered email injection attacks recently, so I've thrown together an all in one solution with the aim of making it as painless as possible for the developer and still informative to the user [i.e. no die() calls].

    Suggestions for optimization are very welcome as this is something I've just thrown together on a Sunday afternoon with a little bit of help in the way of the above regexps.

    Simple Safe Contact form demo


    Source
    Last edited by mindlessLemming; 09-25-2005 at 10:35 AM.

    I take no responsibility for the above nonsense.
