How to test for email injection

mathew_ · 07-22-2011, 12:35 PM

I'm using the php mail function and I have a form with the name field, phone field, email field and message field which is a text area. The email field (along with the name and phone field) displays in the message and isn't used to send an email to that address. The To: fields and subject: fields and From: header are static in the script and is designed to always be the same.

I was recently trying to try email injection to my own script so I can then know if my preventative measures are working or not.

I've tried putting in the fields %0ATo:mysecondemailaddress@provider.com and also %0ACc:mysecondemailaddress@provider.com, but the email doesn't even send to the proper email address at all. I was just wondering what is the correct method to do this, and also when I am using preventative methods such as identifying strings and either removing them or denying the email from being sent what characters such as % should I also be on the look out for?

Ps: I am going to put a captcha in the scrpt. So this is for protection against malicious users.

_____
Edit: Ok heres the code

PHP Code:


			
if (!empty($_REQUEST['email']))

{

    $name = $_REQUEST['name'];

    $phone = $_REQUEST['phone'];

    $email = $_REQUEST['email'] ;

    $message = $_REQUEST['message'] ;

    $message = "<html>

<head>

<title>Email Message</title>

</head>

<body>

<table border='1'>

<tr>

<th>Name:</th>

<th>Phone:</th>

<th>Email:</th>

<th>Message:</th>

</tr>

<tr>

<td>$name</td>

<td>$phone</td>

<td>$email</td>

<td>$message</td>

</tr>

</table>

</body>

</html>

";



$headers = "MIME-Version: 1.0" . "\r\n";

$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";



$headers .= 'From: <mail@website.com>' . "\r\n";

    mail($email, "Contact form submitted",

    $message, $headers);

    header ("Location: contact.php");

    exit;

    }

 ?>

<form method="post" action="contact.php">

<table>

    <tr>

        <td class="leftside">Name:</td>

        <td class="rightside"><input style="width:400px;" type="text" name="name" /></td>

    </tr>

    <tr>

        <td class="leftside">Phone:</td>

        <td class="rightside"><input style="width:400px;" type="text" name="phone" /></td>

    </tr>

    <tr>

        <td class="leftside"><b>*Email:</b></td>

        <td class="rightside"><input style="width:400px;" type="text" name="email" /></td>

    </tr>

    <tr>

        <td class="leftside">Message:</td>

        <td class="rightside"><textarea style="width:400px;height:300px;" name="message"></textarea></td>

    </tr>

    <tr>

//Captcha not implemented yet

        <td class="leftside">Captcha:<br />

             <br />

          Type in the text in the image above (not case-sensitve)</td>

        <td class="rightside"><input style="width:400px;" type="text" name="captcha" /></td>

    </tr>

    <tr>

        <td colspan="2">Fields marked with an asterix(*) or are bold are required. 

The CAPTCHA image must be matched.</td>

    </tr>

    <tr>

        <td colspan="2"><br /><input type="submit" value="Submit Form"/></td>

    </tr>

</table>

</form>

BluePanther · 07-22-2011, 12:58 PM

Could you maybe show us your code? Can't really make an educated decision without seeing what you're doing at the moment

Stockmonster · 07-23-2011, 01:02 PM

The true way to avoid email injections

Code:

<?php

/**
*
* @strip injection chars from email headers
*
* @param string $string
*
* return string
*
*/

$from = $_POST['from'];

function safeEmail($string) {
return preg_replace( '((?:\n|\r|\t|%0A|%0D|%08|%09)+)i' , '', $string );
}

/*** example usage ***/

if(strlen($from) < 100)
{
$from = safeEmail($from);
}

echo "$from";


?>