Comments on: Email Header Injection in PHP http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/ Web Development Blog Fri, 05 Sep 2008 21:55:21 +0000 http://wordpress.org/?v=2.0.2 by: Create a Contact Page Part II http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-33946 Sun, 31 Aug 2008 15:00:57 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-33946 [...] There are 3 functions we can use to validate the email address. These functions were originally written by Khalid Hanif and there is also more info on his blog post concerning these. The functions are [...] […] There are 3 functions we can use to validate the email address. These functions were originally written by Khalid Hanif and there is also more info on his blog post concerning these. The functions are […]

]]> by: Create a Contact Page Part I http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-33549 Sun, 24 Aug 2008 15:02:23 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-33549 [...] Once you’ve got an established blog you’ll most likely want a contact page with a contact form on it. Whilst there are a few plugins that do this for you, I tend to find that they either bloat your pages with additional CSS code in the header (CSS code should always be put in an external stylesheet whenever possible), badly written form markup, or probably the worst culprit, the PHP code doesn’t validate the information in the form to help prevent spam or email header injection. [...] […] Once you've got an established blog you'll most likely want a contact page with a contact form on it. Whilst there are a few plugins that do this for you, I tend to find that they either bloat your pages with additional CSS code in the header (CSS code should always be put in an external stylesheet whenever possible), badly written form markup, or probably the worst culprit, the PHP code doesn't validate the information in the form to help prevent spam or email header injection. […]

]]> by: George K. http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-31731 Mon, 14 Jul 2008 10:29:47 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-31731 I'm sorry. It's getting dark overhere and I mis-spelled my own name in the email address. Once again. First of all. No-one ever mentions the version of PHP as used. As a beginner on php I understand that there is a lot of difference between PHP4 and PJP5. Second. Why - in the example of this article a textarea is used for the From address. Wouldn't it be more safe to use a textfield with a lebgth of e.g. 30 characters? GHK I'm sorry. It's getting dark overhere and I mis-spelled my own name in the email address.
Once again.
First of all. No-one ever mentions the version of PHP as used. As a beginner on php I understand that there is a lot of difference between PHP4 and PJP5.
Second.
Why - in the example of this article a textarea is used for the From address. Wouldn't it be more safe to use a textfield with a lebgth of e.g. 30 characters?
GHK

]]> by: Graham http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-28026 Fri, 04 Apr 2008 06:41:38 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-28026 I have also found it useful to collect the IP address of people who respond using my forms and creating a list of IP addresses that attempt to break the sanitisation, and then: <code> $IP_addr = $_SERVER['REMOTE_ADDR']; $banlist = fopen("badIP.txt", "r"); $badips = ""; while ( $data = fgets($banlist) ) { $badips .= $data . ";"; } if ( strstr($badips, $IP_addr) ) die(); </code> I have also found it useful to collect the IP address of people who respond using my forms and creating a list of IP addresses that attempt to break the sanitisation, and then:


$IP_addr = $_SERVER['REMOTE_ADDR'];
$banlist = fopen("badIP.txt", "r");
$badips = "";
while ( $data = fgets($banlist) ) {
$badips .= $data . ";";
}
if ( strstr($badips, $IP_addr) ) die();

]]> by: Sys Admin Nexus » Blog Archive » Email Header Injection in PHP http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-9902 Mon, 04 Jun 2007 13:12:37 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-9902 [...] Taken from jellyandcustard.com [...] […] Taken from jellyandcustard.com […]

]]> by: Brain Goo » Blog Archive » PHP Header injection http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-7459 Mon, 21 May 2007 17:43:51 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-7459 [...] http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/ [...] […] http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/ […]

]]> by: Bernie Zimmermann http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-7229 Thu, 17 May 2007 06:36:23 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-7229 Thanks for the great article. I just found out today that spammers have been abusing my contact forms, so this was a great resource. I tweaked some of the functions a bit so they're a bit more logical, and fixed the regular expression for email validation since the one provided doesn't escape the "dots" correctly. I've posted a summary of the changes over at <a href="http://www.bernzilla.com/item.php?id=850" title="Avoiding Email Header Injection in PHP" rel="nofollow">my blog</a>. Thanks again! Thanks for the great article. I just found out today that spammers have been abusing my contact forms, so this was a great resource.

I tweaked some of the functions a bit so they're a bit more logical, and fixed the regular expression for email validation since the one provided doesn't escape the "dots" correctly.

I've posted a summary of the changes over at my blog.

Thanks again!

]]> by: schrose http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-4660 Tue, 10 Apr 2007 01:38:06 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-4660 Try this solution. http://beauford.vox.com/library/post/beaus-php-5-mail-logging-solution-for-windows-server-2003.html Try this solution.
http://beauford.vox.com/library/post/beaus-php-5-mail-logging-solution-for-windows-server-2003.html

]]> by: koolbenny http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-2509 Wed, 21 Feb 2007 16:33:19 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-2509 Thanks everybody, here's my final working script: http://benclarke.blogspot.com/2007/02/php-email-header-injection-prevention.html Thanks everybody, here's my final working script:
http://benclarke.blogspot.com/2007/02/php-email-header-injection-prevention.html

]]> by: Carpenter http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-1788 Fri, 26 Jan 2007 19:38:38 +0000 http://www.jellyandcustard.com/2006/02/24/email-header-injection-in-php/#comment-1788 I think captcha or a math problem as along with $strip_html_tags handles it pretty well for me. I think captcha or a math problem as along with $strip_html_tags handles it pretty well for me.

]]>