Hello,
I had the same problem. See the following article:
http://securephp.damonkohler.com/ind...mail_Injection
Here is what I did to fix the issue.
- created a file called email.php
PHP Code:
<?php
function sendEmail($to, $from, $subject, $message, $page) {
    // filter and validate the From address; fall back to a fixed
    // address (and flag the subject) if it does not pass
    $from = filter($from);
    if (!valid($from)) {
        $from = 'admin@yourEmail.com';
        $subject = "HACKING ATTEMPT";
    }
    // wordwrap message
    $message = wordwrap($message, 70);
    // build header (the only user-supplied part is the validated From)
    $header = "From: $from\n";
    $header .= "X-Mailer: PHP/$page";
    // send email
    mail($to, $subject, $message, $header);
}

function filter($value) {
    // strip line breaks (which would start a new header line) and header
    // keywords; preg_replace applies the patterns in this order
    $pattern = array("/\n/", "/\r/", "/content-type:/i", "/to:/i", "/from:/i", "/cc:/i", "/bcc:/i");
    $value = preg_replace($pattern, "", $value);
    return $value;
}

function valid($email) {
    // adapted from http://www.php.net/manual/en/function.eregi.php#52458
    // (eregi() was removed in PHP 7, so this uses preg_match() with the /i flag;
    // the "/" in the atom class is escaped because "/" is the pattern delimiter)
    $atom = '[-a-z0-9!#$%&\'*+\/=?^_`{|}~]';   // allowed characters for part before "at" character
    $domain = '([a-z]([-a-z0-9]*[a-z0-9]+)?)'; // allowed characters for part after "at" character
    $regex = '/^' . $atom . '+' .              // One or more atom characters.
        '(\.' . $atom . '+)*' .                // Followed by zero or more dot separated sets of one or more atom characters
        '@' .                                  // Followed by an "at" character.
        '(' . $domain . '{1,63}\.)+' .         // Followed by one or max 63 domain characters (dot separated).
        $domain . '{2,63}' .                   // Must be followed by a top-level part of at least two characters.
        '$/i';
    return preg_match($regex, $email) === 1;
}
?>
Then in my contact form, contact.php, I have (this is a very stripped down version):
PHP Code:
<?php
require("email.php");
// defined() tests constants, so isset() is the right check for the hidden field
if (!isset($_REQUEST['sent'])) {
    print '
    <form name="contact" method="post">
    <input type="text" name="email"/><br/>
    <textarea name="note" rows="5" cols="50"></textarea>
    <input type="hidden" name="sent" value="1"/>
    <input type="submit" value="Send"/>
    </form>';
} else {
    // You can validate entries here, if you like
    // Send the email ($_REQUEST{'key'} braces are gone since PHP 8; use [] )
    sendEmail('your@emailHere.com', $_REQUEST['email'] ?? '', 'Your Subject Here', $_REQUEST['note'] ?? '', 'contact');
}
?>
The 'contact' is just a string that I use to say which page it came from, for tracking purposes. I just use the form to submit a contact email, but you could modify it to filter and validate the To address as well.
HTH.
-Eric
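Added example (not from Eric's post, and not PHP): a Python re-creation of the filter()/valid() logic above, run against a constructed header-injection payload so you can see what the naive header build lets through and what the strip-and-validate path does with the same input. The fallback address admin@example.com, the payload and the 254-character length cap in valid() are assumptions made for this example; nothing is actually sent.

```python
"""Header-injection demo mirroring the post's filter()/valid()/sendEmail().
Added example, not code from the original post. No mail is sent."""
import re
from email.parser import HeaderParser

# Character classes copied from the post's regex.
ATOM = r"[-a-z0-9!#$%&'*+/=?^_`{|}~]"
DOMAIN = r"([a-z]([-a-z0-9]*[a-z0-9]+)?)"
EMAIL_RE = re.compile(
    r"^" + ATOM + r"+(\." + ATOM + r"+)*"    # local part: dot-separated atoms
    + r"@(" + DOMAIN + r"{1,63}\.)+"         # one or more labels, each followed by a dot
    + DOMAIN + r"{2,63}$",                   # top-level part
    re.IGNORECASE,
)

# Same patterns, same order, as the post's filter(); preg_replace applies them in sequence.
STRIP_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\n", r"\r", r"content-type:", r"to:", r"from:", r"cc:", r"bcc:")
]

FALLBACK_FROM = "admin@example.com"  # assumed stand-in for admin@yourEmail.com


def filter_value(value):
    """Strip line breaks and header keywords, in the post's order."""
    for pat in STRIP_PATTERNS:
        value = pat.sub("", value)
    return value


def valid(email):
    """True if the address matches the post's regex (assumed length cap added)."""
    if len(email) > 254:
        return False
    return EMAIL_RE.match(email) is not None


def naive_headers(from_addr, page):
    """Headers as built when user input goes straight into mail()."""
    return f"From: {from_addr}\nX-Mailer: PHP/{page}"


def safe_headers(from_addr, subject, page):
    """Mirror of sendEmail(): filter, validate, fall back on failure.
    Returns (subject, header block)."""
    from_addr = filter_value(from_addr)
    if not valid(from_addr):
        from_addr = FALLBACK_FROM
        subject = "HACKING ATTEMPT"
    return subject, f"From: {from_addr}\nX-Mailer: PHP/{page}"


def header_names(raw_headers):
    """Parse a header block the way a mail parser would and list the header names."""
    return list(HeaderParser().parsestr(raw_headers).keys())


# Constructed attack payload: a normal-looking address with an injected Bcc and Content-Type.
PAYLOAD = (
    "victim@example.com\n"
    "Bcc: spam1@example.com,spam2@example.com\n"
    "Content-Type: text/html"
)

if __name__ == "__main__":
    print("naive:", header_names(naive_headers(PAYLOAD, "contact")))
    subj, hdrs = safe_headers(PAYLOAD, "Contact form", "contact")
    print("filtered:", subj, header_names(hdrs))
```

Run it and the naive build shows Bcc and Content-Type appearing as real headers, while the filtered path ends up with only From and X-Mailer and the "HACKING ATTEMPT" subject, because the stripped value no longer validates as an address. Note that the "cc:" pattern runs before "bcc:" and eats the tail of "Bcc:", leaving a stray "B"; that is harmless here only because valid() rejects the result.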