Question

A client contacted us worried about some recent attempts to abuse the contact-us form on her site. Apparently someone tried to write some code in the message field; most likely it was an attempt to use the back-end script for spam email purposes (email injection using those funky headers).

Currently, the security in place is a JavaScript file that validates the form before it is submitted. There isn't really any checking in the back end.

So, I added some validation in the back end, just some simple stuff, like:

 $namePattern = '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i';
 $emailPattern = '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';
 // Delimiters, anchors and a quantifier were missing here; as originally written,
 // PCRE would have taken the square brackets themselves as the pattern delimiters.
 $phonePattern = '/^[0-9.\-]+$/';
 $array = $_POST;
 // This is the first line of defense.
 if (!preg_match($namePattern, $array['c_firstname'])) {
     die("Please go back and enter a correct first name");
 }
 // ...More if statements to check other fields.
 // The second line of defense.
 function remove($name) {
     return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), " Something Replaced ", $name);
 }
 $array['c_date'] = remove($array['c_date']);
 // Check the rest of the array.

Sorry if there is something wrong with my logic or my syntax, I haven't actually tested the above yet (since the site is live, I wanted to get as much of the code written as possible before testing).

Is the above enough of a security check? Did I get the pattern checks right (I mostly just copied other people's patterns because I don't totally understand the notation)?

This particular mail form uses Zend Mail, so in theory, it's a bit more secure than regular PHP mail, I think.

Also, this isn't that important, but if someone has the time, could you teach me how to cycle through the array and assign a new value to each element (i.e. instead of writing $array['c_date'] = remove ($array['c_date']); several times, a simple function or something that does the job for me)?

Thanks a lot for the help, have a good day!
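As an added example (not the asker's code and not part of the original question), here is one way to put the same two lines of defense together so that every field is checked in a loop rather than one assignment at a time, and so that header-injection sequences are rejected instead of silently replaced. The field names (c_firstname, c_email, c_phone, c_message), the length limits and the message-body rule are assumptions made for this example; the name and email patterns are the ones from the question with the D modifier added.

```php
<?php
// Added example, not the asker's code: validates a contact-form POST array
// field by field and refuses anything usable for mail-header injection.
// Field names and length limits below are assumptions for this example.

declare(strict_types=1);

// One pattern per field. The anchors and the D modifier matter: without D,
// "$" also matches just before a trailing newline, so "Alice\n" would pass.
const FIELD_RULES = [
    'c_firstname' => '/^[a-z0-9()\/\'":\*+|,.; \-!?&#$@]{2,75}$/iD',
    'c_email'     => '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/iD',
    'c_phone'     => '/^[0-9.\- +()]{6,20}$/D',
    // Message body: any printable text, tabs and line breaks allowed, other
    // control characters refused.
    'c_message'   => '/^[^\x00-\x08\x0B\x0C\x0E-\x1F]{1,2000}$/D',
];

// Sequences that would let a value break out of a single header line.
// Case-insensitive; %0a/%0d cover URL-encoded CR/LF that a later decoding
// step might turn back into real line breaks.
const HEADER_INJECTION = '/(\r|\n|%0a|%0d|\bcontent-type\s*:|\bbcc\s*:|\bcc\s*:|\bto\s*:)/i';

/**
 * Returns a list of error messages; an empty list means the input is clean.
 * Header fields (everything except the message body) are rejected outright
 * when they contain injection sequences rather than "cleaned", because a
 * rewritten value would still reach the mailer unnoticed.
 */
function validateContactForm(array $post): array
{
    $errors = [];
    foreach (FIELD_RULES as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {          // c_email[]=... must not slip through
            $errors[] = "$field: invalid type";
            continue;
        }
        if (preg_match($pattern, $value) !== 1) {
            $errors[] = "$field: does not match the allowed format";
            continue;
        }
        if ($field !== 'c_message' && preg_match(HEADER_INJECTION, $value) === 1) {
            $errors[] = "$field: contains mail-header characters";
        }
    }
    return $errors;
}

/**
 * The "cycle through the array" part of the question: array_map applies one
 * function to every element and returns a new array, keeping the string keys.
 * Trimming and collapsing runs of spaces/tabs is safe for every field.
 */
function normalizeFields(array $post): array
{
    return array_map(
        static fn($v) => is_string($v) ? trim(preg_replace('/[ \t]+/', ' ', $v)) : '',
        $post
    );
}

// Constructed sample submissions (not real traffic).
$clean = [
    'c_firstname' => 'Alice',
    'c_email'     => 'alice@example.com',
    'c_phone'     => '+1 555-0100',
    'c_message'   => "Hello,\nplease call me back.",
];
$injected = $clean;
$injected['c_email'] = "alice@example.com\r\nBcc: someone@example.net";

var_dump(validateContactForm(normalizeFields($clean)));     // array(0) {}
var_dump(validateContactForm(normalizeFields($injected)));  // one error on c_email
```

Validation runs on the normalized copy, and the normalized copy is what should be handed to the mailer, so the value that was checked is exactly the value that gets sent. Note that a single-quoted PHP string only unescapes \' and \\, which is why the patterns can contain \/ and \x00 literally.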

No correct solution

OTHER TIPS

Generally speaking the key is to ensure that anything coming from user input is not executed. Provided your code generating the email is encoding all the user input, there shouldn't be too many problems.

Pattern matching input can't hurt (unless you specifically want users to be able to enter particular values like html code).

Personally, I would reassure the client that any script/code inserted into their form isn't executed, and isn't harmful unless executed.

Simply sanitizing your input properly should be enough. Use htmlspecialchars() or htmlentities(). You can also strip out any < or > characters; that should be enough.

The most frequent problem with mail forms comes from bad code samples lying around on the web in which the destination email is taken from a hidden field in the form, which allows attackers to replace that email and use the server as a spam hub.

Just make sure the email does not come from user input. For the rest, the worst that can happen is that you will receive spam, which will just happen anyway if you want people to contact you.
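As an added illustration of this answer's point (example code, not from any answer above), here is the hidden-field shape it warns about next to the server-side alternative: the form may still let the visitor pick a department, but the actual address is looked up in a map that lives in the script, and an unknown key falls back to a fixed default. CONTACT_RECIPIENTS, DEFAULT_RECIPIENT, the department keys and the addresses are all assumptions for this example.

```php
<?php
// Added example, not from the original answers. The recipient map and the
// field names are assumptions made for this illustration.

declare(strict_types=1);

// The shape the answer warns about: the recipient is whatever the browser
// sent in a hidden field, so the form can be pointed at any address.
function buildMailVulnerable(array $post): array
{
    return [
        'to'      => $post['to'] ?? '',      // comes straight from the request
        'subject' => 'Contact form',
        'body'    => $post['c_message'] ?? '',
    ];
}

// Fixed shape: the request only selects a key; the address itself never
// leaves the server, and anything not in the map gets the default.
const CONTACT_RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];
const DEFAULT_RECIPIENT = 'contact@example.com';

function buildMailFixed(array $post): array
{
    $key = $post['department'] ?? '';
    if (!is_string($key)) {                // department[]=... must not reach the lookup
        $key = '';
    }
    return [
        'to'      => CONTACT_RECIPIENTS[$key] ?? DEFAULT_RECIPIENT,
        'subject' => 'Contact form',
        'body'    => is_string($post['c_message'] ?? null) ? $post['c_message'] : '',
    ];
}

// Constructed request (not real traffic) that supplies its own recipient.
$request = [
    'to'         => 'someone@example.net',
    'department' => 'someone@example.net',
    'c_message'  => 'hello',
];
var_dump(buildMailVulnerable($request)['to']); // string(19) "someone@example.net"
var_dump(buildMailFixed($request)['to']);      // string(19) "contact@example.com"
```

The same lookup idea applies to the From/Reply-To side: put the visitor's address in Reply-To after validation, and keep From set to a fixed address on your own domain, so no header value is built from raw input.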

Licensed under: CC-BY-SA with attribution