Re: E-mail injection question

On Sun, Nov 21, 2010 at 12:02 PM, Gary <gpaul@xxxxxxxxxxxxxxxx> wrote:

> I have been testing various scripts to kill email injection attacks.  I
> adapted this script and it seems to work well.  Does anyone see any issues
> with this?
>
> <?php
> $newlinecounter = 0;
> foreach($_POST as $key => $val_newline){
> if(stristr($val_newline, '\r')){$newlinecounter++;}
> if(stristr($val_newline, '\n')){$newlinecounter++;}
> if(stristr($val_newline, '\\r')){$newlinecounter++;}
> if(stristr($val_newline, '\\n')){$newlinecounter++;}
> if(stristr($val_newline, '\r\n')){$newlinecounter++;}
> if(stristr($val_newline, '\\r\\n')){$newlinecounter++;}
> if(stristr($val_newline, 'Bcc')){$newlinecounter++;}
> }
> if ($newlinecounter >= 1){ die('die scum die');
> }
>
> ?>
>
> Thank you,
> Gary
>

Hi Gary,

There are issues with this approach (one being that checking all POST fields
indiscriminately will lead to false positives, as the body/message of an
email can contain new line characters without issue.)

I'd suggest using Zend's Email capabilities.  You just upload the framework
to your site, add it to your include path, and then you can even use SMTP
email capabilities through an account such as gmail or another email
provider, which is much better than using the general mail() function,
anyway.  And, you have all the security benefits.

Here's a link to Zend's Mail class documentation:
http://framework.zend.com/manual/en/zend.mail.html

Adam

-- 
Nephtali:  PHP web framework that functions beautifully
http://nephtaliproject.com
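An added example of the narrower check Adam describes, restricted to the fields that are copied into mail headers; this is illustrative code written for this page, not Gary's script, Adam's code or Zend_Mail. The form field names, the recipient and the site's From address are assumptions. Two points it shows: a PHP single-quoted '\r' is the two characters backslash and r, so the stristr() calls in the quoted script never match a real carriage return (the regex below works because PCRE interprets the \r, \n and \x00 escapes itself), and once real line breaks are rejected the separate "Bcc" substring check is unnecessary and only causes false positives.

```php
<?php
// Added example for this thread: reject header injection only in the fields
// that end up in mail headers, and leave the message body alone.

/**
 * True if $value contains a character that would end a mail header line.
 * The pattern is single-quoted on purpose: PCRE interprets \r, \n and \x00
 * itself, so these match the real control characters. Passing '\r' to
 * stristr() would instead search for a literal backslash followed by r.
 */
function contains_header_break($value)
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

/**
 * Validate a contact form. $post is the submitted form (normally $_POST).
 * The field names are assumptions for this example.
 * Returns array($errors, $clean).
 */
function validate_contact_form(array $post)
{
    $errors = array();
    $clean  = array();

    // These values are copied into headers (Reply-To:, Subject:), so a line
    // break in any of them would let the sender append headers such as Bcc:.
    foreach (array('name', 'email', 'subject') as $field) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (contains_header_break($value)) {
            $errors[] = "$field contains a line break";
        }
        $clean[$field] = $value;
    }

    // The address goes into Reply-To:, so it must be a single bare address.
    // FILTER_VALIDATE_EMAIL rejects whitespace and control characters as well.
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // The body is sent as message content, so newlines are fine here; this is
    // the field the quoted script's blanket check would wrongly reject.
    $body = isset($post['message']) ? (string) $post['message'] : '';
    if (strpos($body, "\0") !== false) {
        $errors[] = 'message contains a NUL byte';
    }
    $clean['message'] = $body;

    return array($errors, $clean);
}

/**
 * Build the headers from validated values only. The From: address is the
 * site's own (assumed), so the visitor's input never becomes the envelope
 * sender; the visitor's address is offered via Reply-To:.
 */
function send_contact_mail(array $clean, $to)
{
    $headers = "From: webform@example.com\r\n"
             . 'Reply-To: ' . $clean['email'];
    $body    = 'From: ' . $clean['name'] . "\n\n" . $clean['message'];
    return mail($to, $clean['subject'], $body, $headers);
}

// Constructed inputs for the demonstration (not real submissions).
$innocent = array(
    'name'    => 'Gary',
    'email'   => 'gary@example.com',
    'subject' => 'Question about Bcc handling',            // the word "Bcc" is harmless
    'message' => "Line one\r\nLine two\r\n\r\nRegards,\nGary", // body may contain newlines
);
$attack = array(
    'name'    => "Gary\r\nBcc: victim1@example.com, victim2@example.com",
    'email'   => 'gary@example.com',
    'subject' => 'hi',
    'message' => 'spam',
);
// A visitor who types a literal backslash-r is harmless; that two-character
// sequence is all the single-quoted '\r' check in the quoted script matched.
$literal = $innocent;
$literal['name'] = 'Gary \r\n';

foreach (array('innocent' => $innocent, 'attack' => $attack, 'literal' => $literal) as $label => $post) {
    list($errors, $clean) = validate_contact_form($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', PHP_EOL;
    if (!$errors && $label === 'innocent' && PHP_SAPI !== 'cli') {
        send_contact_mail($clean, 'owner@example.com'); // recipient is an assumption
    }
}
```

The innocent and literal submissions pass, while the attack is rejected at the name field, before anything reaches mail(). Whether the form then calls mail() directly or hands the validated values to a library such as Zend_Mail, the check belongs on the header-bound fields only; the message body is free to contain as many line breaks as the sender likes.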
