The PHP e-mail script from the previous section contains a vulnerability.
First, look at the PHP code from the previous chapter:
<html>
<head>
<meta charset="utf-8">
<title>Coder Tutorial (codercto.com)</title>
</head>
<body>
<?php
if (isset($_REQUEST['email'])) {
    // If the email parameter is received, send an email
    $email = $_REQUEST['email'];
    $subject = $_REQUEST['subject'];
    $message = $_REQUEST['message'];
    // The unvalidated email value is placed directly in the From: header
    mail("[email protected]", $subject, $message, "From:" . $email);
    echo "Mail sent successfully";
} else {
    // If there is no email parameter, display the form
    echo "<form method='post' action='mailform.php'>
    Email: <input name='email' type='text'><br>
    Subject: <input name='subject' type='text'><br>
    Message:<br>
    <textarea name='message' rows='15' cols='40'></textarea><br>
    <input type='submit'>
    </form>";
}
?>
</body>
</html>
The problem with the code above is that any user can inject additional data into the e-mail header through the input form.
What happens if the user enters the following text in the e-mail field of the form?
[email protected]%0ACc:[email protected]%0ABcc:[email protected],[email protected],[email protected],[email protected]%0ABTo:[email protected]
The mail() function places this text in the e-mail header just as it would any other From value, so the header now contains additional Cc:, Bcc:, and To: fields. When the user clicks the submit button, the e-mail is sent to all of those addresses!
The best way to prevent e-mail injection is to validate the input.
The following code is similar to the one in the previous chapter, but here we have added an input validator that checks the email field in the form:
<html>
<head>
<meta charset="utf-8">
<title>Coder Tutorial (codercto.com)</title>
</head>
<body>
<?php
function spamcheck($field)
{
    // filter_var() with FILTER_SANITIZE_EMAIL removes characters
    // that are not allowed in an e-mail address
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    // filter_var() with FILTER_VALIDATE_EMAIL checks that what is
    // left is a syntactically valid e-mail address
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

if (isset($_REQUEST['email'])) {
    // If the email parameter is received, check whether it is legal
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == FALSE) {
        echo "Illegal input";
    } else {
        // Send the email
        $email = $_REQUEST['email'];
        $subject = $_REQUEST['subject'];
        $message = $_REQUEST['message'];
        mail("[email protected]", $subject, $message, "From: $email");
        echo "Thank you for using our mail form";
    }
} else {
    // If there is no email parameter, display the form
    echo "<form method='post' action='mailform.php'>
    Email: <input name='email' type='text'><br>
    Subject: <input name='subject' type='text'><br>
    Message:<br>
    <textarea name='message' rows='15' cols='40'></textarea><br>
    <input type='submit'>
    </form>";
}
?>
</body>
</html>
In the code above, we use PHP filters to validate the input:
The FILTER_SANITIZE_EMAIL filter removes characters that are not allowed in an e-mail address from the string.
The FILTER_VALIDATE_EMAIL filter checks that the value is a syntactically valid e-mail address.
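To see what the two filters actually do with an injected value, the following command-line script is an added example (it is not the tutorial's own code): it runs the tutorial's sanitize-then-validate check and an explicit CR/LF check over constructed inputs, including the injected form value from above after URL decoding. The addresses are example.com placeholders, and the check also shows why the value placed in the From: header should be the sanitized one that was validated, not the raw request value.

```php
<?php
// Added example (not the tutorial's own code). Runs the tutorial's filter_var()
// check and an explicit CR/LF check over a few constructed inputs from the CLI.

// Same check as the tutorial's spamcheck(): sanitize, then validate.
function spamcheck(string $field): bool
{
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    return filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

// A line break is what lets an injected string start a new header line, so any
// field that ends up in a header (From, Subject, ...) should never contain one.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the address that is safe to place in the From: header, or null if the
// input is rejected. The value returned is the sanitized one that was validated,
// not the raw request value.
function safe_from_address(string $raw): ?string
{
    if (has_header_injection($raw)) {
        return null;
    }
    $clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
    return filter_var($clean, FILTER_VALIDATE_EMAIL) !== false ? $clean : null;
}

// Constructed inputs (example.com placeholders). "inject" is the tutorial's
// injected form value after URL decoding, where %0A becomes a newline.
$samples = [
    'legit'   => 'sender@example.com',
    'inject'  => urldecode('sender@example.com%0ACc:a@example.com%0ABcc:b@example.com%0ATo:c@example.com'),
    'subject' => "Hello\r\nBcc:d@example.com",
];

foreach ($samples as $label => $value) {
    printf("%-8s spamcheck=%-5s crlf=%-5s from=%s\n",
        $label,
        spamcheck($value) ? 'true' : 'false',
        has_header_injection($value) ? 'true' : 'false',
        safe_from_address($value) ?? 'rejected');
}
```

The third input passes spamcheck() because FILTER_SANITIZE_EMAIL strips the line break before FILTER_VALIDATE_EMAIL sees the value, while the explicit CR/LF check rejects it; that is the reason for checking line breaks in every header-bound field and for sending only the sanitized value.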
You can read more about filters in our PHP Filter chapter.