Linux, Apache, MySQL, PHP

 
Question: Protecting PHP Mailing
Mike-MadBadger, 6-Jul-12 12:44
Ah the joys, 9 million pieces of advice, guidance and code and not one agrees with another.

So I spent some time reading around and checking out the source for PEAR Mail and PHP Mailer and this is what I've managed to surmise - bearing in mind I am a beginner in most things and definitely in PHP, regex etc. (and essentially at zero when it comes to RFC822, SMTP etc. etc.)

What I really want to understand (rather than simply solve) is how to best protect a web contact form from being used maliciously.

Based on my limited understanding, one approach might be this - so, is it good, bad, misleading, wrong or (and this would be a surprise) not half bad?

1/ First use filter_var twice, once with FILTER_SANITIZE_EMAIL and then FILTER_VALIDATE_EMAIL on the from address only (since we supply the to address)

2/ Optionally use the PHP Mailer regex as belt and braces, again on the from address only ->
return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);
3/ Optionally test user data such as subject, name etc. (anything that goes in the header) with the regex from phundamentals ->
function safe( $name ) {return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );}

4/ Then build the headers array and use string replacement or preg_replace to remove line endings
5/ This could be as simple as the PHP Mailer string replace -> ("\r", "\n") or the more 'complex' PEAR Mail preg_replace ->
=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i
which appears to define extra descriptions of an EOL - for PHP v5+, could use str_ireplace instead of preg_replace

For reference here are the notes I made that led to my uninformed and speculative ideas above:

// Functions found from various sources

// www.nyphp.org/phundamentals/8_Preventing-Email-Header-Injection
// Pattern for filtering email addresses       --  '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i'
// Pattern for filtering fields such as names  --  '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i'
function safe( $name ) {return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );}
 
// www.dreamincode.net/forums/topic/228389-preventing-php-mail-header-injections/
$reply_to = filter_var($reply_to, FILTER_VALIDATE_EMAIL);  if(!$reply_to) {...}
function sanitize(&$array) { foreach($array as &$data) $data = str_replace(array("\r", "\n", "%0a", "%0d"), '', stripslashes($data)); }
 

// PHP Mailer
// code.google.com/a/apache-extras.org/p/phpmailer/source/browse/trunk/class.phpmailer.php
// interesting to note that only FILTER_VALIDATE_EMAIL is used, FILTER_SANITIZE_EMAIL is not used
public static function ValidateAddress($address) {
    if (function_exists('filter_var')) { //Introduced in PHP 5.2
        if(filter_var($address, FILTER_VALIDATE_EMAIL) === FALSE) {
            return false;
        } else {
            return true;
        }
    } else {
        return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);
    }
}
public function SecureHeader($str) { return trim(str_replace(array("\r", "\n"), '', $str)); } 
 

// PEAR Mail
function _sanitizeHeaders(&$headers)
{
    foreach ($headers as $key => $value) {
         $headers[$key] = preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i', '', $value);
    }
}

Mike
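An added example (not code from the post above, nor from PHPMailer or PEAR Mail) that puts steps 1 to 5 together into one contact-form handler and runs it against a constructed benign submission and a constructed header-injection attempt. The recipient address, the From header, the helper names and the sample data are all assumptions made for illustration. Two design choices are deliberate: header-bound fields that contain CR or LF are rejected outright rather than stripped, and the sender address is checked with FILTER_VALIDATE_EMAIL alone (as the PHPMailer notes observe), so the form never mails to an address the user did not actually type.

```php
<?php
// Added example: a contact-form handler that refuses, rather than strips,
// anything that could break out of a mail header. Not from the original post
// or from PHPMailer / PEAR Mail. Addresses, helper names and the sample
// submissions below are constructed for illustration.

declare(strict_types=1);

const CONTACT_TO  = 'webmaster@example.com';              // fixed recipient, never user input (assumed)
const FROM_HEADER = 'Contact form <noreply@example.com>'; // our own domain (assumed)

/**
 * Validate a single address. Validate, do not sanitize: FILTER_VALIDATE_EMAIL
 * rejects CR, LF and spaces, so an address that passes cannot carry a second
 * header line, and nothing is ever sent to a "repaired" address.
 */
function valid_address(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false
        && strlen($address) <= 254;
}

/**
 * Validate free text destined for a header (Subject, a display name).
 * Reject CR, LF or NUL outright instead of stripping them. PHP has already
 * URL-decoded $_POST, so literal CR/LF bytes are what matter, not "%0a".
 */
function valid_header_text(string $text, int $maxLen = 200): bool
{
    return $text !== ''
        && strlen($text) <= $maxLen
        && preg_match('/[\r\n\0]/', $text) !== 1;
}

/**
 * Turn a POSTed form into the arguments for mail(). Throws on bad input so
 * nothing is sent. Returns [$to, $subject, $body, $headers].
 */
function build_contact_mail(array $post): array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $message = (string)($post['message'] ?? '');

    if (!valid_header_text($name, 75) || !valid_header_text($subject, 120)) {
        throw new InvalidArgumentException('name/subject contain line breaks or are too long');
    }
    if (!valid_address($email)) {
        throw new InvalidArgumentException('invalid sender address');
    }
    if ($message === '' || strlen($message) > 10000) {
        throw new InvalidArgumentException('message empty or too long');
    }

    // The visitor's address goes in Reply-To, not From: From stays on our own
    // domain, so the form cannot be used to send mail that appears to come
    // from arbitrary third parties.
    $headers = implode("\r\n", [
        'From: ' . FROM_HEADER,
        'Reply-To: ' . $email,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
    ]);

    // Line breaks in the body are harmless: mail() places the body after the
    // blank line that terminates the header block, so they cannot add headers.
    $body = "Name: {$name}\nEmail: {$email}\n\n" . str_replace("\r\n", "\n", $message);

    return [CONTACT_TO, '[Contact] ' . $subject, $body, $headers];
}

// --- demonstration with constructed submissions ---------------------------
$benign = ['name' => 'Jane Doe', 'email' => 'jane@example.org',
           'subject' => 'Question about pricing', 'message' => "Hello,\n\nHow much is it?"];

// Classic header injection: CRLF followed by a Bcc header, in a field that a
// naive handler would concatenate straight into $headers.
$malicious = $benign;
$malicious['email'] = "jane@example.org\r\nBcc: spam-target@example.net";

foreach (['benign' => $benign, 'malicious' => $malicious] as $label => $post) {
    try {
        [$to, $subject, $body, $headers] = build_contact_mail($post);
        echo "$label: accepted\n", $headers, "\n";
        // mail($to, $subject, $body, $headers); // uncomment to actually send
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Run it with `php contact.php` (PHP 7.1 or later for the array destructuring): the benign submission is accepted and its header block printed; the second, whose email field carries a CRLF and a `Bcc:` line, is rejected before `mail()` is ever reached. A handler that built `$headers = "From: $email"` from the same input would instead deliver the message to the injected Bcc recipient, which is the attack the post is trying to prevent.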
