
Linux, Apache, MySQL, PHP

Question: Protecting PHP Mailing (Mike-MadBadger, 6-Jul-12 13:44)
Ah the joys, 9 million pieces of advice, guidance and code and not one agrees with another.

So I spent some time reading around and checking out the source for PEAR Mail and PHP Mailer and this is what I've managed to surmise - bearing in mind I am a beginner in most things and definitely in PHP, regex etc. (and essentially at zero when it comes to RFC822, SMTP etc. etc.)

What I really want to understand (rather than simply solve) is how to best protect a web contact form from being used maliciously.

Based on my limited understanding, one approach might be this - so, is it good, bad, misleading, wrong or (and this would be a surprise) not half bad?

1/ First use filter_var twice, once with FILTER_SANITIZE_EMAIL and then FILTER_VALIDATE_EMAIL, on the from address only (since we supply the to address)

2/ Optionally use the PHP Mailer regex as belt and braces, again on the from address only ->
    return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);

3/ Optionally test user data such as subject, name etc. (anything that goes in the header) with the regex from phundamentals ->
    function safe( $name ) { return str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:" ), "", $name ); }

4/ Then build the headers array and use string replacement or preg_replace to remove line endings

5/ This could be as simple as the PHP Mailer string replace -> ("\r", "\n") or the more 'complex' PEAR Mail preg_replace ->
    =((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i
which appears to define extra descriptions of an EOL - for PHP v5+, could use str_ireplace instead of preg_replace

For reference here are the notes I made that led to my uninformed and speculative ideas above:

// Functions found from various sources

// www.nyphp.org/phundamentals/8_Preventing-Email-Header-Injection
// Pattern for filtering email addresses       --  '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i'
// Pattern for filtering fields such as names  --  '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i'
function safe( $name ) {return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );}
 
// www.dreamincode.net/forums/topic/228389-preventing-php-mail-header-injections/
$reply_to = filter_var($reply_to, FILTER_VALIDATE_EMAIL);  if(!$reply_to) {...}
// strips raw and percent-encoded line endings from every field in place
function sanitize(&$array) { foreach($array as &$data) $data = str_replace(array("\r", "\n", "%0a", "%0d"), '', stripslashes($data)); }

// PHP Mailer
// code.google.com/a/apache-extras.org/p/phpmailer/source/browse/trunk/class.phpmailer.php
// interesting to note that only FILTER_VALIDATE_EMAIL is used, FILTER_SANITIZE_EMAIL is not used
// (body of PHPMailer's ValidateAddress(); the surrounding signature is shown here for context)
public static function ValidateAddress($address) {
    if (function_exists('filter_var')) { //Introduced in PHP 5.2
        if(filter_var($address, FILTER_VALIDATE_EMAIL) === FALSE) {
            return false;
        } else {
            return true;
        }
    } else {
        // fallback for PHP < 5.2: RFC-style local part, then a dotted domain or a bracketed IPv4 literal
        return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);
    }
}
// removes CR and LF from a header value before it is used
public function SecureHeader($str) { return trim(str_replace(array("\r", "\n"), '', $str)); }

// PEAR Mail
function _sanitizeHeaders(&$headers)
{
    foreach ($headers as $key => $value) {
         $headers[$key] = preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i', null, $value);
    }
}

Mike
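As an added example (not code from the original post, from PHPMailer or from PEAR Mail), here is a contact-form handler that applies steps 1 to 5 above, with one deliberate change: a header field that contains a line break is rejected outright rather than stripped, so an injection attempt fails closed instead of producing a "nearly valid" header. The function names, the site's From address and the sample submissions at the bottom are assumptions made up for the demonstration; the name pattern is the phundamentals one quoted in the notes.

```php
<?php
// Added example, not code from the original post, PHPMailer or PEAR Mail.
// Function names, the site address and the sample submissions are assumed
// for this demonstration.

// Step 1: FILTER_SANITIZE_EMAIL, then FILTER_VALIDATE_EMAIL, on the visitor's
// address only. The result is accepted only if sanitising changed nothing:
// an address we had to "repair" is not the address the visitor typed.
function validateFromAddress(string $raw): ?string
{
    $sanitised = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $validated = filter_var($sanitised, FILTER_VALIDATE_EMAIL);
    if ($validated === false || $validated !== $raw) {
        return null;
    }
    return $validated;
}

// Step 3: the phundamentals pattern for name-like fields. Its character
// class contains neither CR nor LF nor '%', so a match also guarantees a
// single line. The D modifier is added so that '$' cannot match just before
// a trailing newline, which plain '$' would otherwise allow.
const NAME_PATTERN = '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/iD';

function isSafeNameField(string $value): bool
{
    return preg_match(NAME_PATTERN, $value) === 1;
}

// Steps 4 and 5: anything else that lands in a header (here the subject)
// must not contain a raw or percent-encoded line ending.
function hasLineBreak(string $value): bool
{
    return preg_match('/\r|\n|%0a|%0d/i', $value) === 1;
}

// Builds the subject and header list for mail(). Returns null and sets
// $error on any suspicious input instead of sending a mangled message.
function buildContactHeaders(array $form, ?string &$error = null): ?array
{
    $from = validateFromAddress($form['from'] ?? '');
    if ($from === null) {
        $error = 'from address rejected';
        return null;
    }
    $name = $form['name'] ?? '';
    if (!isSafeNameField($name)) {
        $error = 'name rejected';
        return null;
    }
    $subject = trim($form['subject'] ?? '');
    if ($subject === '' || hasLineBreak($subject)) {
        $error = 'subject rejected';
        return null;
    }
    // The site supplies its own From: header; the visitor's address goes
    // only into Reply-To. The name pattern admits '"' but not '\', so a
    // quoted display name only needs the double quotes replaced.
    return [
        'subject' => $subject,
        'headers' => [
            'From'     => 'Contact form <contact@example.com>', // assumed site address
            'Reply-To' => sprintf('"%s" <%s>', str_replace('"', "'", $name), $from),
        ],
    ];
}

// Constructed sample submissions: one benign, three carrying the kinds of
// line-ending and header markers that steps 1 to 5 are meant to catch.
$samples = [
    'benign'       => ['from' => 'alice@example.com', 'name' => 'Alice Smith', 'subject' => 'Hello'],
    'crlf in name' => ['from' => 'alice@example.com', 'name' => "Alice\r\nbcc: x@example.net", 'subject' => 'Hello'],
    'encoded'      => ['from' => 'alice@example.com', 'name' => 'Alice', 'subject' => 'Hi%0aCc: y@example.net'],
    'bad from'     => ['from' => "alice@example.com\nTo: z@example.net", 'name' => 'Alice', 'subject' => 'Hi'],
];

foreach ($samples as $label => $form) {
    $error = null;
    $result = buildContactHeaders($form, $error);
    if ($result === null) {
        echo "$label: rejected ($error)\n";
        continue;
    }
    // Real use: mail($to, $result['subject'], $body, $result['headers']);
    // PHP 7.2 and later accept the header array directly, so no hand-joined
    // "\r\n" strings are needed.
    echo "$label: accepted, Reply-To = {$result['headers']['Reply-To']}\n";
}
```

Only the first submission is accepted; the other three are rejected by the address check, the name pattern and the subject check respectively. Rejecting is preferable to the strip-and-continue approach in the notes because stripping "to:" from a value leaves the rest of the injected line in the header, and the percent-encoded forms only matter if the value is URL-decoded again later, so treating their presence as a reason to refuse costs nothing for honest input.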
Answer: Re: Protecting PHP Mailing (BobJanova, 12-Jul-12 0:49)
General: Re: Protecting PHP Mailing (Mike-MadBadger, 13-Jul-12 23:05)
General: Re: Protecting PHP Mailing (BobJanova, 17-Jul-12 4:42)
General: Re: Protecting PHP Mailing (Mike-MadBadger, 19-Jul-12 7:58)