Linux, Apache, MySQL, PHP

 
Question: Protecting PHP Mailing
Mike-MadBadger, 6-Jul-12 12:44
Ah, the joys: 9 million pieces of advice, guidance and code, and not one agrees with another.

So I spent some time reading around and checking out the source for PEAR Mail and PHP Mailer, and this is what I've managed to surmise, bearing in mind I am a beginner in most things and definitely in PHP, regex etc. (and essentially at zero when it comes to RFC 822, SMTP etc.).

What I really want to understand (rather than simply solve) is how best to protect a web contact form from being used maliciously.

Based on my limited understanding, one approach might be this. So, is it good, bad, misleading, wrong or (and this would be a surprise) not half bad?

1/ First use filter_var twice, once with FILTER_SANITIZE_EMAIL and then with FILTER_VALIDATE_EMAIL, on the from address only (since we supply the to address).

2/ Optionally use the PHP Mailer regex as belt and braces, again on the from address only:
return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);

3/ Optionally test user data such as subject, name etc. (anything that goes in a header) with the regex from phundamentals:
function safe( $name ) {return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );}

4/ Then build the headers array and use string replacement or preg_replace to remove line endings.

5/ This could be as simple as the PHP Mailer string replace ("\r", "\n") or the more 'complex' PEAR Mail preg_replace:
=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i
which appears to define extra descriptions of an EOL; for PHP v5+, one could use str_ireplace instead of preg_replace.

For reference, here are the notes I made that led to my uninformed and speculative ideas above:

// Functions found from various sources

// www.nyphp.org/phundamentals/8_Preventing-Email-Header-Injection
// Pattern for filtering email addresses       --  '/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i'
// Pattern for filtering fields such as names  --  '/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i'
// Strips raw and URL-encoded line breaks plus a few header names, case-insensitively
function safe( $name ) {return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $name ) );}

// www.dreamincode.net/forums/topic/228389-preventing-php-mail-header-injections/
// FILTER_VALIDATE_EMAIL returns false for anything that is not a single plain address
$reply_to = filter_var($reply_to, FILTER_VALIDATE_EMAIL);  if(!$reply_to) {...}
// Strips line breaks from every element of the array in place
// (the copy I found had an unbalanced closing brace; the reference is unset after the loop so it does not dangle)
function sanitize(&$array) { foreach($array as &$data) { $data = str_replace(array("\r", "\n", "%0a", "%0d"), '', stripslashes($data)); } unset($data); }


// PHP Mailer
// code.google.com/a/apache-extras.org/p/phpmailer/source/browse/trunk/class.phpmailer.php
// interesting to note that only FILTER_VALIDATE_EMAIL is used, FILTER_SANITIZE_EMAIL is not used
// (body of PHPMailer's ValidateAddress() method, wrapped as a plain function here so the snippet stands alone)
function ValidateAddress($address) {
    if (function_exists('filter_var')) { //Introduced in PHP 5.2
        if(filter_var($address, FILTER_VALIDATE_EMAIL) === FALSE) {
            return false;
        } else {
            return true;
        }
    } else {
        return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);
    }
}
// PHPMailer's SecureHeader() method (a plain function here): removes CR and LF and trims
function SecureHeader($str) { return trim(str_replace(array("\r", "\n"), '', $str)); }


// PEAR Mail
// For each header value, drops a line break (raw, or written as <CR>/<LF>/0x0A/%0A/0x0D/%0D)
// and everything after it, provided the break is followed by a non-space character;
// a folded continuation line starting with whitespace is left alone.
// The replacement is '' rather than null so it still runs on current PHP.
function _sanitizeHeaders(&$headers)
{
    foreach ($headers as $key => $value) {
         $headers[$key] = preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i', '', $value);
    }
}


Mike
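To see the five steps above as one working piece, here is an added example (written for this page, not code from the original post, PHPMailer or PEAR Mail) of a contact-form header builder that rejects, rather than strips, any field containing a line break, validates the user's address with FILTER_VALIDATE_EMAIL, and puts the user's address in Reply-To while the site's own address goes in From. The function names, the site address contact@example.org and the two sample submissions are assumptions constructed for the example.

```php
<?php
// Added example, not from the original post. All function names and the
// addresses below are assumptions made for illustration.
declare(strict_types=1);

// True if $value could end a header line and start a new one. The URL-encoded
// spellings are checked too, because some code decodes input before mail().
function has_header_injection(string $value): bool
{
    return preg_match('/\r|\n|%0a|%0d/i', $value) === 1;
}

// Returns the validated address, or null if it is not a single plain address.
function validate_email(string $address): ?string
{
    $address = trim($address);
    if (has_header_injection($address)) {
        return null;
    }
    $valid = filter_var($address, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Header-safe display name: reject line breaks, strip other control characters,
// and quote the name so commas, colons and angle brackets cannot be read as
// address-list or header syntax.
function header_display_name(string $name): ?string
{
    if (has_header_injection($name)) {
        return null;
    }
    $name = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $name));
    if ($name === '' || strlen($name) > 75) {
        return null;
    }
    // RFC 5322 quoted-string: escape backslash and double quote.
    return '"' . addcslashes($name, "\\\"") . '"';
}

// Build the header block for a contact-form message. From is the site's own
// address; the user's address goes in Reply-To, so the user never controls
// the sender. Returns null if any field fails validation.
function build_contact_headers(string $name, string $replyTo, string $siteFrom): ?array
{
    $from    = validate_email($siteFrom);
    $reply   = validate_email($replyTo);
    $display = header_display_name($name);
    if ($from === null || $reply === null || $display === null) {
        return null;
    }
    return [
        'From'         => $from,
        'Reply-To'     => $display . ' <' . $reply . '>',
        'Content-Type' => 'text/plain; charset=UTF-8',
        'X-Mailer'     => 'contact-form',
    ];
}

// Fold the header array into the string mail() expects. Every value has
// already been checked, so joining with CRLF here cannot add a header.
function headers_to_string(array $headers): string
{
    $lines = [];
    foreach ($headers as $key => $value) {
        $lines[] = $key . ': ' . $value;
    }
    return implode("\r\n", $lines);
}

// Constructed inputs: a benign submission and a classic injection attempt that
// tries to add a Bcc recipient through the "from" field.
$benign    = ['name' => 'Jane Doe', 'from' => 'jane@example.com'];
$malicious = ['name' => 'Jane Doe', 'from' => "jane@example.com\r\nBcc: spam-target@example.net"];

foreach ([$benign, $malicious] as $submission) {
    $headers = build_contact_headers($submission['name'], $submission['from'], 'contact@example.org');
    if ($headers === null) {
        echo 'rejected: ' . json_encode($submission['from']) . "\n";
        continue;
    }
    echo "accepted:\n" . headers_to_string($headers) . "\n";
    // Only now would the message be sent; the subject gets the same line-break check:
    // mail('owner@example.org', 'Contact form', $body, headers_to_string($headers));
}
```

The first submission prints an "accepted:" block with From, Reply-To, Content-Type and X-Mailer lines; the second prints "rejected:" because the line break is caught before filter_var ever sees it. Rejecting is preferable to the strip-and-continue approach in the notes above: a value that contained CRLF was never an honest name or address, so there is nothing worth keeping from it.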
Answer: Re: Protecting PHP Mailing (BobJanova, 11-Jul-12 23:49)
General: Re: Protecting PHP Mailing (Mike-MadBadger, 13-Jul-12 22:05)
General: Re: Protecting PHP Mailing (BobJanova, 17-Jul-12 3:42)
General: Re: Protecting PHP Mailing (Mike-MadBadger, 19-Jul-12 6:58)
Web02 | 2.8.170624.1 | Last Updated 21 Jun 2017
Copyright © CodeProject, 1999-2017