Sending PHP mail() A MUST READ


Flash Gordon
11-06-2005, 06:33 PM
Two reasons you must read this:

1) secure your site
2) learn how to cc and bcc

http://securephp.damonkohler.com/index.php/Email_Injection

Enjoy!

EDIT:
Perhaps I spoke too soon. I can't get this interjection to work from the article in my flash contact form.

As specified in the [RFC 822], one must add a line feed for every header. The <LF> (line feed) char has a hexadecimal value of 0x0A.

Thus by providing the following values to the example script of this article:

- Sender:

"sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@ooops.xxx"

- Subject:
Perhaps, it only works in HTML????

senocular
11-06-2005, 06:41 PM
Good to know! :D

Flash Gordon
11-12-2005, 07:58 AM
I have been trying all different kinds of variations, but I can NOT get the interjection to work on my site. I copied and pasted the supplied code (fixing an error), but when I input in the sender field:

"sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@ooops.xxx"
and several variations of that, I always get a response of "Doh! Your mail could not be sent."

Does anyone know what is going on?
Perhaps it has something to do with PHP in safe mode.
Perhaps it just doesn't work like the author states.

I'd like to figure this out, to help secure myself a little better and just for curiosity's sake. :)

Thanks for looking.
FG

Morg
06-06-2006, 11:33 AM
yo yo yo!

I know this is an old post, but my site keeps getting blocked for someone using it to send spam grrr!!!!

How the hell do I secure my PHP script from header injection?? That's obviously what's happening. Bloody annoying!

Anybody got any ideas? Maybe a link to the definitive header injection protection thread/link?

Thanks!

Flash Gordon
06-06-2006, 06:48 PM
Try putting this at the beginning of the script. It may or may not work. Please let me know your success/failure with it.

// Reject the whole request if any POSTed field contains a string typical of an injected mail header.
$badStrings = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:", "<a href");
foreach ($_POST as $key => $value1) {
    foreach ($badStrings as $value2) {
        // stristr() is case-insensitive, so "BCC:" and "bcc:" are both caught;
        // compare against false so a matched substring of "0" is not mistaken for "no match"
        if (stristr($value1, $value2) !== false) {
            exit;
        }
    }
}
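
A whitelist-style alternative to the blacklist above, as an added example that is not code from the thread or the linked article: it rejects any CR/LF in header-bound fields and validates the address instead of matching known header names. It assumes form fields named sender and subject, a placeholder recipient, and two hypothetical helper functions.

```php
<?php
// Added example, not code from the thread or the linked article. mail() appends its
// $additional_headers argument verbatim, so a CR or LF coming from a form field lets the
// submitter add Cc:/Bcc: lines. Refuse control characters and validate the address instead.

// Hypothetical helper: true only when $value can sit on a single header line.
function isSafeHeaderValue($value)
{
    // PHP has already URL-decoded the form post, so %0A/%0D arrive as raw bytes here.
    return is_string($value) && preg_match('/[\r\n\0]/', $value) !== 1;
}

// Hypothetical helper: returns the header block for mail(), or false if a field is unsafe.
// Field names 'sender' and 'subject' are assumed; adapt them to your own form.
function buildContactHeaders(array $post)
{
    if (!isset($post['sender'], $post['subject'])
        || !isSafeHeaderValue($post['sender'])
        || !isSafeHeaderValue($post['subject'])) {
        return false;
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one address: no spaces, colons or extra lines.
    $sender = filter_var(trim($post['sender']), FILTER_VALIDATE_EMAIL);
    if ($sender === false) {
        return false;
    }
    return "From: $sender\r\nReply-To: $sender\r\n";
}

// Constructed inputs: a normal submission and the injection string quoted earlier in the
// thread, as it looks once the browser and PHP have turned %0A into a line feed.
$samples = array(
    'normal'   => array('sender' => 'someone@example.com', 'subject' => 'Hello'),
    'injected' => array(
        'sender'  => "sender@anonymous.www\nCc:recipient@someothersite.xxx\nBcc:somebloke@grrrr.xxx",
        'subject' => 'Hello',
    ),
);

foreach ($samples as $label => $post) {
    $headers = buildContactHeaders($post);
    if ($headers === false) {
        echo "$label: Doh! Your mail could not be sent.\n"; // the injected sample ends here
        continue;
    }
    echo "$label: headers accepted\n";
    // Only validated values reach the header string; 'you@example.com' is a placeholder recipient.
    mail('you@example.com', $post['subject'], 'Contact form message body', $headers);
}
```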

Morg
06-07-2006, 08:43 AM
hmmm.. yes! That makes sense to do it like that! I like your thinking! :D

Will let you know, thanks.

Flash Gordon
06-07-2006, 05:02 PM
Thanks and be sure to let us know if it stops hackers. You may have to add some other values too.