Proper prevention of mail injection in PHP

小鲜肉 2020-11-28 15:17

Could you advise me how to go about preventing email injection in PHP mail() without losing original message data? E.g. if I need to allow the user to use \

4 answers
  •  离开以前
    2020-11-28 15:45

    Suppose you want to put the email address of the visitor in the optional header field like so:

    $headers = "From: $visitorEmailAddress";

    However, if $visitorEmailAddress contains "address@email.com\n\nBCC:spam@v1agra.com", you've made yourself a spam host, opening the door for mail injection. This is a very simple example, but creative spammers and malicious hackers can sneak potentially damaging scripts into your email, since email is sent as a plaintext file. Even attachments are converted to plaintext, and they can easily send attachments by adding a mimetype content line.

    If your form validation for the FROM and/or TO fields is OK, you have to look at the form validation for the body of the email. I'd strip out the '-=' and '=-' characters, and prevent users from typing plain HTML by using strip_tags().
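An added example (not code from the answer above) of the validation it describes, in PHP: a visitor-supplied address is refused if it contains a line break and must pass filter_var() before it is placed in a mail() header, so a "\n\nBCC:" suffix never becomes a second header line. The addresses, recipient and body are constructed placeholders.

```php
<?php
// Added example, not from the original post: validate a user-supplied address
// before it is used in a mail() header, so CR/LF cannot start a new header
// line such as BCC:.

function safeHeaderAddress(string $input): ?string
{
    // Any carriage return or line feed means the value is trying to end the
    // header and begin another one; refuse the whole value, do not "clean" it.
    if (preg_match('/[\r\n]/', $input)) {
        return null;
    }
    // filter_var applies RFC-style syntax checks to a single address.
    $address = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $address === false ? null : $address;
}

function buildHeaders(string $visitorEmailAddress): ?array
{
    $from = safeHeaderAddress($visitorEmailAddress);
    if ($from === null) {
        return null; // caller should reject the submission and show an error
    }
    // Returning an array lets mail() (PHP >= 7.2) write each "Name: value"
    // line itself instead of us concatenating raw header text.
    return [
        'From'         => $from,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
}

// Constructed inputs: a normal address and the injection string from the post.
$good = 'address@email.com';
$bad  = "address@email.com\n\nBCC:spam@v1agra.com";

if (buildHeaders($bad) === null) {
    echo "injected address rejected\n";
}

$headers = buildHeaders($good);
if ($headers !== null) {
    // Body: strip_tags() as the answer suggests, then send with safe headers.
    $body = strip_tags("Hello <b>from</b> the contact form"); // constructed body
    // mail('owner@example.com', 'Contact form', $body, $headers); // placeholder recipient
    echo "headers accepted: " . implode(', ', array_keys($headers)) . "\n";
}
```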
