I've created a form that calls a separate script to add the form fields to a database and then email the fields to a hardcoded address. The separate script will only accept input from my specific form. The input fields are name, email address, subject and message. My understanding is that I only need to validate the email address field in order to prevent header injection. Is that true? I am adding the name and email into the header in the script. Should I validate the name field too?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
PHP mail header insertion countermeasures
- Thread starter mufka
- Start date
DonQuichote
Programmer
- Nov 9, 2001
- 980
You should validate any header value. Otherwise, hackers can easily add any headers and bodies they want.
+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
- Thread starter
- #3
DonQuichote
Programmer
- Nov 9, 2001
- 980
Sure it does. If you want to know what is in headers, just fire up your mail reader, select a message and click "view message source" (or "view headers") if you view the full source, everything above the first blank line are headers. A lot of them are added by client and server programs, but you get the idea. "Subject" is definitely one of them.
As I already said, anything above the first blank line is a header. So If a hacker wants to insert headers and another body in the message, all he has to do is to provide extra headers (separated by an end-of-line character), a blank line, and the new body. So beware.
+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
- Status