
PHP mail header insertion countermeasures

Status
Not open for further replies.

mufka (ISP, US, member since Dec 18, 2000)
I've created a form that calls a separate script to add the form fields to a database and then email the fields to a hardcoded address. The separate script will only accept input from my specific form. The input fields are name, email address, subject and message. My understanding is that I only need to validate the email address field in order to prevent header injection. Is that true? I am adding the name and email into the header in the script. Should I validate the name field too?
 
You should validate any header value. Otherwise, hackers can easily add any headers and bodies they want.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
OK. I've validated the name field. Do I have to worry about the subject field? That doesn't get added to the header, does it? I'd rather not validate it because I don't want to restrict the characters if I don't have to.
 
Do I have to worry about the subject field? That doesn't get added to the header, does it?

Sure it does. If you want to know what is in headers, just fire up your mail reader, select a message and click "view message source" (or "view headers"). If you view the full source, everything above the first blank line is a header. A lot of them are added by client and server programs, but you get the idea. "Subject" is definitely one of them.

As I already said, anything above the first blank line is a header. So if a hacker wants to insert headers and another body in the message, all he has to do is to provide extra headers (separated by an end-of-line character), a blank line, and the new body. So beware.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
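One way to apply the advice above in the script that receives the form, as an added example that is not part of the thread and not mufka's own script: every value that ends up on a header line (the name, the address and the subject) is checked for line breaks before mail() is called, and the address is also checked for shape. The field names, the recipient placeholder and the reject-and-log behaviour are this example's assumptions.

```php
<?php
// Added example: reject mail header injection in form fields before they reach
// mail(). Any value placed on a header line must contain no CR, LF or NUL.
// Field names and the recipient address below are assumptions for this demo.

function header_value_is_safe(string $value): bool
{
    // CR/LF would start a new header line; NUL can truncate the value in the MTA.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function validate_mail_fields(array $fields): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $fields[$field] ?? '';
        if (!header_value_is_safe($value)) {
            $errors[$field] = 'contains a line break';
        }
    }
    if (!isset($errors['email']) && filter_var($fields['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    return $errors;
}

function build_headers(array $fields): string
{
    // mail() header lines are CRLF-separated; the body is passed separately.
    $name = '"' . str_replace('"', '', $fields['name']) . '"';
    return 'From: ' . $name . ' <' . $fields['email'] . '>' . "\r\n";
}

// Constructed sample input: the subject field tries to smuggle an extra header
// and a second body after a blank line, the pattern described in the thread.
$submitted = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'subject' => "Hello\r\nX-Extra: injected\r\n\r\nsecond body",
    'message' => 'Legitimate message text.',
];
$errors = validate_mail_fields($submitted);
if ($errors !== []) {
    // Refuse to send rather than silently stripping; log which field failed.
    error_log('mail form rejected: ' . json_encode($errors));
} else {
    mail('recipient@example.com', $submitted['subject'], $submitted['message'], build_headers($submitted));
}
```

With the constructed input above the subject check fails and nothing is sent; the log entry records the offending field so repeated attempts can be spotted.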
 
Thanks Don.

I have put in a function to combat that now.
 