PHP Secure E-mails

In the PHP e-mail script in the previous section, there is a vulnerability.

PHP E-mail Injection

First, please look at the PHP code in the previous chapter:

<html>
<head>
<meta charset="utf-8">
<title> php中文網(wǎng)(php.cn)</title>
</head>
<body>
<?php
if (isset($_REQUEST['email'])) { // 如果接收到郵箱參數(shù)則發(fā)送郵件
         // 發(fā)送郵件
         $email = $_REQUEST['email'] ;
         $subject = $_REQUEST['subject'] ;
         $message = $_REQUEST['message'] ;
         mail("someone@example.com", $subject,
         $message, "From:" . $email);
         echo "郵件發(fā)送成功";
} else { // 如果沒有郵箱參數(shù)則顯示表單
         echo "<form method='post' action='mailform.php'>
         Email: <input name='email' type='text'><br>
         Subject: <input name='subject' type='text'><br>
         Message:<br>
         <textarea name='message' rows='15' cols='40'>
         </textarea><br>
         <input type='submit'>
         </form>";
}
?>
</body>
</html>

The above code The problem is that unauthorized users can insert data in the email header through the input form.

What will happen if the user adds the following text to the email in the input box in the form?

someone@example.com%0ACc:person2@example.com

%0ABcc:person3@example.com,person3@example.com,

anotherperson4@example. com,person5@example.com

%0ABTo:person6@example.com

As usual, the mail() function puts the above text into the email header, so now the header has Added additional Cc:, Bcc: and To: fields. When the user clicks the submit button, this e-mail will be sent to all the addresses above!

PHP Prevent E-mail Injection

The best way to prevent e-mail injection is to validate the input.

The following code is similar to the one in the previous chapter, but here we have added an input validator to detect the email field in the form:

<html>
<head>
<meta charset="utf-8">
<title> php中文網(wǎng)(php.cn)</title>
</head>
<body>
<?php
function spamcheck($field)
{
         // filter_var() 過濾 e-mail
         // 使用 FILTER_SANITIZE_EMAIL
         $field=filter_var($field, FILTER_SANITIZE_EMAIL);
 
         //filter_var() 過濾 e-mail
         // 使用 FILTER_VALIDATE_EMAIL
         if(filter_var($field, FILTER_VALIDATE_EMAIL))
         {
                 return TRUE;
         }
         else
         {
                 return FALSE;
         }
}
 
if (isset($_REQUEST['email']))
{
         // 如果接收到郵箱參數(shù)則發(fā)送郵件
 
         // 判斷郵箱是否合法
         $mailcheck = spamcheck($_REQUEST['email']);
         if ($mailcheck==FALSE)
         {
                 echo "非法輸入";
         }
         else
         {       
                 // 發(fā)送郵件
                 $email = $_REQUEST['email'] ;
                  $subject = $_REQUEST['subject'] ;
                 $message = $_REQUEST['message'] ;
                 mail("someone@example.com", "Subject: $subject",
                 $message, "From: $email" );
                 echo "Thank you for using our mail form";
         }
}
else
{
         // 如果沒有郵箱參數(shù)則顯示表單
         echo "<form method='post' action='mailform.php'>
         Email: <input name='email' type='text'><br>
         Subject: <input name='subject' type='text'><br>
         Message:<br>
         <textarea name='message' rows='15' cols='40'>
         </textarea><br>
         <input type='submit'>
         </form>";
}
?>
</body>
</html>

In the above code, we use PHP Filter to verify the input:

· Filter_sanitize_email filter delete the illegal character of the email from the string

· Filter_validate_email filter to verify the value of the email address

# You can read more about filters in our PHP Filter.