How can I check my PHP mail(...) to prevent any malicious scripts? - CodingForum



  • How can I check my PHP mail(...) to prevent any malicious scripts?

    I have just created a form with an input and also a textarea, and would like to know how to ensure the form input is secure.

    I have added the following script to the textarea, and the email is sent to Gmail without any adverse effects:

    <script> alert("Just testing to see if this textarea script has any adverse effects") ; </script>
    123, Front Street

  • #2
    All such "checks" should be done server side. (duh). Why you have a JavaScript doing an alert is beyond me.

    The checks are:

    1) strip \r\n and semicolons from anything sent client-side that you would add to your header strings.

    preg_replace("/[\r\n;]/", '', $string);  // preg_replace is global by default; PCRE has no /g modifier
    I prefer to reject mails where the above regex finds a match outright, spitting the form back at the user.

    2) validate the e-mail address for MORE than just what filter_var provides. It can also help to check that the domain exists, though that incurs a small bit of overhead.

    function isValidEmail($address) {
      if (filter_var($address, FILTER_VALIDATE_EMAIL) === FALSE) {
        return false;
      }
      /* explode out local and domain (limit 2: filter_var guarantees exactly one '@') */
      [ $local, $domain ] = explode('@', $address, 2);
      $localLength = strlen($local);
      $domainLength = strlen($domain);
      return (
        /* check for proper lengths */
        ($localLength > 0 && $localLength < 65) &&
        ($domainLength > 3 && $domainLength < 256) &&
        /* the domain must resolve: either an A or an MX record will do */
        (checkdnsrr($domain, 'A') || checkdnsrr($domain, 'MX'))
      );
    } // isValidEmail
    Note that if it passes "isValidEmail" you don't need to strip [\r\n;] since those are already invalid e-mail characters.

    3) ONLY send as text/plain. Do not trust HTML driven e-mails generated by your server-side code!
    $header .= "Content-Type:text/plain\r\n";
    That's really all there is to it. E-mails treat every line before the first double line-break -- "\r\n\r\n" -- as a header line of "name:value;value;value". Thus stripping the semicolons between your values prevents multi-value sending (such as multiple recipients), and stripping \r\n prevents the creation of new header values. E-mail addresses aren't just about valid characters but also valid lengths and domains, and if you only send text/plain any potential markup isn't rendered as markup, preventing things like script injection.

    Regardless of what you do client-side, you should STILL perform these checks on the server. This is why, beyond the checks that HTML now natively provides, I do not even bother using JavaScript client-side anymore. It was NEVER a good idea in the first place, and one SHOULD, when possible, provide scripting-off fallbacks.
    Walk the dark path, sleep with angels, call the past for help.
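Putting the three checks from the reply above together, as an added example that is not code from the original post: a hypothetical PHP contact-form mailer. The function and class names (sendContactMail, assertHeaderSafe, ContactFormException) and the fixed addresses are made up for illustration, the recipient is never taken from the form, and the DNS lookup is off by default so the script runs offline. It finishes with two constructed header-injection attempts, one via the address and one via the subject, to show each being refused before anything reaches mail().

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Function and class
// names and the example.com / example.org addresses are hypothetical.
// Run with: php contact_mail.php

final class ContactFormException extends RuntimeException {}

/* Step 1: reject (do not silently strip) anything that could end a header
 * line or append another value. Applied to every user-supplied string
 * that ends up in a header. */
function assertHeaderSafe(string $value, string $field): void
{
    if (preg_match('/[\r\n;]/', $value) === 1) {
        throw new ContactFormException("$field contains a line break or semicolon");
    }
}

/* Step 2: syntax, length and (optionally) DNS checks on an address.
 * The DNS lookup is off by default so the example runs offline. */
function isValidEmail(string $address, bool $checkDns = false): bool
{
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    [$local, $domain] = explode('@', $address, 2);
    if (strlen($local) < 1 || strlen($local) > 64) {
        return false;
    }
    if (strlen($domain) < 4 || strlen($domain) > 255) {
        return false;
    }
    if ($checkDns && !(checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A'))) {
        return false;
    }
    return true;
}

/* Steps 1 to 3 together. The recipient is fixed server-side; the user only
 * supplies a reply address, a subject and the textarea body. With
 * $send = false the assembled message is returned instead of mailed. */
function sendContactMail(string $replyTo, string $subject, string $body, bool $send = true): array
{
    $to = 'webmaster@example.com';           // hypothetical; never taken from the form
    if (!isValidEmail($replyTo)) {
        throw new ContactFormException('Reply-To is not a valid e-mail address');
    }
    assertHeaderSafe($replyTo, 'Reply-To');
    assertHeaderSafe($subject, 'Subject');

    $headers  = "From: webform@example.com\r\n";   // fixed sender, not user input
    $headers .= "Reply-To: $replyTo\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    // Step 3: text/plain, so a <script> tag in the body is shown as literal text
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

    // Line breaks in the body are harmless: they come after the blank line that
    // ends the headers. Normalise to bare \n, which is what mail() expects.
    $body = str_replace(["\r\n", "\r"], "\n", $body);

    if ($send && !mail($to, $subject, $body, $headers)) {
        throw new ContactFormException('mail() reported failure');
    }
    return ['to' => $to, 'subject' => $subject, 'headers' => $headers, 'body' => $body];
}

// Constructed inputs: the poster's <script> test, then two injection attempts
// that try to smuggle a Bcc header in through the address and the subject.
$benignBody = "<script> alert(\"Just testing\") ; </script>\n123, Front Street";
$msg = sendContactMail('alice@example.org', 'Contact form', $benignBody, false);
echo "Headers that would be sent:\n{$msg['headers']}\n";   // body stays inert text

try {
    sendContactMail("alice@example.org\r\nBcc: everyone@example.net", 'Hi', 'x', false);
} catch (ContactFormException $e) {
    echo "Rejected: {$e->getMessage()}\n";   // filter_var already refuses the CRLF
}

try {
    sendContactMail('alice@example.org', "Hi\r\nBcc: everyone@example.net", 'x', false);
} catch (ContactFormException $e) {
    echo "Rejected: {$e->getMessage()}\n";   // caught by assertHeaderSafe on Subject
}
```

The semicolon rule follows the reply's advice; for a free-text Subject it is stricter than strictly necessary, so a site that needs semicolons there can limit that field to the \r\n check while keeping the full check on anything address-shaped. Pass `true` as the fourth argument to isValidEmail() to turn on the MX/A lookup on a connected host.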