Proper prevention of mail injection in PHP

by

To filter valid emails for use in the recipient email field, take a look at filter_var():

$email = filter_var($_POST['recipient_email'], FILTER_VALIDATE_EMAIL);

if ($email === FALSE) {
    echo 'Invalid email';
    exit(1);
}

This will make sure your users only supply singular, valid emails, which you can then pass to the mail() function. As far as I know, there’s no way to inject headers through the message body using the PHP mail() function, so that data shouldn’t need any special processing.

Update:

According to the documentation for mail(), when it’s talking directly to an SMTP server, you will need to prevent full stops in the message body:

$body = str_replace("\n.", "\n..", $body);

Update #2:

Apparently, it’s also possible to inject via the subject, as well, but since there is no FILTER_VALIDATE_EMAIL_SUBJECT, you’ll need to do the filtering yourself:

$subject = str_ireplace(array("\r", "\n", '%0A', '%0D'), '', $_POST['subject']);

More Related Contents:

  1. Php mail: how to send html?
  2. Debugging PHP Mail() and/or PHPMailer
  3. PHP mail() works from command line but not apache
  4. php form send email
  5. Send email using the GMail SMTP server from a PHP page
  6. How to to send mail using gmail in Laravel?
  7. How do I prevent mails sent through PHP mail() from going to spam? [duplicate]
  8. PHPMailer – SMTP ERROR: Password command failed when send mail from my server
  9. Error with PHP mail(): Multiple or malformed newlines found in additional_header
  10. How to check if an email address is real or valid using PHP
  11. PHPMailer – SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  12. SMTP Connect() failed. Message was not sent.Mailer error: SMTP Connect() failed
  13. PhpMailer vs. SwiftMailer? [closed]
  14. How to setup mail in XAMPP locally?
  15. smtp configuration for php mail
  16. PHP Email sending BCC
  17. require(vendor/autoload.php): failed to open stream
  18. Send email with PHPMailer – embed image in body
  19. How to send emails via cron job usng PHP mysql
  20. PHP Attaching an image to an email
  21. How to send email with attachment using PHP?
  22. What is the format for e-mail headers that display a name rather than the e-mail?
  23. In PHP, how do I extract multiple e-mail addresses from a block of text and put them into an array?
  24. Bounce Email handling with PHP?
  25. How can I catch an error caused by mail()?
  26. Everytime my mail goes to spam in phpmailer
  27. Check if email exist php
  28. Delivery reports and read receipts in PHP mail
  29. Expected response code 250 but got code “”, with message “”
  30. Sending emails with WAMP

Leave a Comment