Elliot Swan

Welcome to my live redesign. Codename, Tumbl3. Grab the feed.

Tuesday (09/13/05)

I Got Framed — if you’re using the PHP mail() function, add some security to that thing 4:29 pm

I didn’t do it.

Really, I didn’t–I was framed. And you could be too if you’re using the PHP mail() function to handle your contact form without taking any extra security measures.

Last night I found out (the hard way), that my simple contact form was quite an ingenious spam tool. Somebody got on Elliot Swan Designs, opened up my contact form, was able to add in some custom headers, then send out bulk email–as me. Quite ingenious, and quite annoying.

It was pretty late, so I had to just shut down my contact forms for the night, but when I got up I found a user comment on the documentation for mail() that recommended using something like the following code to protect against mail injections:

// Reject the submission if any user-supplied field carries a MIME-Version header (eregi() matches case-insensitively)
if(eregi("MIME-Version:",$_POST['field1'].$_POST['field2'].$_POST['etc'])) {die('Get out, spammer.');}

For good measure I added a second line to it:

// Same check for an injected Content-Type header
if(eregi("Content-Type:",$_POST['field1'].$_POST['field2'].$_POST['etc'])) {die('Get out, spammer.');}

Hopefully that’ll keep them spammers outa there.

  • Jeff Smith September 14th, 2005 @ 2:48 pm (#)

    I had the exact same thing happen to me on my portfolio website. It was quite unnerving. I ended up finding out the same solution as you, just haven’t had the time to implement it yet. So for the time being I’ve had to close down my contact form as well.

  • Elliot Swan September 14th, 2005 @ 3:47 pm (#)

    Yeah, this happened on my portfolio as well, but I fixed the ones on all my sites for good measure.

    This morning I also had the surprise of checking my email and finding 13 completely blank emails that were sent through the same contact form. Checked out the headers, and nothing was added.

    So I guess checking for blank emails would be a good idea as well…I had never really thought somebody would actually want to submit a blank email.

  • EngLee October 12th, 2005 @ 3:29 am (#)

    Thanks for the tips! I’ll check my sites. :)

  • Matthijs February 17th, 2006 @ 1:45 am (#)

    Hi Elliot, this post is kind of old but I thought you or someone else reading this might be interested in the following tip. A very easy to use php function to filter POST variables for newlines or carriage returns (which are the problem with email injection) is the function ctype_print(). You can use it like this:
    // ctype_print() returns false if the value contains any non-printable character, \r and \n included
    if (!ctype_print($clean['name']) || !ctype_print($clean['email'])) {
        $errors = 'Some of the input contains bad characters';
    }

    You can use the above to make sure variables that end up in the headers in the mail() function cannot contain any newlines or carriage returns. And therefore a spambot cannot add any bcc, cc etc. Best thing is to use this as a defense in depth measure, besides the validation one already does.
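As an added example (not code from the original post or from Matthijs's comment), here is a complete contact-form handler that combines the post's header-keyword check with the ctype_print() check from the comment above and also rejects the blank submissions Elliot mentions. The keyword test is written with preg_match() because eregi() was removed in PHP 7. The field names name/email/message, the function names, and the recorder closure that stands in for mail() are assumptions. One caveat: ctype_print() accepts only printable ASCII, so a name with accented characters is rejected as well; if that matters for your site, replace it with a test that rejects only \r and \n.

```php
<?php
// Added example, not code from the original post or its comments. It combines the
// post's header-keyword check with the ctype_print() check from the comments and
// rejects blank submissions. Field names, function names and the $mailer
// callable (which stands in for mail() when testing) are assumptions.
declare(strict_types=1);

// The two header names the post screens for, matched case-insensitively as eregi() did.
// preg_match() is used because eregi() was removed in PHP 7.
const HEADER_KEYWORDS = '/(?:mime-version|content-type)\s*:/i';

// A value destined for a mail header must be non-empty and contain no control
// characters. ctype_print() returns false for \r and \n, so no second header line
// can be started; the keyword check is kept as defence in depth.
function is_safe_header_value(string $value): bool
{
    return $value !== ''
        && ctype_print($value)
        && !preg_match(HEADER_KEYWORDS, $value);
}

// The body may legitimately contain newlines, so only the blank check and the
// keyword check apply there.
function is_safe_body(string $body): bool
{
    return trim($body) !== '' && !preg_match(HEADER_KEYWORDS, $body);
}

// Validate a submission and, if it is clean, hand it to $mailer (mail() by default).
// Returns a list of error strings; an empty list means the message was sent.
function send_contact_form(array $post, string $recipient, ?callable $mailer = null): array
{
    $mailer ??= 'mail';
    $errors = [];
    foreach (['name', 'email'] as $field) {
        if (!is_safe_header_value($post[$field] ?? '')) {
            $errors[] = "Field '$field' is empty or contains characters not allowed in a mail header.";
        }
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Invalid email address.';
    }
    if (!is_safe_body($post['message'] ?? '')) {
        $errors[] = 'Message is blank or contains a mail header.';
    }
    if ($errors !== []) {
        return $errors;
    }
    // Only validated values reach the header string; mail() itself does no filtering.
    $headers = 'From: ' . $post['name'] . ' <' . $post['email'] . ">\r\n"
             . 'Reply-To: ' . $post['email'] . "\r\n";
    if (!$mailer($recipient, 'Contact form', $post['message'], $headers)) {
        $errors[] = 'mail() failed.';
    }
    return $errors;
}

// Constructed submissions: one genuine, one with a second header folded into the
// name field (the pattern the post describes), and one of the blank ones.
$samples = [
    'legitimate' => ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'message' => "Hello,\nnice site."],
    'injected'   => ['name' => "Jane Doe\r\nBcc: someone@example.net", 'email' => 'jane@example.com', 'message' => 'hi'],
    'blank'      => ['name' => '', 'email' => '', 'message' => ''],
];

// Recorder standing in for mail() so the example runs without a mail server.
$sent = [];
$recorder = function (string $to, string $subject, string $body, string $headers) use (&$sent): bool {
    $sent[] = $headers;
    return true;
};

foreach ($samples as $label => $post) {
    $errors = send_contact_form($post, 'me@example.com', $recorder);
    echo $label, ': ', $errors === [] ? 'sent' : implode(' ', $errors), PHP_EOL;
}
```

Run it with `php contact.php`: the genuine submission is handed to the recorder, the one with the folded-in header is refused by the name check before any header string is built, and the blank one is refused on every field. Drop the `$recorder` argument in production so `send_contact_form()` falls back to mail().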

  • Elliot Swan February 17th, 2006 @ 9:25 am (#)

    That’s a pretty sweet trick…thanks for sharing.

  • paul April 26th, 2006 @ 6:40 am (#)

    Hi Elliot

    Thanks for putting this on your page. I'm a bit new with php but I have put a php email-form on my website for security and not a basic form. But now I'm learning that it was not so simple.
    I have not received spam, but maybe the hosting company did! But now I see that there is a lot more possible with php. I'm learning!
    I've found some security code on chr webM about this but I don't know yet how to put it in my e-mail form, so maybe you can help me with this?

  • IEmailer.com June 11th, 2007 @ 10:04 pm (#)

    Thank you man, because a lot of us, including me, are using the mail() function as it is without adding security for double checking, and it might be misused, as mine was unsecured on my web site IEmailer.com. I am offering a contact form and a tell-a-friend form, so I will add this security check today and re-upload the secured files again, and it all goes to you. So THANK YOU

  • SEO Expert Dubai October 22nd, 2007 @ 9:49 pm (#)

    Wow, this is a really critical issue… Thank you for sharing. I'm just glad I haven't applied the contact form code on my website, as I'm trying to become an SEO Expert so I should take care about those issues!!!
    Thanks again, it's really helpful information you've got in here.
