Stop E-mail Injections

Programming for Search Engines 101. An area for avid PHP and .NET developers to chat about Programming techniques and how to make better use of search engines.



Postby unni » Fri Aug 21, 2009 1:40 am

I'd like to share some ideas on how to "Stop E-mail Injections" from our web contact forms.

The standard function we use is: mail($to,$subject,$body,$headers);

The problem with the code above is that unauthorized users or automated submissions can insert data into the mail headers via the input forms. In order to establish robust mail-handling routines, it is important to find unexpected and invalid inputs in each field on the form, especially the email address, URL and comment fields.

This can be done with PHP 5 and higher. Some programming tips for this are:

1. Check for a valid user agent
eg: $_SERVER['HTTP_USER_AGENT']

2. Check that the request method of the form is POST
eg: $_SERVER['REQUEST_METHOD'] == "POST"
(Note: Generally contact forms use the POST method, and those using the GET method can't use this check)

3. Check all important fields of the form with the function
isset($_REQUEST['fieldName'])

PHP 5 supports the functions below.

eg: $field=filter_var($field, FILTER_SANITIZE_EMAIL);
$field = filter_var($field, FILTER_VALIDATE_EMAIL);
filter_var($url, FILTER_VALIDATE_URL,FILTER_FLAG_QUERY_REQUIRED)

And if we are specific to a particular region, we can use IP validation with the function below.

filter_var($ip, FILTER_VALIDATE_IP)

And finally, if we generate a hidden random number in the respective contact form and compare the random value with a session/cookie on the follow-up email processing page for a match, we can avoid spam on web pages to a high degree.

For more details, please have a look at http://risetothetop.techwyse.com/websit ... -spammers/

Comments are welcome.


Thanks!
unni
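An added example, not the original poster's code, putting the checks from the post above into one contact-form handler: the POST and User-Agent checks, isset() on required fields, filter_var() for the email and URL, and the hidden random token compared against the session. It also adds the check a practitioner most wants against this class of bug: rejecting CR/LF in any value that reaches the mail headers, since that is how extra Bcc:/Cc: lines get injected. The field names (name, email, url, comment, form_token), the recipient address and the function names are assumptions for the example.

```php
<?php
// Added example (not from the original post). Field names, recipient and
// function names are assumptions.
declare(strict_types=1);

// Emit a hidden random token for the form and remember it in the session.
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// A CR, LF or NUL in a header value lets the sender append new header lines;
// this is the actual injection vector in mail($to, $subject, $body, $headers).
function hasHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate a submission. Returns a list of error strings; empty means OK.
function validateContactForm(array $server, array $post, array $session): array
{
    $errors = [];

    // 1. A browser normally sends a User-Agent header (crude bot filter).
    if (empty($server['HTTP_USER_AGENT'])) {
        $errors[] = 'missing user agent';
    }

    // 2. The form must be submitted with POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        $errors[] = 'request method is not POST';
    }

    // 3. All required fields must be present and be plain strings.
    foreach (['name', 'email', 'comment', 'form_token'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "missing field: $field";
        }
    }
    if ($errors !== []) {
        return $errors;
    }

    // Hidden random token must match the one stored in the session.
    if (!isset($session['form_token'])
        || !hash_equals($session['form_token'], $post['form_token'])) {
        $errors[] = 'form token mismatch';
    }

    // Email: sanitize, then validate. A newline in the address fails here.
    $email = filter_var($post['email'], FILTER_SANITIZE_EMAIL);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email address';
    }

    // Optional URL field.
    if (isset($post['url']) && $post['url'] !== ''
        && filter_var($post['url'], FILTER_VALIDATE_URL) === false) {
        $errors[] = 'invalid URL';
    }

    // Anything that ends up in a header must not contain a line break.
    if (hasHeaderBreak($post['name']) || hasHeaderBreak($post['email'])) {
        $errors[] = 'header field contains a line break';
    }

    return $errors;
}

function sendContactMail(array $post): bool
{
    $to      = 'contact@example.com';       // assumed recipient
    $subject = 'Contact form submission';   // fixed, never user-controlled
    $body    = "From: {$post['name']} <{$post['email']}>\n\n{$post['comment']}";

    // Only the validated reply address enters the headers.
    $headers = "From: webform@example.com\r\n"
             . "Reply-To: {$post['email']}\r\n";

    return mail($to, $subject, $body, $headers);
}

// Usage: on GET render the form with issueFormToken(); on POST validate first.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $errors = validateContactForm($_SERVER, $_POST, $_SESSION);
        if ($errors === []) {
            sendContactMail($_POST);
            unset($_SESSION['form_token']); // one-time token, no replay
            echo 'Thanks, your message was sent.';
        } else {
            http_response_code(400);
            echo 'Rejected: ' . htmlspecialchars(implode('; ', $errors));
        }
    }
}
```

The subject and the From: header are fixed strings in this example; if a form lets the visitor supply a subject, run it through hasHeaderBreak() as well before it reaches mail().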
 
