pazza04 Posted October 24, 2011

Hello, I have been a victim of header injection from my contact form, so I would like to know if this code is OK and safe. I am not a programmer, which is why I am asking for help. This is the code (I am validating with JavaScript (jQuery) as well):

<?php
if (isset($_POST['boton'])) {
    if ($_POST['nombre'] == '') {
        $errors[1] = '<span class="error">Ingrese su nombre</span>';
    } else if ($_POST['email'] == '' or !preg_match("/^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$/", $_POST['email'])) {
        $errors[2] = '<span class="error">Ingrese un email correcto</span>';
    } else if ($_POST['asunto'] == '') {
        $errors[3] = '<span class="error">Ingrese un asunto</span>';
    } else if ($_POST['mensaje'] == '') {
        $errors[4] = '<span class="error">Ingrese un mensaje</span>';
    } else {
        $dest = "my@domain.com"; // Destination address
        $nombre = $_POST['nombre'];
        $email = $_POST['email'];
        $asunto = $_POST['asunto']; // Subject
        $cuerpo = $_POST['mensaje']; // Message body
        // Mail headers
        $headers = "From: $nombre $email\r\n"; // Who is sending?
        $headers .= "X-Mailer: PHP5\n";
        $headers .= 'MIME-Version: 1.0' . "\n";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
        //
        if (mail($dest, $asunto, $cuerpo, $headers)) {
            $result = '<div class="result_ok">Gracias !! Email enviado correctamente</div>';
            // if sending succeeded, reset what the user typed:
            $_POST['nombre'] = '';
            $_POST['email'] = '';
            $_POST['asunto'] = '';
            $_POST['mensaje'] = '';
        } else {
            $result = '<div class="result_fail">Hubo un error al enviar el mensaje</div>';
        }
    }
}
?>
<form class='contacto' method='POST' action=''>
    <div><label>Tu Nombre:</label><input type='text' class='nombre' name='nombre' value='<?php echo $_POST['nombre']; ?>'><?php echo $errors[1] ?></div>
    <div><label>Tu Email:</label><input type='text' class='email' name='email' value='<?php echo $_POST['email']; ?>'><?php echo $errors[2] ?></div>
    <div><label>Asunto:</label><input type='text' class='asunto' name='asunto' value='<?php echo $_POST['asunto']; ?>'><?php echo $errors[3] ?></div>
    <div><label>Mensaje:</label><textarea rows='6' class='mensaje' name='mensaje'><?php echo $_POST['mensaje']; ?></textarea><?php echo $errors[4] ?></div>
    <div><input type='submit' value='Envia Mensaje' class='boton' name='boton'></div>
    <?php echo $result; ?>
</form>

I really hope somebody can give me a hand on this... thanks a lot!
justsomeguy Posted October 24, 2011

It's not secure because you're using the name in a header and you're not validating it. If you're going to put the name in the From header then you need to validate it to make sure it does not contain email addresses.
pazza04 Posted October 24, 2011 (Author)

Thanks for your fast reply... Can you give me a hand on this? I mean, how should I validate it? Unfortunately I'm not a programmer (I would love to be...). I really appreciate your help; I've been searching and searching on the web for many days and I can't find the solution... thanks :-)
birbal Posted October 24, 2011

You can check the name with something like this:

// pattern first, subject second; reject the name unless it is only [\d\w] characters
if (!preg_match('/^[\d\w]+$/', $name)) echo 'name is invalid';

It will check that the name field contains only alphanumeric characters (without spaces); otherwise you can do some error handling. http://php.net/function.preg_match
justsomeguy Posted October 24, 2011

It would probably be enough if all you did was check for "@" in the name.
pazza04 Posted October 25, 2011 (Author)

Will this be secure? I do my best to understand PHP but I am a very, very beginner. I had email injections twice. I used to work with PHPMailer but suddenly it is not working any more, so I am trying to replace it with a secure, simple form. Please, can somebody have a look at this below, and also tell me where I should put it in the script above... Thanks, people; I know that this issue is a piece of cake for you, but for me it's a huge issue...

// preg_match() takes the pattern first and the subject second
if (!preg_match('/^[a-z0-9()\/\'":\*+|,.; \- !?$@]{2,75}$/i', $name)) echo 'name is invalid';
if (!preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $email)) echo 'email is invalid';

thanks ;-)
boen_robot Posted October 25, 2011

Aaaaahhhhhhh!!!! Raw email headers!!! Custom email regex for verification!!! Get it off! Get it off!!!

> I am not a programmer

Programmer or not, you'll find something like Zend_Mail much easier to read AND it takes care of the security issues for you. Get it.
pazza04 Posted October 26, 2011 (Author)

I have added this function to the code (the new lines are in red color). Is it safe now for header injection? Thanks!

<?php
if (isset($_POST['boton'])) {
    if ($_POST['nombre'] == '') {
        $errors[1] = '<span class="error">Ingrese su nombre</span>';
    } else if ($_POST['email'] == '' or !preg_match("/^[a-zA-Z0-9_\.\-]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$/", $_POST['email'])) {
        $errors[2] = '<span class="error">Ingrese un email correcto</span>';
    } else if ($_POST['asunto'] == '') {
        $errors[3] = '<span class="error">Ingrese un asunto</span>';
    } else if ($_POST['mensaje'] == '') {
        $errors[4] = '<span class="error">Ingrese un mensaje</span>';
    } else {
        $dest = "my@domain.com"; // Destination address
        $nombre = $_POST['nombre'];
        $email = $_POST['email'];
        $asunto = $_POST['asunto']; // Subject
        $cuerpo = $_POST['mensaje']; // Message body
        // Mail headers
        // Mail header removal
        function remove_headers($string) {
            $headers = array(
                "/to\:/i",
                "/from\:/i",
                "/bcc\:/i",
                "/cc\:/i",
                "/Content\-Transfer\-Encoding\:/i",
                "/Content\-Type\:/i",
                "/Mime\-Version\:/i"
            );
            return preg_replace($headers, '', $string);
        }
        $headers = "From: $nombre $email\r\n"; // Who is sending?
        $headers .= "X-Mailer: PHP5\n";
        $headers .= 'MIME-Version: 1.0' . "\n";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
        //
        if (mail($dest, $asunto, $cuerpo, $headers)) {
            $result = '<div class="result_ok">Gracias !! Email enviado correctamente</div>';
            // if sending succeeded, reset what the user typed:
            $_POST['nombre'] = '';
            $_POST['email'] = '';
            $_POST['asunto'] = '';
            $_POST['mensaje'] = '';
        } else {
            $result = '<div class="result_fail">Hubo un error al enviar el mensaje</div>';
        }
    }
}
?>
<form class='contacto' method='POST' action=''>
    <div><label>Tu Nombre:</label><input type='text' class='nombre' name='nombre' value='<?php echo $_POST['nombre']; ?>'><?php echo $errors[1] ?></div>
    <div><label>Tu Email:</label><input type='text' class='email' name='email' value='<?php echo $_POST['email']; ?>'><?php echo $errors[2] ?></div>
    <div><label>Asunto:</label><input type='text' class='asunto' name='asunto' value='<?php echo $_POST['asunto']; ?>'><?php echo $errors[3] ?></div>
    <div><label>Mensaje:</label><textarea rows='6' class='mensaje' name='mensaje'><?php echo $_POST['mensaje']; ?></textarea><?php echo $errors[4] ?></div>
    <div><input type='submit' value='Envia Mensaje' class='boton' name='boton'></div>
    <?php echo $result; ?>
</form>
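The point justsomeguy makes about the unvalidated name in the From header, and the question of whether remove_headers() in the last post is enough (note that in that post the function is defined but never called, and stripping known header names still leaves the newline that lets a new header start), can be handled in one place. The following is an added example, not pazza04's code or anything posted in the thread: it rejects any name, address or subject containing CR or LF instead of trying to clean it, uses PHP's own FILTER_VALIDATE_EMAIL instead of a hand-written regex, and keeps the visitor's name out of From entirely by putting it in Reply-To. It assumes PHP 7 or later; the field names follow the form above and contacto@example.com is a placeholder for the site's own address. The sample call with an embedded CRLF is rejected by the check.

```php
<?php
// Added example, not code from the thread. Field names match the form above;
// the site address is a placeholder. Requires PHP 7 or later.

// A header value must not contain CR, LF or NUL: a newline inside the name,
// address or subject is exactly what header injection needs. Reject, don't strip.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// PHP's own address validator instead of a hand-written regex.
function valid_email(string $email): bool
{
    return header_value_is_safe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns ['ok' => true, 'headers' => ...] or ['ok' => false, 'error' => ...].
// From is fixed to the site's own address so the visitor never controls it;
// the visitor's name and address go into Reply-To as a quoted display name.
function build_headers(string $nombre, string $email, string $asunto, string $site_from): array
{
    if ($nombre === '' || strlen($nombre) > 75 || !header_value_is_safe($nombre)) {
        return ['ok' => false, 'error' => 'Ingrese su nombre'];
    }
    if (!valid_email($email)) {
        return ['ok' => false, 'error' => 'Ingrese un email correcto'];
    }
    if ($asunto === '' || strlen($asunto) > 200 || !header_value_is_safe($asunto)) {
        return ['ok' => false, 'error' => 'Ingrese un asunto'];
    }
    // RFC 5322 quoted-string: escape backslash and double quote in the display name.
    // Non-ASCII names would also need RFC 2047 encoding (mb_encode_mimeheader).
    $display = '"' . addcslashes($nombre, '"\\') . '"';
    $headers = "From: $site_from\r\n"
             . "Reply-To: $display <$email>\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=utf-8\r\n"; // visitor text goes as plain text
    return ['ok' => true, 'headers' => $headers];
}

// Constructed inputs for an offline check; nothing is sent, mail() is not called.
$ok  = build_headers('Ana Perez', 'ana@example.com', 'Consulta', 'contacto@example.com');
$bad = build_headers("Ana Perez\r\nX-Injected: 1", 'ana@example.com', 'Consulta', 'contacto@example.com');
var_dump($ok['ok'], $bad['ok']);
```

In the form handler, call build_headers() with the three POST fields, show $r['error'] in place of the $errors[] span when $r['ok'] is false, and otherwise pass $asunto and $r['headers'] to mail() as the original code does. The message body ($cuerpo) is not a header, so it needs no CRLF check.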