Protecting 'contact us' emailing forms

  • Cheb

    Protecting 'contact us' emailing forms

    I am writing a simple 'contact us' email form and I am aware I should
    protect it from code injection and malicious email hijacks. I have
    used mysql_escape_string() to remove any newlines in the headers but
    do I need to protect the message body too? Should I include MIME
    content headers too? And should I be worried about HTML inclusion in
    the body?

    Thanks
    Chris R.
  • gosha bine

    #2
    Re: Protecting 'contact us' emailing forms

    On 23.05.2007 15:58 Cheb wrote:
    > I am writing a simple 'contact us' email form and I am aware I should
    > protect it from code injection and malicious email hijacks.

    Google for "email injection", there is tons of info.

    Basically, don't use user input in email headers, or if you must, strip
    all \r's and \n's.

    > I have
    > used mysql_escape_string() to remove any newlines in the headers but

    mysql_escape_string has nothing to do with emails. Use string functions:
    str_replace, preg_replace or similar.

    > Should I include MIME
    > content headers too? And should I be worried about HTML inclusion in
    > the body?

    No, unless you're sending real multipart (e.g. text + html) mails.
    If this is the case I'd suggest a professional mime package like
    phpmailer, swift etc.



    --
    gosha bine

    extended php parser ~ http://code.google.com/p/pihipi
    blok ~ http://www.tagarga.com/blok
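As an added example (not code from the thread, from gosha bine or from any library mentioned), the PHP below builds the header block for a contact form twice: once the way the question describes, with user input copied into the headers, and once hardened along the lines of the replies. It assumes a site-owned sender address (SITE_FROM) and the mbstring extension; the function names and the attacker input are constructed for the demonstration, and mail() is only shown in a comment, never called.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Builds the additional_headers for
// a contact form the vulnerable way and the hardened way, so the header
// injection the replies warn about can be seen on constructed input.
// Assumed (not from the thread): SITE_FROM is an address this site owns,
// and the mbstring extension is loaded.

const SITE_FROM = 'contact-form@example.com'; // assumed, site-owned sender

// VULNERABLE: the user-supplied address goes straight into the header block.
function build_headers_vulnerable(string $email): string
{
    return "From: {$email}\r\n"
         . "Reply-To: {$email}\r\n";
}

// HARDENED: refuse (rather than silently strip) any CR/LF/NUL in header
// material, validate the address, and keep From: fixed to our own address.
// Returns null when the submission must be rejected.
function build_headers_hardened(string $name, string $email, string $subject): ?array
{
    // A CR, LF or NUL anywhere in header material is an injection attempt.
    if (preg_match('/[\r\n\0]/', $name . $email . $subject) === 1) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL also refuses spaces and control characters.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Quote the display name so '<', '>' or ':' in it cannot form another
    // address or header; escape the two characters special inside quotes.
    $safeName = addcslashes(mb_substr($name, 0, 60), "\"\\");

    return [
        'headers' => [
            'From'         => SITE_FROM,                // never user controlled
            'Reply-To'     => "\"{$safeName}\" <{$email}>",
            'MIME-Version' => '1.0',
            // The body goes out as plain text, so HTML pasted into it is
            // displayed as text by the recipient's client, not rendered.
            'Content-Type' => 'text/plain; charset=UTF-8',
        ],
        'subject' => mb_substr($subject, 0, 120),
    ];
}

// Constructed attacker input: a CRLF inside the e-mail field smuggles a
// Bcc: header into the message.
$attack = "victim@example.com\r\nBcc: spamtarget@example.org";

echo build_headers_vulnerable($attack);
// Prints the attacker's line as a header of its own, twice:
//   From: victim@example.com
//   Bcc: spamtarget@example.org
//   Reply-To: victim@example.com
//   Bcc: spamtarget@example.org

var_dump(build_headers_hardened('Chris', $attack, 'Hello'));             // NULL: refused
var_dump(build_headers_hardened('Chris', 'chris@example.com', 'Hello')); // array of safe headers

// Sending (not executed here) would then be:
//   $h = build_headers_hardened($_POST['name'] ?? '', $_POST['email'] ?? '', $_POST['subject'] ?? '');
//   if ($h === null) { http_response_code(400); exit('invalid input'); }
//   mail('owner@example.com', $h['subject'], $_POST['message'] ?? '', $h['headers']);
// mail() accepts an array for additional_headers from PHP 7.2; on older
// versions join the same array into "Name: value\r\n" lines yourself.
```

Two design points worth noting: the hardened version rejects a submission containing CR or LF instead of stripping them, because a stripped "Bcc:" line still tells you the form is being probed and a 400 is cheaper than a silently altered message; and the user's address is placed only in Reply-To, with From fixed to an address the site owns, which keeps the form from being turned into an open relay for arbitrary senders and sidesteps most SPF/DKIM rejections at the same time. The subject is passed through the same check because mail() sends it as a header too.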


    • Edward Z. Yang

      #3
      Re: Protecting 'contact us' emailing forms

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Cheb wrote:
      > I am writing a simple 'contact us' email form and I am aware I should
      > protect it from code injection and malicious email hijacks. I have
      > used mysql_escape_string() to remove any newlines in the headers but
      > do I need to protect the message body too? Should I include MIME
      > content headers too? And should I be worried about HTML inclusion in
      > the body?

      Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string()
      for SQL and other, more pertinent, string functions for email.

      If you don't have any clue what you're doing, I strongly recommend you
      use an external library like SwiftMailer <http://swiftmailer.org/>

      - --
      Edward Z. Yang GnuPG: 0x869C48DA
      HTML Purifier <htmlpurifier.org> Anti-XSS HTML Filter
      [[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]]
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.6 (MingW32)
      Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

      iD8DBQFGVLsIqTO+fYacSNoRAk0bAJ9Sioaq3vQvH38Q+pZN8DVCLvK2PQCggaeQ
      gwSH6WYTRAZNzmfrXjXLNSM=
      =jcLp
      -----END PGP SIGNATURE-----


      • Cheb

        #4
        Re: Protecting 'contact us' emailing forms

        On Wed, 23 May 2007 17:11:16 +0200, gosha bine <stereofrog@gmail.com>
        wrote:
        > On 23.05.2007 15:58 Cheb wrote:
        >> I am writing a simple 'contact us' email form and I am aware I should
        >> protect it from code injection and malicious email hijacks.
        >
        > Google for "email injection", there is tons of info.
        >
        > Basically, don't use user input in email headers, or if you must, strip
        > all \r's and \n's.
        >
        >> I have
        >> used mysql_escape_string() to remove any newlines in the headers but
        >
        > mysql_escape_string has nothing to do with emails. Use string functions:
        > str_replace, preg_replace or similar.
        >
        >> Should I include MIME
        >> content headers too? And should I be worried about HTML inclusion in
        >> the body?
        >
        > No, unless you're sending real multipart (e.g. text + html) mails.
        > If this is the case I'd suggest a professional mime package like
        > phpmailer, swift etc.

        Thanks for the suggestions - much appreciated.

        I have developed a few database-oriented PHP sites (hence the bad
        habit of using mysql_escape_string() to render user input from forms
        'safe'), but I am self taught so I know I have plenty to learn. I
        think for now I will go with yours and Edward's suggestion of Swift
        and read-up on the techniques/pitfalls later when I come to write my
        own module.

        Thanks again
        Chris R.


        • Cheb

          #5
          Re: Protecting 'contact us' emailing forms

          On Wed, 23 May 2007 18:07:04 -0400, "Edward Z. Yang"
          <edwardzyang@thewritingpot.com> wrote:
          > -----BEGIN PGP SIGNED MESSAGE-----
          > Hash: SHA1
          >
          > Cheb wrote:
          >> I am writing a simple 'contact us' email form and I am aware I should
          >> protect it from code injection and malicious email hijacks. I have
          >> used mysql_escape_string() to remove any newlines in the headers but
          >> do I need to protect the message body too? Should I include MIME
          >> content headers too? And should I be worried about HTML inclusion in
          >> the body?
          >
          > Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string()
          > for SQL and other, more pertinent, string functions for email.

          Yes, I understand it is a bad habit I have developed from doing
          MySQL-based sites. Can you explain in real terms why
          mysql_real_escape_string() is better than mysql_escape_string()? I've
          read the php.net description but would it necessarily cause problems
          if the character set isn't taken into account?

          > If you don't have any clue what you're doing, I strongly recommend you
          > use an external library like SwiftMailer <http://swiftmailer.org/>

          I think that's a bit harsh - if I didn't have "any clue what I am
          doing" then I wouldn't understand that there are serious issues with
          email contact forms. I have read quite a few tutorials but got a bit
          confused because so many articles have slightly different slants on
          the issue so I thought it best to ask some experts here.

          But thanks for the Swift link - I have downloaded it and will give it
          a try. :o)

          Thanks again
          Chris R.


          • gosha bine

            #6
            Re: Protecting 'contact us' emailing forms

            On 24.05.2007 14:15 Cheb wrote:
            > [...] I
            > think for now I will go with yours and Edward's suggestion of Swift
            > and read-up on the techniques/pitfalls later when I come to write my
            > own module.

            Good choice, swift is an excellent piece of work and very easy to use.

            The swift support forum, moderated by its author, is here



            --
            gosha bine

            extended php parser ~ http://code.google.com/p/pihipi
            blok ~ http://www.tagarga.com/blok
