阻止邮件形式中的电子邮件注入的最佳方法是什么? [英] What is the best way to prevent email Injection in a mailform?
问题描述
您好,我已经建立了一个电子邮件表单,我想知道它是否以安全的方式构建。
我已经阅读了文章如何防止将PHP表单中的电子邮件注入邮件脚本并将其应用于我的脚本。现在我想知道变量$ to和$ bcc是否保存。
Hello I have build a email form and I like to know if it is build in a secure way.
I have read the article How to Prevent Email Injection in Your PHP Form to Mail Scripts and applied it to my script. Now I like to know if the variable $to and $bcc are save.
function sendmail($to,$subject,$message,$bcc=NULL){
//Prevent Email Injection in Your PHP Form to Mail Scripts
if ( preg_match( "/[\r\n]/", $to ) || preg_match( "/[,]/", $to ) || preg_match( "/[\r\n]/", $bcc ) || preg_match( "/[,]/", $bcc ) ) {
return '<h1>Danger found: possible email Injection Hijacking</h1>';
return false;
}else{
// To send HTML mail, the Content-type header must be set
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
// Additional headers
$headers .= 'From: No Reply <no-reply@domain.nl>' . "\r\n";
if(isset($bcc)) $headers .= 'Bcc: ' .$bcc."\r\n";
// Mail it
return mail($to, $subject, $message, $headers);
}
}
sendmail($_REQUEST['email'],'Subjectline', 'message','admin@domain.com');
推荐答案
邮件中的漏洞来自标头注入。为了防止这种情况,您可以在标头值中查找换行符,即:
The vulnerability in mail comes from header injection. To prevent it, you can look for newlines in the header values, ie.:
"BCC: " . $email . "
X-OtherHeader: Foo-Bar
如果 $ email 包含换行符,例如:
If $email contains a newline, like:
webmaster@domain.com
TO: pro@hackerz.ru
您将获得一个额外的TO标头,该标头可能是恶意的。从您的邮件服务器发送电子邮件给任何人,本质上将您的邮件服务器转变为垃圾邮件服务器。
You will get an extra TO header, which is potentially malicious. Header injection allows an attacker to send an email from your mailserver to anyone, essentially turning your mailserver into a spam server.
从外观上看,当前的脚本是安全的。
From the looks of it your current script is safe.
这篇关于阻止邮件形式中的电子邮件注入的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
