Coding With Fun

PHP secure e-mail


May 11, 2021 PHP



PHP Secure E-mails


The last section covered how PHP sends e-mail, but the mail script shown there has a vulnerability: e-mail header injection. This section shows how the attack works and how to close it.


PHP E-mail injection

First, look again at the PHP code from the last section:

<html>
 <body>

 <?php
 if (isset($_REQUEST['email']))
 //if "email" is filled out, send email
 {
 //send email
 //every field is taken from the request as-is;
 //nothing checks for line breaks
 $email = $_REQUEST['email'] ;
 $subject = $_REQUEST['subject'] ;
 $message = $_REQUEST['message'] ;
 //the 2nd argument of mail() is the subject itself,
 //so no "Subject: " prefix belongs there; the 4th
 //argument (additional headers) is built straight
 //from user input: a line break inside $email ends
 //the From: line and starts a new header line
 mail("[email protected]", $subject,
 $message, "From: $email" );
 echo "Thank you for using our mail form";
 }
 else
 //if "email" is not filled out, display the form
 {
 echo "<form method='post' action='mailform.php'>
 Email: <input name='email' type='text'><br>
 Subject: <input name='subject' type='text'><br>
 Message:<br>
 <textarea name='message' rows='15' cols='40'>
 </textarea><br>
 <input type='submit'>
 </form>";
 }
 ?>

 </body>
 </html> 

The problem with the code above is that anyone who can reach the form can insert extra lines into the message header: the Email field is passed to mail() verbatim as part of the additional headers argument, and nothing checks it for line breaks. Headers are separated by line breaks, so a line break inside the value ends the From: header and whatever follows is read as a new header.

What happens if a user types a valid address into the Email input box, followed by a line break and extra Cc:, Bcc: and To: lines?

mail() appends that text after "From: " without inspecting it, so the header block now contains additional Cc:, Bcc: and To: fields. When the user clicks the submit button, the message is delivered to every address in the injected lines, which turns the contact form into a relay for unsolicited mail. Newer PHP releases make mail() refuse an additional headers string that contains blank lines or stray carriage returns, but a single line break followed by another header is still accepted, because that is how legitimate extra headers are passed, so the injection described here still works unless the application validates the input.
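As an added example (not code from the original page), the following script builds the same additional-headers string that the vulnerable mailform.php passes to mail() when the Email field carries a constructed injection payload, prints it line by line as the mail transfer agent would read it, and applies the minimal check that would have caught it. The payload, the placeholder addresses and the helper function names are assumptions for illustration; nothing is actually sent.

```php
<?php
// Added example, not code from the original page: reproduces the
// additional_headers string the vulnerable mailform.php hands to mail()
// when the Email field carries injected header lines. The payload and
// the addresses are constructed placeholders; mail() is never called.

// What $_REQUEST['email'] holds after the browser decodes a field whose
// value was "attacker@example.com%0ACc:...": every %0A became a newline.
// CRLF (%0D%0A) works just as well.
$submitted_email = "attacker@example.com\n"
    . "Cc: victim1@example.com\n"
    . "Bcc: victim2@example.com, victim3@example.com\n"
    . "To: victim4@example.com";

// Mirrors the 4th argument of the vulnerable mail() call verbatim.
function build_additional_headers(string $email): string
{
    return "From: $email";
}

// Splits the header block into lines the way the MTA will parse it.
function header_lines(string $headers): array
{
    return preg_split('/\r\n|\n|\r/', $headers);
}

// A legitimate single address never contains CR or LF, so their presence
// is a reliable sign of an injection attempt.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

$headers = build_additional_headers($submitted_email);

echo "Header lines the MTA receives from the vulnerable script:\n";
foreach (header_lines($headers) as $i => $line) {
    // Only the first line was written by the form author; the rest come
    // entirely from the submitted field.
    printf("  [%s] %s\n", $i === 0 ? "intended" : "injected", $line);
}

echo "\nInjection check on the submitted value: "
    . (has_header_injection($submitted_email) ? "rejected" : "accepted") . "\n";
echo "Injection check on a plain address:     "
    . (has_header_injection("alice@example.com") ? "rejected" : "accepted") . "\n";
```

The check at the end is deliberately coarse: it does not try to decide whether the address is well formed, only whether the value could ever span more than one header line. That is the property a header-bound field must have, whatever else is validated.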


PHP prevents E-mail injection

The best way to prevent e-mail injection is to validate the input: every value that ends up in a header must be a single line, and an e-mail address in particular must never contain a carriage return or line feed.

The following code is similar to the one in the last section, but here we've added an input validator for the email field of the form:

<html>
 <body>
 <?php
 function spamcheck($field)
 {
 //filter_var() sanitizes the e-mail
 //address using FILTER_SANITIZE_EMAIL
 //(this also strips CR and LF, the characters
 //an injection needs to start a new header line)
 $field=filter_var($field, FILTER_SANITIZE_EMAIL);

 //filter_var() validates the e-mail
 //address using FILTER_VALIDATE_EMAIL;
 //on success the sanitized address is returned,
 //so the caller never sends the raw form value
 if(filter_var($field, FILTER_VALIDATE_EMAIL))
 {
 return $field;
 }
 else
 {
 return FALSE;
 }
 }

 //the form posts its fields, so read $_POST
 //rather than the broader $_REQUEST
 if (isset($_POST['email']))
 {//if "email" is filled out, proceed

 //check if the email address is invalid
 $mailcheck = spamcheck($_POST['email']);
 //the subject also lands in a header, so it
 //must not contain CR or LF either
 $subject = isset($_POST['subject']) ? $_POST['subject'] : '';
 if ($mailcheck===FALSE || preg_match('/[\r\n]/', $subject))
 {
 echo "Invalid input";
 }
 else
 {//send email using the sanitized address
 $email = $mailcheck;
 $message = isset($_POST['message']) ? $_POST['message'] : '';
 //the 2nd argument of mail() is the subject itself,
 //so it is passed without a "Subject: " prefix
 mail("[email protected]", $subject,
 $message, "From: $email" );
 echo "Thank you for using our mail form";
 }
 }
 else
 {//if "email" is not filled out, display the form
 echo "<form method='post' action='mailform.php'>
 Email: <input name='email' type='text'><br>
 Subject: <input name='subject' type='text'><br>
 Message:<br>
 <textarea name='message' rows='15' cols='40'>
 </textarea><br>
 <input type='submit'>
 </form>";
 }
 ?>

 </body>
 </html> 

In the code above, we used the PHP filter extension to validate the input:

  • FILTER_SANITIZE_EMAIL removes every character that cannot appear in an e-mail address, including the carriage return and line feed characters an injection needs
  • FILTER_VALIDATE_EMAIL checks that the remaining value is a syntactically valid e-mail address
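As an added example that is not part of the original page, the script below runs both filters over constructed inputs to show what FILTER_SANITIZE_EMAIL strips and what FILTER_VALIDATE_EMAIL accepts afterwards, then composes the mail() arguments from cleaned values only. It goes slightly beyond the page's check: an address is rejected whenever sanitizing changed it, instead of silently sending the altered value, and the subject is checked for line breaks as well. The helper names, the placeholder addresses and the inputs are assumptions; mail() is never called.

```php
<?php
// Added example, not code from the original page: exercises
// FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL on constructed inputs
// and composes mail() arguments from the cleaned values only.
// Helper names and addresses are placeholders chosen for this example.

// Returns the address if it survives sanitizing unchanged and validates,
// null otherwise. A difference after sanitizing means the input held
// characters (CR, LF, ':', ' ', ...) that never belong in an address.
function clean_email(string $raw): ?string
{
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    if ($sanitized !== $raw || filter_var($sanitized, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $sanitized;
}

// A Subject (or any other header value) must be a single line.
function clean_header_value(string $raw): ?string
{
    return preg_match('/[\r\n]/', $raw) === 1 ? null : $raw;
}

// Returns [to, subject, message, additional_headers] for mail(), or null
// if any header-bound field was rejected.
function build_mail_args(string $to, string $raw_email, string $raw_subject, string $message): ?array
{
    $email   = clean_email($raw_email);
    $subject = clean_header_value($raw_subject);
    if ($email === null || $subject === null) {
        return null;
    }
    return [$to, $subject, $message, "From: $email"];
}

// Constructed inputs: a clean address, a Bcc injection (two '@' signs
// survive sanitizing, so validation fails), and an injected header with
// no '@', which validates once sanitized and shows why the raw field must
// never be the value that reaches mail().
$inputs = [
    "alice@example.com",
    "attacker@example.com\nBcc: victim@example.com",
    "attacker@example.com\nX-Injected: yes",
];

foreach ($inputs as $raw) {
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $valid     = filter_var($sanitized, FILTER_VALIDATE_EMAIL) !== false;
    printf("raw:       %s\nsanitized: %s\nvalidates: %s\naccepted:  %s\n\n",
        json_encode($raw), json_encode($sanitized),
        $valid ? "yes" : "no",
        clean_email($raw) === null ? "no" : "yes");
}

// Full composition: the injected subject is rejected, the clean one passes.
$cases = [
    ["alice@example.com", "Hello"],
    ["alice@example.com", "Hello\nBcc: victim@example.com"],
];
foreach ($cases as [$raw_email, $raw_subject]) {
    $args = build_mail_args("owner@example.com", $raw_email, $raw_subject, "Body text");
    echo json_encode($raw_subject) . " => "
        . ($args === null ? "rejected" : "mail() headers: " . json_encode($args[3])) . "\n";
}
```

The third input is the instructive one: after sanitizing it still validates, so a script that validates the sanitized copy but then sends the raw form field would put the injected line into the header anyway. Whatever reaches mail() has to be the value that was actually checked.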

You can read more about filters in our PHP Filter section.

Combining this section with the contents of the last section, you can send e-mail messages from PHP safely, provided that every field which ends up in a header is validated the same way and that the validated value, not the raw form input, is the one passed to mail().