PHP Development Basics Tutorial - Secure E-mail
1. PHP E-mail injection
There is a security vulnerability in the PHP e-mail script
Look at the PHP code from the previous chapter:
(Form with the fields Email, Subject and Message)
The problem with the above code is that an unauthorized user can insert data into the e-mail header through the input form.
What happens if the user enters the following text into the e-mail input box of the form?
someone@example.com%0ACc:person2@example.com
%0ABcc:person3@example.com,person3@example.com,
anotherperson4@example.com,person5@example.com
%0ABTo:person6@example.com
As usual, the mail() function puts the above text into the e-mail header, so the header now contains additional Cc:, Bcc: and To: fields. When the user clicks the submit button, this e-mail is sent to all the addresses above!
2. Preventing PHP E-mail Injection
The best way to prevent e-mail injection is to validate the input (similar to form validation).
The following code is similar to that in the previous chapter, but here we have added an input validator that checks the e-mail field in the form:
(Form with the fields Email, Subject and Message)
Summary: In the above code, we used PHP filters to validate the input:
The FILTER_SANITIZE_EMAIL filter removes illegal characters from the e-mail string
The FILTER_VALIDATE_EMAIL filter validates the value as an e-mail address
You can read more about filters in our PHP Filter chapter.
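The following is an added example, not the tutorial's own form code: a validation function built on the two filters above, wrapped in a mail-sending helper, and run against a normal address and against the injected value from section 1 (with %0A decoded to a newline, as PHP receives it). The function and recipient names are assumptions.

```php
<?php
// Added example (not the tutorial's own code): validate a submitted e-mail
// address before it reaches mail(), so injected header lines are rejected.

/**
 * Return the address if it is a single valid e-mail, or null if it must be rejected.
 */
function safe_email(string $raw): ?string
{
    // Reject outright if the value carries line breaks: a real address never
    // contains CR or LF, and those are exactly what turn one header into several.
    // Checking before sanitizing keeps the tampering visible instead of silently
    // stripping it away.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    // The same two filters the tutorial uses: strip characters that cannot
    // appear in an address, then check that what remains is well formed.
    $clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
    if ($clean === false || filter_var($clean, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $clean;
}

// Assumed helper around mail(): only the validated address is placed in a header.
function send_contact_mail(string $from, string $subject, string $message): bool
{
    $email = safe_email($from);
    if ($email === null) {
        return false;                 // refuse to send rather than "repair" the input
    }
    // Subject and body are separate arguments, never concatenated into headers;
    // the array form of headers (PHP 7.2+) avoids hand-built "From: ...\r\n" strings.
    $headers = ['From' => $email];
    return mail('webmaster@example.com', $subject, $message, $headers);
}

// Constructed inputs for a command-line demo; the second is the tutorial's
// injected value as the server sees it after URL decoding.
$inputs = [
    'someone@example.com',
    "someone@example.com\nCc:person2@example.com\nBcc:person3@example.com",
];
foreach ($inputs as $input) {
    $result = safe_email($input);
    printf("%-70s => %s\n", json_encode($input), $result ?? 'REJECTED');
}
```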