PHP Email Injection Prevention

Below is the code I'm using for a simple contact form. It seems our code is being manipulated and someone is using the contact form for email injection. I'm relatively new to PHP and I've tried researching online but currently I'm having no joy.

Does anyone have some advice?

<?php

// get posted data into local variables
$EmailFrom = Trim(stripslashes($_POST['EmailFrom'])); 
$EmailTo = "email@email.com";
$Subject = "subject";
//$Title = Trim(stripslashes($_POST['Title'])); 
$First = Trim(stripslashes($_POST['First'])); 
//$Surname = Trim(stripslashes($_POST['Surname']));
//$Company = Trim(stripslashes($_POST['Company']));
//$Address = Trim(stripslashes($_POST['Address']));
//$Address2 = Trim(stripslashes($_POST['Address2']));
//$Address3 = Trim(stripslashes($_POST['Address3']));
//$Area = Trim(stripslashes($_POST['Area']));
//$County = Trim(stripslashes($_POST['County']));
//$Postcode = Trim(stripslashes($_POST['Postcode']));
$Telephone = Trim(stripslashes($_POST['Telephone']));
//$Fax = Trim(stripslashes($_POST['Fax']));
$EmailFrom = Trim(stripslashes($_POST['EmailFrom'])); 
$AmountOwed = Trim(stripslashes($_POST['AmountOwed']));
$ip = Trim(stripslashes($_POST['ip']));
//$Marketing = Trim(stripslashes($_POST['Marketing'])); 
//$Contact = Trim(stripslashes($_POST['Contact'])); 
$Details = Trim(stripslashes($_POST['Details'])); 

// validation
$validationOK=true;
if (Trim($EmailFrom)=="Your email: (required)") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
  exit;
};
if (Trim($Telephone)=="Your Telephone: (required)") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
  exit;
};
if (Trim($First)=="Your name: (required)") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
  exit;
}

// prepare email body text
$Body = "";
//$Body .= "Title: ";
//$Body .= $Title;
//$Body .= "
";
$Body .= "First: ";
$Body .= $First;
$Body .= "
";
//$Body .= "Surname: ";
//$Body .= $Surname;
//$Body .= "
";
//$Body .= "Company: ";
//$Body .= $Company;
//$Body .= "
";
//$Body .= "Address: ";
//$Body .= $Address;
//$Body .= "
";
//$Body .= "Address2: ";
//$Body .= $Address2;
//$Body .= "
";
//$Body .= "Address3: ";
//$Body .= $Address3;
//$Body .= "
";
//$Body .= "Area: ";
//$Body .= $Area;
//$Body .= "
";
//$Body .= "County: ";
//$Body .= $County;
//$Body .= "
";
//$Body .= "Postcode: ";
//$Body .= $Postcode;
//$Body .= "
";
$Body .= "Telephone: ";
$Body .= $Telephone;
$Body .= "
";
//$Body .= "Fax: ";
//$Body .= $Fax;
//$Body .= "
";
$Body .= "EmailFrom: ";
$Body .= $EmailFrom;
$Body .= "
";
$Body .= "AmountOwed: ";
$Body .= $AmountOwed;
$Body .= "
";
$Body .= "ip: ";
$Body .= $ip;
$Body .= "
";
//$Body .= "Marketing: ";
//$Body .= $Marketing;
//$Body .= "
";
//$Body .= "Contact: ";
//$Body .= $Contact;
//$Body .= "
";
$Body .= "Details: ";
$Body .= $Details;
$Body .= "
";

// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page 
if ($success){
  print "<meta http-equiv=\"refresh\" content=\"0;URL=thankyou.php\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
?>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

3条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dtq26360 2015-11-04 13:42
关注
I would start by looking over http://securephpwiki.com/index.php/Email_Injection#Using_php_mail.28.29_function to get an idea of what's actually happening.

On the input, validate that the inputs, for example check the input email is actually an email address:

if (!filter_var($EmailFrom, FILTER_VALIDATE_EMAIL)) { // This isn't actually an email address }
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

带有Recaptcha v2的PHP表单 - 表单刷新而不提交 php
2018-07-05 13:55

回答 1 已采纳 Remove the enctype="text/plain" attribute from your form and the form should submit. You can let i
防止php注入[重复] php
2013-10-25 23:50

回答 1 已采纳 This is not a problem, since the user data is the value of a string. It's no different from saying
使用PHP中的$ _request变量进行数据库更新 mysql php
2016-03-31 23:03

回答 1 已采纳 wrong object to get value , when you are submitting GET request method="GET" $newPassword=$_POS
How can I prevent SQL-injection in PHP?
2016-03-11 14:25

happygogf的博客 2788down votefavorite 2528 If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_
（php，mysql）根据同一db中另一个表中的属性显示一个MySQL表的结果[duplicate] mysql php
2017-06-21 16:04

回答 1 已采纳 You can use % on either side of the search string and use LOWER for case insensitive matching, e.g
从php / mysql自动完成中获取价值 ajax jquery mysql php
2015-05-29 10:49

回答 1 已采纳 You will need to output the individual cities in an element rather than just separated by <br&g
良好的PHP文本分页 ajax javascript php
2009-04-29 15:54

回答 4 已采纳 If it doesn't need to be exact there's no reason you can't use a simple word count function to det
Data Exfiltration via Blind OS Command Injection
2015-11-18 12:23

weixin_34377065的博客 Applications that send an email to a user supplied address, Enterprise Server Monitoring applications that return system health information, Applications that use 3rd party tools to generate ...
安全地提取目录内容将PHP和使用JQuery读取它们？ javascript jquery php xss
2015-01-05 05:07

回答 1 已采纳 Yes, this is perfectly safe. You will just need to ensure the security is part of the php code whe
mysqli_stmt :: bind_param（）：类型定义字符串中的元素数与绑定变量警告数不匹配 php sql
2015-03-29 12:50

回答 1 已采纳 you appear to be mixing PDO syntax with MySQLi syntax. Please read up on http://wiki.hashphp.org
为什么reCAPTCHA只出现在某些计算机/浏览器上？ html php
2014-07-29 21:02

回答 1 已采纳 Check the following, maybe you spot the reason: disable any advertisment blocking extensions, if
MySQL: Secure Web Apps - SQL Injection techniques
2015-07-01 18:12

wrflovecy的博客 asked to me by email how to find/to prevent SQL Injection flaws in their codes. Yes, we could say that this is the second part of my first paper regarding PHP flaws (PHP Underground Security...
如何防止javascript代码被盗？ javascript php
2013-03-02 09:34

回答 7 已采纳 You can only try to make it less readable (through minifiaction and obfuscation), but the code is
【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统
2022-03-23 16:25

Fighting_hawk的博客目录 1 概述 2 域名、子域名、IP信息收集 3 端口扫描 3.1 扫描过程 3.2 小结 ......php /drupal7/themes/~%3F%3F%3F.html /drupal7/themes/~%3F%3F%3F.txt /drupal7/themes/~%3F%3F%3F.php /drupal7/misc/~%3F%3F%3F.txt /...
webgoat- XML External Entity-XXE-XML实体注入
2023-11-01 19:10

测试-东方不败之鸭梨的博客 Again same exercise but try to perform the same XML injection as we did in the first assignment. 如图接口，body为json格式，但是如果修改为xml格式呢？在burpsuite里，将修改Content-Type: application/xml...
xxe测试（owasp）
2021-03-08 23:31

流口水的柠檬精的博客 XML External Entity (XXE) Prevention Cheat Sheet （最后一点略了）工具 XML Injection Fuzz Strings (from wfuzz tool) 个人小总结个人感觉测试内容主要就是通过各种特殊字符测试是否会报错，特殊字符包括单...
【应用安全编码规范】---模板
2022-11-01 10:28

莫慌搞安全的博客举例来说，应用程序可能只允许用户选择四位数字的 accountID 来进行操作，该应用系统应该假设用户会输入 SQL injection 的恶意攻击，并且做数据输入的检查来确认该数据是否为四位数字而且输入的字符只有数字。...
渗透测试 ( 5 ) --- 扫描之王 nmap、渗透测试工具实战技巧合集
2022-07-02 23:57

擒贼先擒王的博客 Nmap 是一款开源免费的网络发现（Network Discovery）和安全审计（Security Auditing）工具。软件名字 Nmap 是Network Mapper 的简称。Nmap 最初是由Fyodor在1997年开始创建的。随后在开源社区众多的志愿者参与下，...
mysql pdo教程_(唯一合适) PDO 教程
2021-01-27 17:36

Mac老朱的博客它如此重要的原因在The Hitchhiker's Guide to SQL Injection prevention.有详细的解释. 对于运行的查询, 如果至少使用一个变量, 你必须使用占位符替换它. 准备执行语句, 然后分别传入变量执行. 长话短说, 它不像...
没有解决我的问题, 去提问

悬赏问题

¥15 关于#c##的问题：最近需要用CAT工具Trados进行一些开发
¥15 南大pa1 小游戏没有界面，并且报了如下错误，尝试过换显卡驱动，但是好像不行
¥15 没有证书，nginx怎么反向代理到只能接受https的公网网站
¥50 成都蓉城足球俱乐部小程序抢票
¥15 yolov7训练自己的数据集
¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)（相关搜索：51单片机|单片机|测试代码）
¥15 电力市场出清matlab yalmip kkt 双层优化问题
¥30 ros小车路径规划实现不了，如何解决？(操作系统-ubuntu)
¥20 matlab yalmip kkt 双层优化问题
¥15 如何在3D高斯飞溅的渲染的场景中获得一个可控的旋转物体

PHP Email Injection Prevention

3条回答 默认 最新

悬赏问题

3条回答默认最新