PHP Email Injection Prevention

Below is the code I'm using for a simple contact form. It seems our code is being manipulated and someone is using the contact form for email injection. I'm relatively new to PHP and I've tried researching online but currently I'm having no joy.

Does anyone have some advice?

<?php

// get posted data into local variables
$EmailFrom = Trim(stripslashes($_POST['EmailFrom'])); 
$EmailTo = "email@email.com";
$Subject = "subject";
//$Title = Trim(stripslashes($_POST['Title'])); 
$First = Trim(stripslashes($_POST['First'])); 
//$Surname = Trim(stripslashes($_POST['Surname']));
//$Company = Trim(stripslashes($_POST['Company']));
//$Address = Trim(stripslashes($_POST['Address']));
//$Address2 = Trim(stripslashes($_POST['Address2']));
//$Address3 = Trim(stripslashes($_POST['Address3']));
//$Area = Trim(stripslashes($_POST['Area']));
//$County = Trim(stripslashes($_POST['County']));
//$Postcode = Trim(stripslashes($_POST['Postcode']));
$Telephone = Trim(stripslashes($_POST['Telephone']));
//$Fax = Trim(stripslashes($_POST['Fax']));
$EmailFrom = Trim(stripslashes($_POST['EmailFrom'])); 
$AmountOwed = Trim(stripslashes($_POST['AmountOwed']));
$ip = Trim(stripslashes($_POST['ip']));
//$Marketing = Trim(stripslashes($_POST['Marketing'])); 
//$Contact = Trim(stripslashes($_POST['Contact'])); 
$Details = Trim(stripslashes($_POST['Details'])); 

// validation
$validationOK=true;
if (Trim($EmailFrom)=="Your email: (required)") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
  exit;
};
if (Trim($Telephone)=="Your Telephone: (required)") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
  exit;
};
if (Trim($First)=="Your name: (required)") $validationOK=false;
if (!$validationOK) {
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
  exit;
}

// prepare email body text
$Body = "";
//$Body .= "Title: ";
//$Body .= $Title;
//$Body .= "
";
$Body .= "First: ";
$Body .= $First;
$Body .= "
";
//$Body .= "Surname: ";
//$Body .= $Surname;
//$Body .= "
";
//$Body .= "Company: ";
//$Body .= $Company;
//$Body .= "
";
//$Body .= "Address: ";
//$Body .= $Address;
//$Body .= "
";
//$Body .= "Address2: ";
//$Body .= $Address2;
//$Body .= "
";
//$Body .= "Address3: ";
//$Body .= $Address3;
//$Body .= "
";
//$Body .= "Area: ";
//$Body .= $Area;
//$Body .= "
";
//$Body .= "County: ";
//$Body .= $County;
//$Body .= "
";
//$Body .= "Postcode: ";
//$Body .= $Postcode;
//$Body .= "
";
$Body .= "Telephone: ";
$Body .= $Telephone;
$Body .= "
";
//$Body .= "Fax: ";
//$Body .= $Fax;
//$Body .= "
";
$Body .= "EmailFrom: ";
$Body .= $EmailFrom;
$Body .= "
";
$Body .= "AmountOwed: ";
$Body .= $AmountOwed;
$Body .= "
";
$Body .= "ip: ";
$Body .= $ip;
$Body .= "
";
//$Body .= "Marketing: ";
//$Body .= $Marketing;
//$Body .= "
";
//$Body .= "Contact: ";
//$Body .= $Contact;
//$Body .= "
";
$Body .= "Details: ";
$Body .= $Details;
$Body .= "
";

// send email 
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");

// redirect to success page 
if ($success){
  print "<meta http-equiv=\"refresh\" content=\"0;URL=thankyou.php\">";
}
else{
  print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
}
?>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

3条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dtq26360 2015-11-04 13:42
关注
I would start by looking over http://securephpwiki.com/index.php/Email_Injection#Using_php_mail.28.29_function to get an idea of what's actually happening.

On the input, validate that the inputs, for example check the input email is actually an email address:

if (!filter_var($EmailFrom, FILTER_VALIDATE_EMAIL)) { // This isn't actually an email address }
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

带有Recaptcha v2的PHP表单 - 表单刷新而不提交 php
2018-07-05 13:55

回答 1 已采纳 Remove the enctype="text/plain" attribute from your form and the form should submit. You can let i
防止php注入[重复] php
2013-10-25 23:50

回答 1 已采纳 This is not a problem, since the user data is the value of a string. It's no different from saying
使用PHP中的$ _request变量进行数据库更新 mysql php
2016-03-31 23:03

回答 1 已采纳 wrong object to get value , when you are submitting GET request method="GET" $newPassword=$_POS
How can I prevent SQL-injection in PHP?
2016-03-11 14:25

happygogf的博客 2788down votefavorite 2528 If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_
（php，mysql）根据同一db中另一个表中的属性显示一个MySQL表的结果[duplicate] mysql php
2017-06-21 16:04

回答 1 已采纳 You can use % on either side of the search string and use LOWER for case insensitive matching, e.g
从php / mysql自动完成中获取价值 ajax jquery mysql php
2015-05-29 10:49

回答 1 已采纳 You will need to output the individual cities in an element rather than just separated by <br&g
良好的PHP文本分页 ajax javascript php
2009-04-29 15:54

回答 4 已采纳 If it doesn't need to be exact there's no reason you can't use a simple word count function to det
Data Exfiltration via Blind OS Command Injection
2015-11-18 12:23

weixin_34377065的博客 Applications that send an email to a user supplied address, Enterprise Server Monitoring applications that return system health information, Applications that use 3rd party tools to generate ...
安全地提取目录内容将PHP和使用JQuery读取它们？ javascript jquery php xss
2015-01-05 05:07

回答 1 已采纳 Yes, this is perfectly safe. You will just need to ensure the security is part of the php code whe
mysqli_stmt :: bind_param（）：类型定义字符串中的元素数与绑定变量警告数不匹配 php sql
2015-03-29 12:50

回答 1 已采纳 you appear to be mixing PDO syntax with MySQLi syntax. Please read up on http://wiki.hashphp.org
为什么reCAPTCHA只出现在某些计算机/浏览器上？ html php
2014-07-29 21:02

回答 1 已采纳 Check the following, maybe you spot the reason: disable any advertisment blocking extensions, if
MySQL: Secure Web Apps - SQL Injection techniques
2015-07-01 18:12

wrflovecy的博客 asked to me by email how to find/to prevent SQL Injection flaws in their codes. Yes, we could say that this is the second part of my first paper regarding PHP flaws (PHP Underground Security...
如何防止javascript代码被盗？ javascript php
2013-03-02 09:34

回答 7 已采纳 You can only try to make it less readable (through minifiaction and obfuscation), but the code is
【废了-准备删除02】信息收集——基于WAMP的drupal7.x管理系统
2022-03-23 16:25

Fighting_hawk的博客目录 1 概述 2 域名、子域名、IP信息收集 3 端口扫描 3.1 扫描过程 3.2 小结 ......php /drupal7/themes/~%3F%3F%3F.html /drupal7/themes/~%3F%3F%3F.txt /drupal7/themes/~%3F%3F%3F.php /drupal7/misc/~%3F%3F%3F.txt /...
webgoat- XML External Entity-XXE-XML实体注入
2023-11-01 19:10

测试-东方不败之鸭梨的博客 Again same exercise but try to perform the same XML injection as we did in the first assignment. 如图接口，body为json格式，但是如果修改为xml格式呢？在burpsuite里，将修改Content-Type: application/xml...
xxe测试（owasp）
2021-03-08 23:31

流口水的柠檬精的博客 XML External Entity (XXE) Prevention Cheat Sheet （最后一点略了）工具 XML Injection Fuzz Strings (from wfuzz tool) 个人小总结个人感觉测试内容主要就是通过各种特殊字符测试是否会报错，特殊字符包括单...
【应用安全编码规范】---模板
2022-11-01 10:28

莫慌搞安全的博客举例来说，应用程序可能只允许用户选择四位数字的 accountID 来进行操作，该应用系统应该假设用户会输入 SQL injection 的恶意攻击，并且做数据输入的检查来确认该数据是否为四位数字而且输入的字符只有数字。...
渗透测试 ( 5 ) --- 扫描之王 nmap、渗透测试工具实战技巧合集
2022-07-02 23:57

擒贼先擒王的博客 Nmap 是一款开源免费的网络发现（Network Discovery）和安全审计（Security Auditing）工具。软件名字 Nmap 是Network Mapper 的简称。Nmap 最初是由Fyodor在1997年开始创建的。随后在开源社区众多的志愿者参与下，...
mysql pdo教程_(唯一合适) PDO 教程
2021-01-27 17:36

Mac老朱的博客它如此重要的原因在The Hitchhiker's Guide to SQL Injection prevention.有详细的解释. 对于运行的查询, 如果至少使用一个变量, 你必须使用占位符替换它. 准备执行语句, 然后分别传入变量执行. 长话短说, 它不像...
没有解决我的问题, 去提问

悬赏问题

¥15 虚幻5 UE美术毛发渲染
¥15 CVRP 图论物流运输优化
¥15 Tableau online 嵌入ppt失败
¥100 支付宝网页转账系统不识别账号
¥15 基于单片机的靶位控制系统
¥15 真我手机蓝牙传输进度消息被关闭了，怎么打开？(关键词-消息通知)
¥15 装 pytorch 的时候出了好多问题，遇到这种情况怎么处理？
¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
¥15 手机接入宽带网线，如何释放宽带全部速度
¥30 关于#r语言#的问题：如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测

PHP Email Injection Prevention

3条回答 默认 最新

悬赏问题

3条回答默认最新