PHP's mail function

software development

#1

I made a contact page and I just found out it is not secure enough (yet). Does anyone know if there is a header or something I can pass to make sure someone does not try to make it a multipart email or worse?
I found an email to me that used a long subject line that added a multipart section and a bcc.
I did not know this could happen in the subject area.
What would you recommend on tightening up my input fields?
I am currently using an htmlentities plus a trim and I check to make sure all fields have data.
Other than that I am wide open for attack. I guess I have newbie written across my forehead. :)
One thing I did add was sending the remote IP address, which allowed me to block the offenders.
Silk


#2

Simplest fix is to NEVER include anything that was submitted in the form in the message headers. This includes names, email addresses, or other stuff. In other words, do something like this in Perl:

[code]use strict;
use warnings;
use CGI;

my $query = CGI->new;

# pre-defined message subjects
my %subjects = (
    'general'      => 'General Correspondence',
    'error'        => 'Web Site Error',
    'solicitation' => 'Business Opportunity',
);

# obtain form value
my $subject_key = $query->param('subject');

# specify default message subject
my $subject_value = 'Unspecified Subject';

# set message subject only if the form value provided is one of ours
if (defined $subject_key && exists $subjects{$subject_key}) {
    $subject_value = $subjects{$subject_key};
}[/code]Also, instead of just passing the data through to htmlentities and trim, report an error to the visitor if the data is bad. I'm not aware of any reason a message header should have ASCII characters less than 32 in it, for example:

[code]if ($form_value =~ /[\x00-\x1f]/) {
    # A control character (ASCII 0 through 31) was present.
    print "There was an error: Invalid input.";
}[/code]Either that, or provide a preview page, e.g.:

From: visitor_name <visitor_email>
To: yourdomain.com
Subject: visitor_subject

visitor_message

That way the visitor will see that you are filtering the input.

:cool: Perl / MySQL / HTML+CSS
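The advice in the post above (keep everything the visitor typed out of the headers, pick the subject from a fixed table, and refuse control characters) applied to PHP's mail(), as an added example that is not code from either poster. The injected subject is constructed to mirror the attack described in the first post; the function names build_mail_vulnerable/build_mail_safe, the SUBJECTS table and the example.invalid addresses are assumptions. Both builders return the four values that would be handed to mail(), so the result can be inspected without actually sending anything.

```php
<?php
// Added example (not the original poster's code). Shows why a submitted
// subject must never reach a mail() header unfiltered, and the fix.

// Constructed attacker input: a "subject" that terminates the Subject: line
// with CRLF and appends its own headers, turning the message into a
// multipart mail with a Bcc. This is the pattern the first post describes.
const INJECTED_SUBJECT = "Hello\r\nBcc: spam-target@example.invalid\r\n"
    . "Content-Type: multipart/mixed; boundary=\"x\"\r\n\r\n--x\r\n"
    . "Content-Type: text/plain\r\n\r\nspam body";

// The pattern the original contact page used: visitor data goes straight
// into the headers. htmlentities() and trim() do nothing about CR or LF.
function build_mail_vulnerable(string $name, string $email, string $subject, string $message): array
{
    $headers = "From: " . htmlentities(trim($name)) . " <" . trim($email) . ">\r\n";
    return [
        'to'      => 'me@example.invalid',   // assumed recipient
        'subject' => trim($subject),         // attacker controls this header line
        'body'    => htmlentities(trim($message)),
        'headers' => $headers,
    ];
}

// Hardened version: headers are built only from values the script owns.
// The subject is looked up in a fixed table, every header-bound field is
// refused if it contains a control character, and the visitor's name and
// address go in the body, where a CRLF cannot start a new header.
const SUBJECTS = [
    'general'      => 'General Correspondence',
    'error'        => 'Web Site Error',
    'solicitation' => 'Business Opportunity',
];

function has_control_chars(string $s): bool
{
    // ASCII 0-31 plus 127; CR, LF and NUL are what header injection relies on.
    return preg_match('/[\x00-\x1f\x7f]/', $s) === 1;
}

function build_mail_safe(string $name, string $email, string $subject_key, string $message): ?array
{
    foreach ([$name, $email, $subject_key] as $field) {
        if (has_control_chars($field)) {
            return null; // caller reports "Invalid input" to the visitor instead of sending
        }
    }
    $subject = SUBJECTS[$subject_key] ?? 'Unspecified Subject';

    // Everything the visitor typed lives in the body. Newlines in the
    // message are harmless there because the body is not a header.
    $body = "Name: $name\r\nEmail: $email\r\n\r\n" . $message;

    return [
        'to'      => 'me@example.invalid',                       // assumed recipient
        'subject' => $subject,
        'body'    => $body,
        'headers' => "From: contact-form@example.invalid\r\n"    // fixed, site-owned sender
                   . "Content-Type: text/plain; charset=UTF-8\r\n",
    ];
}

// Demonstration: the vulnerable builder hands the injected headers to mail()
// inside the subject; the safe builder refuses the same input outright.
$vuln = build_mail_vulnerable('Silk', 'visitor@example.invalid', INJECTED_SUBJECT, 'hi');
var_dump(strpos($vuln['subject'], "\r\nBcc:") !== false);

$safe = build_mail_safe('Silk', 'visitor@example.invalid', INJECTED_SUBJECT, 'hi');
var_dump($safe);

$ok = build_mail_safe('Silk', 'visitor@example.invalid', 'error', "Page /foo gives a 404\r\nthanks");
var_dump($ok['subject']);
// mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']) would be the final step.
```

Run it with `php example.php`: the first var_dump shows that the Bcc line survives trim() and would be passed to mail() as part of the subject, the second shows the safe builder rejecting that input (null), and the third shows that a valid key maps to the site's own subject text rather than anything the visitor typed. Note that the control-character check is applied to the subject key even though it is only used as a lookup, so an attacker who guesses a valid key still gets the table's text and never their own.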


#3

That's a thought, I could keep all of their data in the body, as there really is no reason to keep the information in the header.
But I thought, if the email was text only, that the content type could not be changed. But I guess I was wrong.
Silk