How to avoid PHP Email Injection Hack
An email injection (mail header injection) attack occurs when an email form lets an attacker add extra header lines, such as Cc: and Bcc: addresses, to the message sent by the server. It happens when a script copies a form field such as the sender's address straight into the headers parameter of mail() without checking it for line breaks, e.g.
$header="From: xxx@xxx.com" ;
could, by submitting a crafted address, become
$header="From: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com" ;
In the code below, $from is assigned directly from the form parameter. If an attacker appends \r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com to the value of $from, each line becomes a separate header and the mail is delivered to all of those addresses, turning your server into a spam relay.
// VULNERABLE: the form value is placed in the header without any check
$from = trim($_POST['email']);
$headers = "From: $from\r\n";
$headers .= "Content-type: text/html";
mail($to, $subject, $message, $headers);
The fix is to make sure the value can never contain a line break. The simplest version is to cut off everything from the first \r or \n character onward, as in the code below, so that an injected header never reaches mail():
$from = trim($_POST['email']);
#ADD THIS LINE TO STRIP OUT ALL \r\n characters
# Everything from the first CR or LF to the end of the string is discarded
# (the /s flag lets .* run across line breaks, so only the first line survives)
$from = preg_replace('/[\r\n].*/s', '', $from);
$headers = "From: $from\r\n";
$headers .= "Content-type: text/html";
mail($to, $subject, $message, $headers);
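Silently truncating the value works, but it hides attacks and still lets a malformed address through. The added example below (written for this page; it is not code from the original article) goes a step further: it rejects any address containing CR, LF or NUL, requires it to be a single syntactically valid mailbox, and keeps the visitor's address out of From: entirely by using a fixed site address and putting the visitor in Reply-To:. The sample inputs, the function names and the address noreply@example.com are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs: one clean address, two header-injection attempts
// (CRLF and bare LF), and an attempt to smuggle a second recipient as a list.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBCC: victim1@example.com\r\nBCC: victim2@example.com",
    "alice@example.com\nBcc: victim3@example.com",
    'alice@example.com, victim4@example.com',
];

// Returns the address if it is safe to place in a header, otherwise null.
function clean_address(string $raw): ?string
{
    $addr = trim($raw);
    // A CR, LF or NUL would end the current header line or the header block,
    // so any occurrence is treated as an attack rather than cleaned up.
    if (preg_match('/[\r\n\0]/', $addr) === 1) {
        return null;
    }
    // Require exactly one syntactically valid mailbox; this also rejects
    // comma-separated lists and display names such as "Bob" <bob@example.com>.
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $addr;
}

// Header construction as on the page: the form value goes straight into From:.
function build_headers_vulnerable(string $from): string
{
    return "From: $from\r\nContent-type: text/html\r\n";
}

// Hardened construction: From: is a fixed address the site controls, the
// visitor's address only appears in Reply-To: and only after validation.
function build_headers_hardened(string $visitor, string $siteFrom = 'noreply@example.com'): ?string
{
    $reply = clean_address($visitor);
    if ($reply === null) {
        return null; // the caller must not call mail() and should show a validation error
    }
    return "From: $siteFrom\r\nReply-To: $reply\r\nContent-type: text/html\r\n";
}

// Count the header lines each approach would hand to mail(), so the effect of
// the injected lines is visible without actually sending anything.
function count_header_lines(string $headers): int
{
    return count(array_filter(explode("\r\n", str_replace("\n", "\r\n", str_replace("\r\n", "\n", $headers)))));
}

foreach ($samples as $input) {
    $vuln = build_headers_vulnerable($input);
    $hard = build_headers_hardened($input);
    printf("input:      %s\n", addcslashes($input, "\r\n\0"));
    printf("vulnerable: %d header line(s)\n", count_header_lines($vuln));
    printf("hardened:   %s\n\n", $hard === null ? 'REJECTED' : count_header_lines($hard) . ' header line(s)');
}
```

The string returned by build_headers_hardened() is what you would pass as the fourth argument to mail(); when it returns null, do not send at all. Using a fixed From: address also avoids delivery problems with the visitor's own domain's SPF or DMARC policy, which a forged From: would trip. The same check should be applied to any other form field that ends up in a header, such as a subject line.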
This page (revision-1) was last changed on 11-Feb-2007 10:34 by UnknownAuthor