How to avoid PHP Email Injection Hack#

An email injection hack occurs when a email form allows a hacker to add CC and/or BCC email addresses to the header of the email. This can occur if a form simply adds the from address field of a form to the header parameter of the mail function.

e.g.

$header="From: xxx@xxx.com" ;

Could be replaced with

$header="From: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com" ;

The $from variable below may be assigned the form parameter. You can see below that if a hacker added \r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com\r\nBCC: xxx@xxx.com" to the $from valiable, the email would be sent to all the email addresses.

$email  = trim($_POST['email']);
$headers  = "From: $from\r\n";
$headers .= "Content-type: text/html";
mail($to, $subject, $message, $headers);

The solution is to strip out any \r\n characters in code using the code below:

$email  = trim($_POST['email']);

#ADD THIS LINE TO STRIP OUT ALL \r\n characters
$from = preg_replace('/[\n|\r].*/', '', $from);

$headers  = "From: $from\r\n";
$headers .= "Content-type: text/html";
mail($to, $subject, $message, $headers);