How can I prevent PHP injection?


gavimobile
04-28-2008, 12:16 AM
Folks, I have completed an email script (thanks lex).
My script was taken from w3schools; however, the next lesson they provided showed how to take this email script and prevent any PHP injection!
I've already integrated the script into my old one and I tested it. The mailing part works; however, I'm not sure if the prevention of PHP injection has been applied to my script yet. What changes must I make to the script to prevent PHP injection?

<?php

require_once("../includes/config.php");

$query = sprintf("SELECT * FROM adm WHERE adm_id=$getemail");
$results = @mysql_query($query);
$row = @mysql_fetch_array($results);

?>
<html>
<body>
<?php

function spamcheck($field)
{
    //filter_var() sanitizes the e-mail
    //address using FILTER_SANITIZE_EMAIL
    $field=filter_var($field, FILTER_SANITIZE_EMAIL);

    //filter_var() validates the e-mail
    //address using FILTER_VALIDATE_EMAIL
    if(filter_var($field, FILTER_VALIDATE_EMAIL))
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}


if (isset($_REQUEST['email']))
{//if "email" is filled out, proceed

    //check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck==FALSE)
    {
        echo "Invalid input";
    }
    else
    { //send email
        mail( $adm_email, "Subject: $subject",
            $message, "From: $email" );
    }
}
else
{//if "email" is not filled out, display the form

?>

<form method="post" action="../includes/scripts/contact_user_script.php">
Your Name: <input name="sender_name" type="text" /><br />
Email: <input name="email" type="text" /><br />
Subject: <input name="subject" type="text" /><br />
Message: <br /><textarea name="message" rows="15" cols="40"></textarea><br />
<input type="submit" />
<input type="hidden" name="to" value="<?php echo $row['adm_email']; ?>" />
</form>

<?php
}
?>

</body>
</html>

nanny
04-28-2008, 03:18 AM
I use this for the message body:

// Reject a body that contains a line break followed by a mail header name
$messageBody = isset($_POST['message']) ? trim($_POST['message']) : '';
if (!empty($messageBody)) {
    $type = '/(%0A|%0D|\n+|\r+)(content-type:|to:|cc:|bcc:|MIME-Version:|Content-Transfer-Encoding:)/i';
    if (preg_match($type, $messageBody)) {
        $error['message'] = 'Sorry you can not place that for a message';
    }
}
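The check above only runs over the message body. As an added example (my code, not nanny's or gavimobile's), here is the same idea applied to the whole form: the values that end up in mail headers (From, Subject, the sender's name) must not contain a line break of any kind, raw or URL-encoded, because a break there lets a submitter append headers of their own; the body may legitimately contain line breaks, so it only gets nanny's narrower test. Field names match the original form; the sample submissions are constructed.

```php
<?php
// Added example, not code from the thread: input checks for the contact form.

/** True if a single-line header value contains a raw or URL-encoded line break. */
function hasHeaderInjection($value)
{
    return preg_match('/[\r\n]|%0[aAdD]/', (string) $value) === 1;
}

/**
 * Checks a submission; returns field => error message, empty when the
 * input can safely be passed to mail(). Field names match the original form.
 */
function checkContactInput(array $input)
{
    $errors = array();

    // Header-bound fields: any line break at all is rejected.
    foreach (array('email', 'subject', 'sender_name') as $field) {
        $value = isset($input[$field]) ? trim($input[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'Required';
        } elseif (hasHeaderInjection($value)) {
            $errors[$field] = 'Line breaks are not allowed here';
        }
    }

    if (!isset($errors['email'])
        && filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email address';
    }

    // Body: flag only a line break immediately followed by a header name
    // (nanny's pattern, with optional whitespace before the header name).
    $body = isset($input['message']) ? trim($input['message']) : '';
    $pattern = '/(%0A|%0D|\n+|\r+)\s*(content-type|to|cc|bcc|mime-version|content-transfer-encoding):/i';
    if ($body === '') {
        $errors['message'] = 'Required';
    } elseif (preg_match($pattern, $body)) {
        $errors['message'] = 'Sorry you can not place that for a message';
    }

    return $errors;
}

// Constructed sample submissions, not captured traffic.
$clean = array(
    'sender_name' => 'Alice',
    'email'       => 'alice@example.com',
    'subject'     => 'Question about my order',
    'message'     => "Hello,\nwhere is my order?\nThanks",
);
$tampered = array(
    'sender_name' => 'Bob',
    'email'       => "bob@example.com\r\nBcc: someone@example.net",
    'subject'     => 'Hello%0ACc: other@example.org',
    'message'     => "Hi\nContent-Type: text/html",
);

var_dump(checkContactInput($clean));
var_dump(checkContactInput($tampered));
```

The clean sample passes every check even though its body has line breaks; the tampered sample trips the email, subject and message checks, which is the behaviour you want before any of those values reach mail().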

gavimobile
04-28-2008, 05:08 AM

Hrm, thanks for the speedy reply nanny, I'm not sure what you're trying to show me here. Will this prevent me from getting injected?

lux
04-28-2008, 08:09 AM
What you're referring to is a SQL Injection Attack.

http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection

To prevent an attack look to restrict user input where possible when they enter / submit information. Then check / sanitize the submitted information.

The mysql_real_escape_string() function will be your friend in this area so make sure you use it.

Test the users input thoroughly e.g. check type, length, certain combinations etc.

Google search and have a read of different examples people offer and convert the examples where possible to meet your needs.

pete
04-28-2008, 11:58 AM
First of all you need to remove your script immediately from any web server it may be on that is accessible to the public and/or spam bots. Not only is $_POST['subject'] open to a PHP mail injection attack (see http://www.securephpwiki.com/index.php/Email_Injection ) but you have the 'to' email in a hidden form field that anyone can change.

You need to fully understand the security implications before writing PHP. Google for 'PHP mail injection attack'. Get a book on PHP security.

Spammers who exploit forms do not manually submit them; they use spambots and then use curl to fire off thousands of emails a minute.
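To show what pete's two points and lux's database advice look like together, here is an added example handler (my code, not pete's, lux's or the original script). The recipient is never read from a hidden 'to' field; the form only sends a numeric admin id, which is resolved against the adm table with a prepared statement, so a submitter can at most pick one of the existing admins and cannot inject into the query. Header-bound fields are length-checked and rejected if they contain any line break. The table and column names (adm, adm_id, adm_email) come from the original script; the mysqli connection details and the adm_id field are assumptions, and on the old mysql_* stack the equivalent of the integer bind is casting the id with (int) before building the query.

```php
<?php
// Added example, not code from the thread: a hardened contact handler.

/**
 * Resolves the recipient on the server from a numeric admin id.
 * Returns the address, or null if the id is not a positive integer or
 * no such admin exists.
 */
function lookupRecipient(mysqli $db, $admId)
{
    $admId = (int) $admId;
    if ($admId <= 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT adm_email FROM adm WHERE adm_id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $admId);
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $email : null;
}

/** Single-line header values must not contain a raw or URL-encoded line break. */
function isSafeHeaderValue($value)
{
    return preg_match('/[\r\n]|%0[aAdD]/', (string) $value) === 0;
}

/**
 * Validates a submission and sends it. Returns a list of error strings;
 * an empty list means the message was handed to mail().
 */
function handleContactForm(mysqli $db, array $post)
{
    $errors = array();

    // The recipient comes from the database, never from a hidden 'to' input.
    $to = lookupRecipient($db, isset($post['adm_id']) ? $post['adm_id'] : 0);
    if ($to === null) {
        $errors[] = 'Unknown recipient';
    }

    $from = isset($post['email']) ? trim($post['email']) : '';
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address';
    }

    $subject = isset($post['subject']) ? trim($post['subject']) : '';
    if ($subject === '' || strlen($subject) > 120 || !isSafeHeaderValue($subject)) {
        $errors[] = 'Invalid subject';
    }

    $message = isset($post['message']) ? trim($post['message']) : '';
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'Message missing or too long';
    }

    if ($errors) {
        return $errors;
    }

    // Only validated, single-line values are placed in the header string.
    $headers = "From: $from\r\nReply-To: $from";
    if (!mail($to, $subject, $message, $headers)) {
        $errors[] = 'Mail could not be sent';
    }
    return $errors;
}

// Assumed connection values; take the real ones from includes/config.php.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    die('Database connection failed');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = handleContactForm($db, $_POST);
    echo $errors ? htmlspecialchars(implode('; ', $errors)) : 'Sent';
}
```

The form that posts to this handler carries `<input type="hidden" name="adm_id" value="...">` instead of the admin's address; tampering with that value can only select another row of adm or produce 'Unknown recipient', and the length limits keep a bot from stuffing a large body through the form.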