
header injection in mail

I'm writing my php "form mail" script.

Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF? It seems to me it easily could and
should, but does it?

Jeff
Sep 1 '08 #1
14 Replies


..oO(Jeff)
I'm writing my php "form mail" script.

Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
No. mail() is a rather low-level tool. You are responsible for feeding
it correct data.

BTW: CR and LF are not the only things to worry about in the TO: field.
This header also allows multiple comma-separated mail addresses ...
>It seems to me it easily could and
should, but does it?
May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.

Micha
Sep 1 '08 #2

Michael Fesser wrote:
.oO(Jeff)

> I'm writing my php "form mail" script.

Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?

No. mail() is a rather low-level tool. You are responsible for feeding
it correct data.

BTW: CR and LF are not the only things to worry about in the TO: field.
This header also allows multiple comma-separated mail addresses ...

>It seems to me it easily could and
should, but does it?

May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.

Micha
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
--
*****************************
Chuck Anderson Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************

Sep 1 '08 #3

Michael Fesser wrote:
>.oO(Jeff)

>> I'm writing my php "form mail" script.

Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?

No. mail() is a rather low-level tool. You are responsible for
feeding it correct data.

BTW: CR and LF are not the only things to worry about in the TO:
field. This header also allows multiple comma-separated mail
addresses ...
>>It seems to me it easily could and
should, but does it?

May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get
easier. Micha

Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
Well, with hype like :

" strategies to get your emails past spam checkers, and specifications
for popular servers.
... more "

on their opening page, I'd say they should be drilled into the ground
until they meet lava and then another quarter mile just for good
measure. That soured me on them pretty quickly - they're spammer
friendly and the only good spammer is a dead spammer.

Sep 2 '08 #4

Twayne wrote:
>Michael Fesser wrote:
>>.oO(Jeff)

I'm writing my php "form mail" script.

Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
No. mail() is a rather low-level tool. You are responsible for
feeding it correct data.

BTW: CR and LF are not the only things to worry about in the TO:
field. This header also allows multiple comma-separated mail
addresses ...

It seems to me it easily could and
should, but does it?
May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get
easier. Micha

Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?

Well, with hype like :

" strategies to get your emails past spam checkers, and specifications
for popular servers.
... more "

on their opening page, I'd say they should be drilled into the ground
until they meet lava and then another quarter mile just for good
measure. That soured me on them pretty quickly - they're spammer
friendly and the only good spammer is a dead spammer.

You misunderstand. ISP mail servers have become more stringent about
requiring certain protocols. Phpmailer is assuring you that it will get
you through all the proper protocols, not that it will perpetrate deception.

--
*****************************
Chuck Anderson Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************

Sep 2 '08 #5

..oO(Chuck Anderson)
>Michael Fesser wrote:
>>
May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.

Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?
Headers are secured, but the addresses are still your task. There's no
input validation for them in PHPMailer. The script can't know if you
want to use a single address or multiple ones, so you have to check that
yourself before creating the email.

Micha
Sep 2 '08 #6
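The two replies above leave the validation to the script author: mail() passes the subject and additional headers through verbatim, and PHPMailer protects the headers it builds but does not decide whether an address field holds one address or a comma-separated list. The following is an added example, not code from the thread or from PHPMailer, of a form-mail handler that does those checks before calling mail(). The From: address, the recipient and the form field names are assumptions; the two sample submissions are constructed.

```php
<?php
// Added example, not code from the thread or from PHPMailer: the checks a
// form-mail script has to do itself, because mail() passes the subject and
// extra headers to the MTA verbatim and PHPMailer leaves address validation
// to the caller. The From: address and the form field names are assumptions.

// True if the value cannot end a header line: no CR, LF or NUL.
function is_clean_header_value($value) {
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

// Accept exactly one syntactically valid address, or return false.
// FILTER_VALIDATE_EMAIL rejects the comma-separated lists that a To:
// header would otherwise accept, and CR/LF with them.
function single_address($value) {
    $value = trim((string) $value);
    if (strlen($value) > 254 || !is_clean_header_value($value)) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL);
}

// Build the arguments for mail() from the POSTed form, or return null
// when any field fails validation. Refusing is safer than "repairing"
// the input by stripping characters.
function build_form_mail(array $post, $owner) {
    $reply_to = single_address(isset($post['email']) ? $post['email'] : '');
    $subject  = isset($post['subject']) ? trim((string) $post['subject']) : '';
    $message  = isset($post['message']) ? (string) $post['message'] : '';

    if ($reply_to === false || $subject === '' || !is_clean_header_value($subject)) {
        return null;
    }
    // The recipient and From: are fixed by the script, never taken from
    // the form; the visitor's address appears only in Reply-To:, and only
    // after it has been validated as a single address.
    $headers = "From: webform@example.com\r\n"      // assumed site address
             . "Reply-To: " . $reply_to . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return array(
        'to'      => $owner,
        'subject' => $subject,
        'body'    => wordwrap($message, 70, "\r\n", true),
        'headers' => $headers,
    );
}

// Constructed sample inputs: one ordinary submission and one whose
// address field carries a line break followed by a second header line.
$owner = 'owner@example.com';
$ok    = array('email' => 'visitor@example.org', 'subject' => 'Question', 'message' => 'Hello');
$crlf  = array('email' => "visitor@example.org\r\nX-Extra: header", 'subject' => 'Question', 'message' => 'Hello');

echo build_form_mail($crlf, $owner) === null ? "rejected\n" : "accepted\n";
$m = build_form_mail($ok, $owner);
if ($m !== null && mail($m['to'], $m['subject'], $m['body'], $m['headers'])) {
    echo "Message sent\n";
}
```

The design point is that no form field ever reaches the $to or $additional_headers arguments of mail() unvalidated: the recipient is hard-coded, the visitor's address is accepted only as a single RFC-style address, and any field that could terminate a header line is refused rather than cleaned up.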

Michael Fesser wrote:
May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
Does it get past Hotmail's spam filtering?

Sep 2 '08 #7

Michael Fesser wrote:
.oO(Jeff)
> I'm writing my php "form mail" script.

Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?

No. mail() is a rather low-level tool. You are responsible for feeding
it correct data.

BTW: CR and LF are not the only things to worry about in the TO: field.
This header also allows multiple comma-separated mail addresses ...
>It seems to me it easily could and
should, but does it?

May I suggest PHPMailer?
Yes!
>
http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
Certainly looks like a snap to send attachments and multipart. Not easy
in perl!

A few questions though.

Do you have to set the mail transport and host?

why this?:

$body = eregi_replace("[\]",'',$body); // for html

and for plain text do I just need to set word wrap and do:
$mail_instance->Body = $message;?

Jeff
>
Micha
Sep 2 '08 #8

Jeff wrote:
Michael Fesser wrote:
>.oO(Jeff)
>May I suggest PHPMailer?
>
Do you have to set the mail transport and host?
If you want to send via SMTP, yes. That's not set by default.

Or instead of isSMTP(), you can send by calling IsSendmail or IsQmail or even IsMail.
>
why this?:

$body = eregi_replace("[\]",'',$body); // for html
Good question, why strip backslashes? Are they worried about stray \r\n or \n?
and for plain text do I just need to set word wrap and do:
$mail_instance->Body = $message;?
It's just a string, yes. Setting a wordwrap would seem to be up to you.
Sep 2 '08 #9

RJ_32 wrote:
Michael Fesser wrote:
>May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.

Does it get past Hotmail's spam filtering?

Like using the mail() command - if you set your headers up correctly, it
does.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Sep 2 '08 #10

Twayne wrote:
>>Michael Fesser wrote:

.oO(Jeff)

I'm writing my php "form mail" script.
>
Does mail do any checking for header injection in the "to" and
"subject" parameters? CR and/or LF?
>
>
No. mail() is a rather low-level tool. You are responsible for
feeding it correct data.

BTW: CR and LF are not the only things to worry about in the TO:
field. This header also allows multiple comma-separated mail
addresses ...

It seems to me it easily could and
should, but does it?
>
>
May I suggest PHPMailer?

http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get
easier. Micha
Are you saying PhpMailer filters out comma separated email addrs,
CRLF's, etc., ... from headers?

Well, with hype like :

" strategies to get your emails past spam checkers, and
specifications for popular servers.
... more "

on their opening page, I'd say they should be drilled into the ground
until they meet lava and then another quarter mile just for good
measure. That soured me on them pretty quickly - they're spammer
friendly and the only good spammer is a dead spammer.


You misunderstand. ISP mail servers have become more stringent about
requiring certain protocols. Phpmailer is assuring you that it will
get you through all the proper protocols, not that it will perpetrate
deception.
Maybe; I have a pretty healthy paranoia factor and things like that jump
out at me. Strategies to get me past a spam checker should NOT be a
concern to any legit operation where the person about to receive the ad
knows it's coming. If he doesn't know it's coming, then guess what you
have? If he hasn't gone thru a confirmed optin process to be able to
receive the ad, then guess what the ad is? Let alone the points that
CONTENT is irrelevant to determining what is spam and what is not and
all the rest of it.
I don't necessarily think less of anyone who uses it, but I won't.
And if I get a mail I wasn't expecting and didn't opt into, guess what I
do with it?

Just my 2
Sep 2 '08 #11

..oO(Jeff)
>Michael Fesser wrote:
>>
May I suggest PHPMailer?

Yes!
>>
http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.

Certainly looks like a snap to send attachments and multipart. Not easy
in perl!
Not easy in PHP as well, because with mail() you would have to do it all
by hand.
>A few questions though.

Do you have to set the mail transport and host?
Depends on the used send method. I simply use the default, which uses
PHP's mail() function.
>why this?:

$body = eregi_replace("[\]",'',$body); // for html
Good question. Is it in the code or in an example? It's not in the
versions that I have here, so it seems to be a quite recent change.
>and for plain text do I just need to set word wrap and do:
$mail_instance->Body = $message;?
Yes.

Micha
Sep 2 '08 #12

Michael Fesser wrote:
>why this?:

$body = eregi_replace("[\]",'',$body); // for html

Good question. Is it in the code or in an example? It's not in the
versions that I have here, so it seems to be a quite recent change.

It's in an example, test_gmail.php

as in:
$body = $mail->getFile('contents.html');
$body = eregi_replace("[\]",'',$body);
the entire file is below, let's see how it posts:

<?php

//error_reporting(E_ALL);
error_reporting(E_STRICT);

date_default_timezone_set('America/Toronto');

include("class.phpmailer.php");
//include("class.smtp.php"); // optional, gets called from within class.phpmailer.php if not already loaded

$mail = new PHPMailer();

$body = $mail->getFile('contents.html');
$body = eregi_replace("[\]",'',$body);

$mail->IsSMTP();
$mail->SMTPAuth = true; // enable SMTP authentication
$mail->SMTPSecure = "ssl"; // sets the prefix to the server
$mail->Host = "smtp.gmail.com"; // sets GMAIL as the SMTP server
$mail->Port = 465; // set the SMTP port for the GMAIL server

$mail->Username = "yo**********@gmail.com"; // GMAIL username
$mail->Password = "yourpassword"; // GMAIL password

$mail->AddReplyTo("yo**********@gmail.com","First Last");

$mail->From = "na**@yourdomain.com";
$mail->FromName = "First Last";

$mail->Subject = "PHPMailer Test Subject via gmail";

//$mail->Body = "Hi,<br>This is the HTML BODY<br>";
//HTML Body
$mail->AltBody = "To view the message, please use an HTML compatible email viewer!"; // optional, comment out and test
$mail->WordWrap = 50; // set word wrap

$mail->MsgHTML($body);

$mail->AddAddress("wh***@otherdomain.com", "John Doe");

$mail->AddAttachment("images/phpmailer.gif"); // attachment

$mail->IsHTML(true); // send as HTML

if(!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!";
}

?>
Sep 2 '08 #13

..oO(RJ_32)
>Michael Fesser wrote:
>>why this?:

$body = eregi_replace("[\]",'',$body); // for html

Good question. Is it in the code or in an example? It's not in the
versions that I have here, so it seems to be a quite recent change.


it's in an example, test_gmail.php
Ah, OK. Actually I've never looked at the examples. I just used some
quick tutorial when I started using the class, the rest was mostly self-
explanatory or simply became clear by doing/trying.
>as in:
$body = $mail->getFile('contents.html');
$body = eregi_replace("[\]",'',$body);
Strange indeed. Can't think of a reason.

Micha
Sep 2 '08 #14

Michael Fesser wrote:
.oO(Jeff)
>Michael Fesser wrote:
>>May I suggest PHPMailer?
Yes!
>>http://phpmailer.codeworxtech.com/

This class does all the things you want and need. It's not that
difficult to get used to it and it works just great. Can't get easier.
Certainly looks like a snap to send attachments and multipart. Not easy
in perl!

Not easy in PHP as well, because with mail() you would have to do it all
by hand.
Hence PHPMailer! The Perl modules to do the equivalent are no walk in
the park.
>
>A few questions though.

Do you have to set the mail transport and host?

Depends on the used send method. I simply use the default, which uses
PHP's mail() function.
What is the default? mail seems to work everywhere I've checked so far
so I'd want that.

The examples I've seen seem to always set something, like:

$mail->IsSMTP();

and then: $mail->Host = '...

Jeff
>
>why this?:

$body = eregi_replace("[\]",'',$body); // for html

Good question. Is it in the code or in an example? It's not in the
versions that I have here, so it seems to be a quite recent change.
>and for plain text do I just need to set word wrap and do:
$mail_instance->Body = $message;?

Yes.

Micha
Sep 2 '08 #15
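For the question of what PHPMailer does when no transport is set, the following is an added example, not code from the thread or from the PHPMailer project. It sends a plain-text message without IsSMTP(), Host or Port, so the class uses its default mailer, PHP's mail(); calling IsMail() just makes that choice explicit. The include path, the From: address and the recipient are assumptions, and the single-address check is the caller's job that reply #6 describes.

```php
<?php
// Added example, not from the thread or from PHPMailer: the minimal script
// for the default (mail()) transport. The include path and addresses are
// assumptions.
require_once 'class.phpmailer.php';

// Send one plain-text message to one address through the default mailer.
// Returns a short status string instead of printing, so it can be reused.
function send_with_phpmailer($to, $subject, $text) {
    // PHPMailer secures the headers it builds, but it cannot know whether
    // $to is one address or a comma-separated list; reject anything that
    // is not exactly one valid address before it reaches the class.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return 'refused: not a single valid address';
    }
    $mail = new PHPMailer();
    $mail->IsMail();                            // explicit; same as the default
    $mail->From     = 'webform@example.com';    // assumed site address
    $mail->FromName = 'Web form';
    $mail->AddAddress($to);
    $mail->Subject  = $subject;
    $mail->WordWrap = 70;                       // wraps the plain-text body
    $mail->Body     = $text;                    // plain text: no IsHTML(), no MsgHTML()
    return $mail->Send() ? 'sent' : 'Mailer Error: ' . $mail->ErrorInfo;
}

// Constructed sample call.
echo send_with_phpmailer('owner@example.com', 'Form mail test', "Hello from the form.\n"), "\n";
```

Nothing here depends on an SMTP host being reachable; whatever sendmail path PHP's mail() is configured with is what PHPMailer uses, which is why the examples that set IsSMTP() and Host are a different, opt-in configuration rather than the default.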
