May 1st, 2008
How to Create Feedback Form in PHP - Part IV
How to Block Spammers from Misusing the Feedback Form
As we may all have noticed, many websites no longer post their webmaster’s email address, preferring instead to put up a contact or feedback form. Without a plethora of email addresses to harvest from websites, spammers have turned to using such feedback form scripts to send spam instead. As we are writing our own feedback form script, it is important that we write it in such a way as to prevent spammers from hijacking the script to spam others.
Understanding the Spammers’ Way of Working
A PHP script that sends email, such as the sendmail.php we created in the previous tutorials, typically calls the mail() function to deliver the message. For example, the code for such a script might look like the following.
mail( "yourname@example.com", "Feedback Form Results", $message, "From: $email" );
The code above sends the message to yourname@example.com, which is presumably the webmaster’s address. The sender’s address is set to the information contained in the $email variable, which is typically obtained from the web form.
If the script makes no effort to sanitize the $email variable before calling mail(), believe me, it is very easy for a spammer to inject additional headers into the email message by placing lines like the following into the $email variable.
some-email-address@example.com
CC: another-email-address@example.com,
yet-another-email-addresses@example.com,
etc-etc@example.com
The PHP mail() function will dumbly insert those lines into the header of the email message and pass it along to the mail transport agent, which in turn delivers the mail to everyone on that list. Your script has thus been hijacked to do the spammer’s bidding.
How to Prevent Spammers From Email Injection
To prevent email injection through the feedback form we are using in this tutorial, it is important that we check the information we receive in the $email variable. There are many ways to look out for attempts to insert email headers into your script; here is one of them:
if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
    // Write here code to display error message to user
    // Note: ereg() was removed in PHP 7; preg_match( "/[\r\n]/", $name ) performs the same test.
}
$name contains the visitor’s name, and $email holds the visitor’s email address. The function ereg() is called to find out whether the contents of those two variables include new line characters. New line characters, namely the carriage return ("\r" in PHP) and the line feed ("\n" in PHP), start a new line in the email headers, which is what allows a spammer to form a new "CC:" line. If the code above detects new line characters, the user is directed to an error page instead of the mail being sent.
Now add the above code to sendmail.php. I intentionally left this as your homework, but don’t worry, just try it; if you face any problem then let me know. But I request that you please try it first, so that it makes you more confident and comfortable with PHP.
Avoid this security hole in your PHP scripts that send mail by making sure that everything that goes into the email headers generated by your script is checked for potentially problematic characters like the ones above. Otherwise, your script might inadvertently be abused to send spam to others without your knowing.
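The check from this tutorial carried through into a complete validation routine, as an added example that is not part of the original tutorial. It uses preg_match() in place of ereg(), because ereg() was deprecated in PHP 5.3 and removed in PHP 7, and adds filter_var() as a second check on the address format. The function names, the feedback@example.com sender address and the two sample inputs are my own constructions, not code from the tutorial’s sendmail.php:

```php
<?php
// Added example (not from the original tutorial): header-injection checks
// for the feedback form, written for PHP 7.1 or later where ereg() no
// longer exists. preg_match() replaces ereg(); filter_var() validates the
// address format. Function names and sample values are constructed here.

/**
 * Return true when $value is safe to place in an email header line:
 * no carriage return, line feed or NUL byte, which is what an attacker
 * needs to start a new header line such as "CC:" or "Bcc:".
 * preg_match() returns 0 for no match and false on error, so only a
 * clean 0 counts as safe (errors fail closed).
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Validate the form fields that end up in the headers. Returns a list of
 * error messages; an empty array means the input may be used.
 */
function validateFeedbackInput(string $name, string $email): array
{
    $errors = [];
    if (!isSafeHeaderValue($name)) {
        $errors[] = 'Name contains line breaks.';
    }
    if (!isSafeHeaderValue($email)) {
        $errors[] = 'Email contains line breaks.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        // A single well-formed address cannot carry a second header.
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

/**
 * Build the additional headers for mail(), but only after the checks pass.
 * Returns null when the input is rejected so that nothing is sent.
 */
function buildFeedbackHeaders(string $name, string $email): ?string
{
    if (validateFeedbackInput($name, $email) !== []) {
        return null;
    }
    // Design choice: From: is fixed to an address this server owns and the
    // visitor's address goes into Reply-To:, so form input never sets From:.
    return "From: feedback@example.com\r\n"
         . "Reply-To: " . $email . "\r\n";
}

// --- Constructed sample inputs for demonstration ---
$legit  = ['name' => 'Jane Visitor', 'email' => 'jane@example.org'];
$attack = [
    'name'  => 'Spammer',
    // The same kind of payload the tutorial shows: a CC: header on a new line.
    'email' => "some-email-address@example.com\nCC: another-email-address@example.com",
];

foreach ([$legit, $attack] as $input) {
    $headers = buildFeedbackHeaders($input['name'], $input['email']);
    if ($headers === null) {
        $why = implode(' ', validateFeedbackInput($input['name'], $input['email']));
        echo "Rejected: " . $why . "\n";
    } else {
        echo "Accepted headers:\n" . $headers;
        // At this point sendmail.php would call mail($to, $subject, $message, $headers);
    }
}
```

Run it with the php command-line interpreter: the legitimate input prints an accepted header block, while the injected input is rejected before mail() would ever be reached. Rejecting the whole submission, rather than stripping the line breaks out, is deliberate: a visitor whose email field contains a newline has not typed a real address, so there is nothing worth repairing.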


May 3rd, 2008 at 4:49 am
Thanks for visiting my OnlineBiz and Resources Blog. I left you a message, by the way, at Blog Catalog. Thanks!!!
May 4th, 2008 at 2:19 am
I’m so sorry Pinay, but I didn’t get what you said!
May 4th, 2008 at 5:09 am
Hey Jim, she is my friend Pinay.
This is for me.