
Securing the form against email injection

Spammers look for exploitable email forms and use the form handler script as a relay for their spam: they submit the form with manipulated field values. To secure the form against this, we need to validate the submitted form data. Every value that ends up in the ‘headers’ parameter should be checked for line-break characters (newline and carriage return, plus their encoded forms). Attackers insert these characters so that the text after them is treated as extra header lines, which fools the mail-sending function. Here is the code:
<?php
// Returns true if $str contains characters that could be used to inject
// extra header lines into an email: newline, carriage return, tab, and
// their URL-encoded forms. Returns false otherwise.
function IsInjected($str){
    $injections = array('(\n+)',
           '(\r+)',
           '(\t+)',
           '(%0A+)',
           '(%0D+)',
           '(%08+)',
           '(%09+)'
           );

    // Combine the patterns into one case-insensitive regular expression.
    $inject = join('|', $injections);
    $inject = "/$inject/i";

    if(preg_match($inject,$str)){
      return true;
    } else {
      return false;
    }

}//end function
?>
In general, any value used in the header should be validated using the code above.
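The following is an added example, not code from the original article, showing how the check above is applied in a form handler: every value destined for the headers parameter is run through IsInjected (repeated here so the example runs on its own), the address is additionally validated with filter_var, and the header string is only built when all checks pass. The field names, the sample submissions and the example.com addresses are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): validate every form value
// that will end up in the headers of mail() before building the header string.
// Field names, sample inputs and the example.com addresses are constructed.

function IsInjected($str) {
    $injections = array('(\n+)', '(\r+)', '(\t+)',
                        '(%0A+)', '(%0D+)', '(%08+)', '(%09+)');
    $inject = "/" . join('|', $injections) . "/i";
    return preg_match($inject, $str) === 1;
}

// Build the extra headers for mail(), or return null if any header value
// fails validation. Only values that go into headers are checked here;
// the message body may legitimately contain line breaks.
function build_headers(array $form) {
    $name  = isset($form['name'])  ? trim($form['name'])  : '';
    $email = isset($form['email']) ? trim($form['email']) : '';

    if ($name === '' || $email === '') {
        return null;
    }
    // Reject anything carrying line breaks or their encoded forms.
    if (IsInjected($name) || IsInjected($email)) {
        return null;
    }
    // A syntactically valid address cannot contain a bare line break either,
    // so this is a second check on the field most often abused.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: $name <$email>\r\n" .
           "Reply-To: $email\r\n";
}

// Constructed sample submissions: one clean, two carrying injected header lines.
$samples = array(
    'clean'       => array('name' => 'Alice', 'email' => 'alice@example.com'),
    'raw_newline' => array('name' => 'Alice', 'email' => "alice@example.com\r\nBcc: list@example.com"),
    'encoded'     => array('name' => 'Alice%0ABcc: list@example.com', 'email' => 'alice@example.com'),
);

foreach ($samples as $label => $form) {
    $headers = build_headers($form);
    if ($headers === null) {
        echo "$label: rejected, mail() not called\n";
    } else {
        echo "$label: accepted, headers =\n$headers";
        // mail($to, $subject, $body, $headers) would be called here.
    }
}
```

Running this prints "accepted" for the clean submission and "rejected" for the other two. One caveat worth knowing: PHP decodes URL-encoded form data before filling $_POST, so a submitted %0A arrives in the script as a real newline character. The encoded patterns in IsInjected therefore only catch double-encoded input; the plain \n and \r patterns do the real work and must never be left out.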
