
On the PHP manual page for the mail function, there was a user comment saying "take care to prevent header injection".

In my application, I use the mail function, and the only user input I use as a parameter to the function is the email address.

I do a preliminary check of the email address using the regex ^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$.

Will this also protect against header injection?

Thanks,
jrh

2 Answers


Someone would want to inject something like this:

[email protected]
CC: [email protected], [email protected], [email protected]

You do not allow \r\n, which is needed for defining new header info. So your application is safe.


Header injection is a risk only if you put user-supplied stuff inside the message headers. One typical example is using the posted email address to set the Reply-To header.

This is what I use:

<?php
// Strip raw and URL-encoded line breaks, then header names, from the posted
// address before it is placed in a mail() header such as Reply-To.
$email = preg_replace(array("/\r/i", "/\n/i", "/%0a/i", "/%0d/i", "/Content-Type:/i", "/bcc:/i", "/to:/i", "/cc:/i", "/Content\-Transfer\-Encoding\:/i", "/Mime\-Version\:/i"), "", $email);
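A worked check for both answers, as an added example that is not from the question or either answer: it models the posted regex and the preg_replace() strip list with Python's re module (the mail() call itself is not reproduced). Python's "$" behaves like PCRE's here: without PHP's D modifier, "$" also matches just before a final newline, so a bare trailing "\n" passes the check as posted, while \Z (PCRE \z) rejects it. The addresses, subject and sender are constructed placeholders; build_header_block, parse_headers, header_names and the other names are this example's own, and the regex is compiled case-sensitively because the page shows no pattern modifiers.

```python
import re

# Example code added to this page; not the question's or answers' own code.
# The address regex is copied from the question; only the end anchor differs
# between the two compiled forms.
ADDRESS_PATTERN = r"^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})"
AS_POSTED = re.compile(ADDRESS_PATTERN + r"$")   # "$" also matches before a final "\n"
HARDENED = re.compile(ADDRESS_PATTERN + r"\Z")   # \Z matches only at the very end


def is_valid_address(address, pattern=HARDENED):
    """Accept/reject decision: an address that fails must never reach mail()."""
    return pattern.match(address) is not None


# Sequential strip list mirroring the preg_replace() call in the second answer
# (case-insensitive, applied one token at a time, in this order).
STRIP_TOKENS = ["\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:",
                "Content-Transfer-Encoding:", "Mime-Version:"]


def strip_header_tokens(address):
    """Remove line breaks and header names instead of rejecting the input."""
    for token in STRIP_TOKENS:
        address = re.sub(re.escape(token), "", address, flags=re.IGNORECASE)
    return address


def build_header_block(to, subject, sender):
    """Header block in the shape mail() assembles; a CRLF inside `to` starts a new header."""
    return "To: %s\r\nSubject: %s\r\nFrom: %s\r\n" % (to, subject, sender)


def parse_headers(block):
    """Split a CRLF-terminated header block into (name, value) pairs, as a mail agent reads it."""
    pairs = []
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def header_names(to):
    """Header names a receiving mail agent would see for an unchecked To value."""
    block = build_header_block(to, "Hello", "app@example.com")  # placeholder subject/sender
    return [name for name, _ in parse_headers(block)]


# Constructed payload of the kind shown in the first answer (placeholder addresses).
INJECTED_TO = "victim@example.com\r\nCc: spam1@example.com, spam2@example.com"


if __name__ == "__main__":
    print(header_names(INJECTED_TO))                         # ['To', 'Cc', 'Subject', 'From']
    print(header_names("victim@example.com"))                # ['To', 'Subject', 'From']
    print(is_valid_address(INJECTED_TO, AS_POSTED))          # False: "\r" is outside every class
    print(is_valid_address("jrh@example.com\n", AS_POSTED))  # True: "$" matched before the final "\n"
    print(is_valid_address("jrh@example.com\n"))             # False: \Z does not allow it
    print(repr(strip_header_tokens(INJECTED_TO)))            # one line, spam addresses still inside
```

Because "\r" and "\n" are outside every character class, the posted regex does reject the Cc payload; the only gap is a lone trailing newline, which PHP closes with the D modifier (preg_match('/^...$/D', $email)) or by ending the pattern with \z. Stripping, as in the second answer, removes the line breaks but leaves the rest of the payload glued into a single To value, so it is best followed by the validation rather than used instead of it.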
