Welcome to the JaguarPC Community

This is a discussion on php script to avoid header injection and spam in the Design and Development forum

  1. #1 | Loyal Client | Join Date: May 2008 | Posts: 16

    php script to avoid header injection and spam

    Hello, I am copying the code I have; it is the PHP code and the HTML form used to send a contact form. Since I have twice been the victim of header injection, I would like to know if somebody can give me a hand with this code. I am not a programmer, so it is hard for me. I would like to know if all input data is validated on the server side (I have also validated the client side with JavaScript):

    <?php
    $errors = array();
    $result = '';
    // Make sure every field exists so the form can be redisplayed on first load without notices
    foreach (array('nombre', 'email', 'asunto', 'mensaje') as $campo) {
        if (!isset($_POST[$campo])) {
            $_POST[$campo] = '';
        }
    }
    if (isset($_POST['boton'])) {
        if ($_POST['nombre'] == '' or !preg_match('/^[a-z0-9()\/\'":\*+|,.; \- !?&#$@]{2,75}$/i', $_POST['nombre'])) {
            $errors[1] = '<span class="error">Enter your name</span>';
        } else if ($_POST['email'] == '' or !preg_match('/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $_POST['email'])) {
            $errors[2] = '<span class="error">Enter a valid email</span>';
        } else if ($_POST['asunto'] == '') {
            $errors[3] = '<span class="error">Enter a subject</span>';
        } else if ($_POST['mensaje'] == '') {
            $errors[4] = '<span class="error">Enter a message</span>';
        } else {
            $dest = "my@example.com"; // Destination email
            $nombre = $_POST['nombre'];
            $email = $_POST['email'];
            $asunto = $_POST['asunto']; // Subject: only checked for being non-empty before it reaches mail()
            $cuerpo = $_POST['mensaje']; // Message body
            // Mail headers
            $headers = "From: $nombre $email\r\n"; // Who is sending? (built from the raw POST values)
            $headers .= "X-Mailer: PHP5\n";
            $headers .= 'MIME-Version: 1.0' . "\n";
            $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            if (mail($dest, $asunto, $cuerpo, $headers)) {
                $result = '<div class="result_ok">Thank you!! Email sent successfully</div>';
                // if sending succeeded, reset what the user typed:
                $_POST['nombre'] = '';
                $_POST['email'] = '';
                $_POST['asunto'] = '';
                $_POST['mensaje'] = '';
            } else {
                $result = '<div class="result_fail">There was an error sending the message</div>';
            }
        }
    }
    // Strips CR/LF and some header keywords from a value; note that nothing above calls this function
    function safe($nombre) {
        return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $nombre);
    }
    ?>
    <form class='contacto' method='POST' action=''>
    <div><label>Your Name:</label><input type='text' class='nombre' name='nombre' value='<?php echo htmlspecialchars($_POST['nombre'], ENT_QUOTES); ?>'><?php if (isset($errors[1])) echo $errors[1]; ?></div>
    <div><label>Your Email:</label><input type='text' class='email' name='email' value='<?php echo htmlspecialchars($_POST['email'], ENT_QUOTES); ?>'><?php if (isset($errors[2])) echo $errors[2]; ?></div>
    <div><label>Subject:</label><input type='text' class='asunto' name='asunto' value='<?php echo htmlspecialchars($_POST['asunto'], ENT_QUOTES); ?>'><?php if (isset($errors[3])) echo $errors[3]; ?></div>
    <div><label>Message:</label><textarea rows='6' class='mensaje' name='mensaje'><?php echo htmlspecialchars($_POST['mensaje'], ENT_QUOTES); ?></textarea><?php if (isset($errors[4])) echo $errors[4]; ?></div>
    <div><input type='submit' value='Send Message' class='boton' name='boton'></div>
    <?php echo $result; ?>
    </form>

  2. #2 | Loyal Client | Join Date: May 2008 | Posts: 16
    Hi,
    I have erased this from the above code:
    function safe( $nombre ) {
    return( str_ireplace(array( "\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:","to:","cc:" ), "", $nombre ) );
    }
    and have added this:

    // All the values that go in the 'headers' parameter should be checked to see whether they contain \r or \n
    function IsInjected($str)
    {
        $injections = array('(\n+)',
                            '(\r+)',
                            '(\t+)',
                            '(%0A+)', // $_POST is already URL-decoded, so these percent forms
                            '(%0D+)', // only catch a literal "%0A"/"%0D" typed into the field;
                            '(%08+)', // a decoded one arrives as a real \n or \r and is caught above
                            '(%09+)'
                            );

        $inject = join('|', $injections);
        $inject = "/$inject/i";

        if (preg_match($inject, $str))
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    // $visitor_email must hold the submitted address; with the form from the first post that is $_POST['email']
    $visitor_email = isset($_POST['email']) ? $_POST['email'] : '';
    if (IsInjected($visitor_email))
    {
        echo "Bad email value!";
        exit;
    }

    The form works OK, I tested it, but I am not sure if it is protected against header injection. I have read somewhere that you only have to validate the fields in the header, and in another place that you have to validate all fields inside the mail() function. I would deeply appreciate some help! Thanks

  3. #3 | JPC Member | Join Date: Oct 2011 | Posts: 3
    Thanks jackie for sharing the php script to avoid header injection and spam.

  4. #4 | JPC Member martin86 | Join Date: Jan 2012 | Posts: 6
    I also check all fields for "MIME-Version:", "Content-Type" and "@mydomain.com" because these are often used in spamming attempts (both header injection and advertisements).
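The question in #2 (validate only the header fields, or everything that goes into mail()?) and the keyword list in #4 come down to one rule: every value that is placed in a mail header must be refused if it contains a CR or LF, because a line break is what lets a visitor end your header and start a "Bcc:" or second "Content-Type:" line of their own. With PHP's mail() that means the recipient, the subject (PHP writes it as a "Subject:" header in front of your extra headers) and every line of the extra headers; the message body sits after the blank line that ends the headers, so CR/LF in it is just text. The following is an added example, not code from the thread or from JaguarPC. It assumes the field names from post #1 (nombre, email, asunto, mensaje), uses my@example.com as a placeholder for the site's own mailbox, and the helper names (contains_header_break, build_contact_mail, send_contact_mail) are mine.

```php
<?php
// Added example, not code from the thread: a header-safe wrapper around mail().
// Assumptions: the form fields are named as in post #1 (nombre, email, asunto,
// mensaje) and $to is the site's own mailbox (my@example.com is a placeholder).

// True if $value could terminate a header line. Raw CR/LF/NUL is what matters:
// PHP has already URL-decoded $_POST, so a literal "%0a" in the string is
// harmless text, and a decoded one shows up here as a real "\n".
function contains_header_break($value)
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}

// Validates the submission and returns either the errors or the exact
// arguments that would be handed to mail(). Nothing is sent here, so the
// result can be inspected without an MTA.
function build_contact_mail(array $post, $to)
{
    $name    = isset($post['nombre'])  ? trim($post['nombre'])  : '';
    $email   = isset($post['email'])   ? trim($post['email'])   : '';
    $subject = isset($post['asunto'])  ? trim($post['asunto'])  : '';
    $body    = isset($post['mensaje']) ? $post['mensaje']       : '';

    $errors = array();
    // The name goes into Reply-To, so it is a header value: length-limit it and refuse CR/LF.
    if ($name === '' || strlen($name) > 75 || contains_header_break($name)) {
        $errors[] = 'nombre';
    }
    // FILTER_VALIDATE_EMAIL already rejects addresses with whitespace or control
    // characters; the explicit check keeps the rule visible and independent of it.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || contains_header_break($email)) {
        $errors[] = 'email';
    }
    // The subject is a header too, so it gets exactly the same check as From/Reply-To.
    if ($subject === '' || strlen($subject) > 200 || contains_header_break($subject)) {
        $errors[] = 'asunto';
    }
    // The body cannot inject headers; only emptiness is checked here.
    if (trim($body) === '') {
        $errors[] = 'mensaje';
    }
    if (count($errors) > 0) {
        return array('ok' => false, 'errors' => $errors);
    }

    // From: is a fixed address of our own (here the same mailbox as the destination);
    // the visitor goes in Reply-To, quoted as a display name so that '<', ',' or '"'
    // in the name cannot change the structure of the header.
    $display = '"' . str_replace(array('\\', '"'), array('\\\\', '\\"'), $name) . '"';
    $headers = array(
        'From: Contact form <' . $to . '>',
        'Reply-To: ' . $display . ' <' . $email . '>',
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8', // plain text: no visitor-supplied HTML is mailed
        'X-Mailer: PHP/' . phpversion(),
    );

    return array(
        'ok'      => true,
        'to'      => $to,
        'subject' => $subject,
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    );
}

// Sends only when validation passed; returns the validation result plus mail()'s status.
function send_contact_mail(array $post, $to)
{
    $m = build_contact_mail($post, $to);
    if ($m['ok']) {
        $m['sent'] = mail($m['to'], $m['subject'], $m['body'], $m['headers']);
    }
    return $m;
}

// Constructed sample submissions (not real traffic) to exercise the checks.
$legit = array(
    'nombre'  => 'Ana Perez',
    'email'   => 'ana@example.com',
    'asunto'  => 'Question about hosting',
    'mensaje' => "Hello,\r\nI have a question about your plans.",
);
// Classic injection attempt: a CRLF inside the subject followed by a Bcc line.
$attack = array(
    'nombre'  => 'Ana Perez',
    'email'   => 'ana@example.com',
    'asunto'  => "Hello\r\nBcc: victim1@example.net, victim2@example.net",
    'mensaje' => 'Buy now',
);

print_r(build_contact_mail($legit, 'my@example.com'));
print_r(build_contact_mail($attack, 'my@example.com'));
```

Run against the code in post #1, the $attack submission goes straight through, because the subject is only checked for being empty and is then passed to mail() unchanged; the two Bcc addresses would be added to the message. Here the same submission comes back with 'ok' => false and 'asunto' in the error list, while the legitimate one (whose body contains a CRLF, which is fine) is accepted. Once no CR/LF can survive in a header value, a keyword such as "Bcc:" or "MIME-Version:" in a name or subject is just text, so the blocklist from #4 becomes optional rather than the line of defence.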
