Preventing PHP injection headers


Preventing PHP injection headers

Postby phpsounds » Wed Feb 15, 2012 7:26 am

Hi folks

I'll admit it right up front that I'm a complete newbie and am having trouble. I have tried searching for the answer to this and get the concept but can't make it work. I've just set up a form and understand that filtering out certain characters to prevent spamming and injection of headers is the wise thing to do. I've tried various bits of code but it's just not happening. If anyone could be so kind as to post back the full code including the below so I can see where it goes and what variables are used, I'd be very grateful. Any other tips on things to implement along these lines would be appreciated too (thinking of using a Captcha on the form page, but one step at a time...). Thanks


<?php
 $to = $_REQUEST['SendTo'] ;
 $from = $_REQUEST['Email'] ;
 $namefirst = $_REQUEST['NameFirst'] ;
 $namelast = $_REQUEST['NameLast'] ;
 $headers = "From: $from";
 $subject = "Enquiry";
 
 $fields = array();
 $fields{"NameFirst"} = "First Name";
 $fields{"NameLast"} = "Last Name";
 $fields{"Firm"} = "Firm";
 $fields{"City"} = "City";
 $fields{"Email"} = "Email Address";
 $fields{"Phone"} = "Phone Number";
 $fields{"Message"} = "Message";

 $body = "The following information has been submitted via the website:\n\n";
 foreach ($fields as $a => $b) {
     $body .= sprintf("%20s: %s\n\n", $b, $_REQUEST[$a]);
 }
 
 $headers2 = "From: email@email.com";
 $subject2 = "Thank you for your enquiry";
 $autoreply = "We have received your enquiry. You will receive a phone call or email from me shortly.\n\nWith kind regards,\n\nOwner";
 
 $send = mail($to, $subject, $body, $headers);
 $send2 = mail($from, $subject2, $autoreply, $headers2);
 if($send)
 {header( "Location: http://www.test.com/contact_submitted.htm" );}
 else
 {print "We encountered an error sending your mail, please notify webmaster@test.com"; }
 ?>
phpsounds
Forum Newbie
 
Posts: 11
Joined: Wed Feb 15, 2012 7:15 am

Re: Preventing PHP injection headers

Postby social_experiment » Wed Feb 15, 2012 9:45 am

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2775
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za

Re: Preventing PHP injection headers

Postby phpsounds » Wed Feb 15, 2012 11:32 am

Thanks. That's the kind of code I've been playing with. I can make it strip out the characters after the $body is defined but how do I apply it to the array - which I think I should be doing?

I'm sorry, this is probably very basic stuff and I do intend to get the basics understood asap, but clearly I'm stumbling right now. Thanks for the help.
phpsounds
Forum Newbie
 
Posts: 11
Joined: Wed Feb 15, 2012 7:15 am

Re: Preventing PHP injection headers

Postby social_experiment » Wed Feb 15, 2012 4:34 pm

<?php
 $fields = array();
 $fields{"NameFirst"} = "First Name";
 $fields{"NameLast"} = "Last Name";
 $fields{"Firm"} = "Firm";
 $fields{"City"} = "City";
 $fields{"Email"} = "Email Address";
 $fields{"Phone"} = "Phone Number";
 $fields{"Message"} = "Message";

foreach ($fields as $key => $value) {
    $cleanField[] = sanitizeFunction($value);
}
?>

You can loop through the array like you do when creating the body of the message; sanitizeFunction() will be something like the example in url which will sanitize each of the values. Once this is done you continue as normal, passing $cleanField to the next foreach loop as opposed to $fields.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2775
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za

Re: Preventing PHP injection headers

Postby phpsounds » Wed Feb 15, 2012 5:53 pm

I have a headache... I figured when I saw the last post "oh makes perfect sense", but the result of the below code is no user submitted info coming through on the email. It's like everything is stripped out or the variable being used is empty. Clearly I have far to go, but one last helping hand? Thanks again

 $fields = array();
 $fields{"NameFirst"} = "First Name";
 $fields{"NameLast"} = "Last Name";
 $fields{"Firm"} = "Firm";
 $fields{"City"} = "City";
 $fields{"Email"} = "Email Address";
 $fields{"Phone"} = "Phone Number";
 $fields{"Message"} = "Message";
 
 function sanitizeFunction($string) {
     return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
 }

 foreach ($fields as $key => $value) {
     $cleanField[] = sanitizeFunction($value);
 }

 $body = "The following information has been submitted via the website:\n\n";
 foreach ($cleanField as $a => $b) {
     $body .= sprintf("%20s: %s\n\n", $b, $_REQUEST[$a]);
 }
phpsounds
Forum Newbie
 
Posts: 11
Joined: Wed Feb 15, 2012 7:15 am

Re: Preventing PHP injection headers

Postby social_experiment » Wed Feb 15, 2012 6:08 pm

 $fields{"NameFirst"} = "First Name";

Try changing the curly braces to square brackets; { to [ and } to ]. Currently I don't think the values are being assigned to the array $fields.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2775
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za

Re: Preventing PHP injection headers

Postby phpsounds » Wed Feb 15, 2012 6:44 pm

Nope. I now have the below. Changed the curly to square, tested without the function and the info came through. Put in the sanitizing exactly as below and no data comes through, just the data labels...

$fields = array();
 $fields["NameFirst"] = "First Name";
 $fields["NameLast"] = "Last Name";
 $fields["Firm"] = "Firm";
 $fields["City"] = "City";
 $fields["Email"] = "Email Address";
 $fields["Phone"] = "Phone Number";
 $fields["Message"] = "Message";
 
 function sanitizeFunction($string) {
     return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
 }

 foreach ($fields as $key => $value) {
     $cleanField[] = sanitizeFunction($value);
 }

 $body = "The following information has been submitted via the website:\n\n";
 foreach ($cleanField as $a => $b) {
     $body .= sprintf("%20s: %s\n\n", $b, $_REQUEST[$a]);
 }
phpsounds
Forum Newbie
 
Posts: 11
Joined: Wed Feb 15, 2012 7:15 am

Re: Preventing PHP injection headers

Postby social_experiment » Thu Feb 16, 2012 1:46 am

<?php
foreach ($fields as $key => $value) {
      $cleanField[] = sanitizeFunction($_POST[$value]);
 }
?>

Try modifying the sanitize function like above; until you mentioned the labels I wondered how you passed the data along. Note that if you use a value in your form like 'Phone Number' it's possible that you will not get the data passed from the form (if you have error reporting enabled this will show up as a notice: "Undefined Index"); opt for PhoneNumber or anything that doesn't contain a space.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2775
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za

Re: Preventing PHP injection headers

Postby phpsounds » Thu Feb 16, 2012 2:10 pm

Sorry, still not working. I've included below the html form on the contact.htm page. This calls contact.php as the action. The full php code is under that. The addition of the POST as suggested resulted in all the labels being stripped and just city and firm data showing up as labels in the received email. I appreciate all the time being donated re this.

<form method="post" action="contact.php">
<input type="hidden" name="SendTo" value="test@test.com" />
<table width="675" border="0" cellspacing="5" cellpadding="0">
  <tr>
    <td width="110">First Name:</td>
    <td width="262"><input type="text" size=25 name="NameFirst"></td>
    <td width="119">Last Name:</td>
    <td width="159"><input type="text" size=25 name="NameLast"></td>
  </tr>
  <tr>
    <td>Firm:</td>
    <td><input type="text" size=25 name="Firm"></td>
    <td>City:</td>
    <td><input type="text" size=25 name="City"></td>
  </tr>
  <tr>
    <td>Email Address:</td>
    <td><input type="text" size=25 name="Email"></td>
    <td>Phone:</td>
    <td><input type="text" size=25 name="Phone"></td>
  </tr>
  <tr>
    <td>Message:</td>
    <td colspan="3"><textarea name="Message" rows=5 cols=68></textarea></td>
  </tr>
  <tr>
    <td></td>
</table>
</form>



<?php
 $to = $_REQUEST['SendTo'] ;
 $from = $_REQUEST['Email'] ;
 $namefirst = $_REQUEST['NameFirst'] ;
 $namelast = $_REQUEST['NameLast'] ;
 $headers = "From: $from";
 $subject = "Mediation Enquiry";
 
 $fields = array();
 $fields["NameFirst"] = "FirstName";
 $fields["NameLast"] = "LastName";
 $fields["Firm"] = "Firm";
 $fields["City"] = "City";
 $fields["Email"] = "EmailAddress";
 $fields["Phone"] = "PhoneNumber";
 $fields["Message"] = "Message";
 
 function sanitizeFunction($string) {
     return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
 }

 foreach ($fields as $key => $value) {
     $cleanField[] = sanitizeFunction($_POST[$value]);
 }

 $body = "The following information has been submitted via the website:\n\n";
 foreach ($cleanField as $a => $b) {
     $body .= sprintf("%20s: %s\n\n", $b, $_REQUEST[$a]);
 }

 $headers2 = "From: test@test.com";
 $subject2 = "Thank you for your enquiry";
 $autoreply = "We have received your enquiry. You will receive a phone call or email from me shortly.\n\nWith kind regards,\n\nOwner";
 
 $send = mail($to, $subject, $body, $headers);
 $send2 = mail($from, $subject2, $autoreply, $headers2);
 if($send)
 {header( "Location: http://www.test.com/contact_submitted.htm" );}
 else
 {print "We encountered an error sending your mail, please notify webmaster@test.com"; }
?>
phpsounds
Forum Newbie
 
Posts: 11
Joined: Wed Feb 15, 2012 7:15 am

Re: Preventing PHP injection headers

Postby social_experiment » Thu Feb 16, 2012 4:38 pm

<?php
$fields = array(
        'NameFirst',
        'NameLast',
        'Firm',
        'City',
        'Email',
        'Phone',
        'Message',
 );
 
 function sanitizeFunction($string) {
     return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
 }

 foreach ($fields as $value) {
     $cleanField[$value] = sanitizeFunction($_POST[$value]);
 }

 $body = "The following information has been submitted via the website:\n\n";
 foreach ($cleanField as $a => $b) {
     $body .= sprintf("%20s: %s\n\n", $a, $b);
 }
?>

Tested this code and it works; the problem was likely with the $cleanField foreach loop. Note that if you use $_REQUEST[$a] in the sprintf function you will be using data that has not been sanitized by the sanitizeFunction() function.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2775
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za
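The thread ends with a sanitizer that strips newline characters out of every submitted value before the body is built. The handler below is an added example, not the thread's own code, and it applies the same idea where header injection actually matters: the recipient is fixed in the script instead of being read from the hidden SendTo field (a hidden field is still supplied by the client and can be changed), the submitted e-mail address is validated with filter_var() and rejected outright if it contains CR or LF rather than silently stripped, and that address goes into Reply-To while From stays a fixed address. The field names match the form posted above; the example.com addresses, the function names and the constructed sample submission are assumptions.

```php
<?php
// contact_hardened.php: added example, not the thread's own code.
// Assumptions: the form posts the same field names as in the thread
// (NameFirst, NameLast, Firm, City, Email, Phone, Message); the two
// example.com addresses are placeholders to be replaced with real ones.

declare(strict_types=1);

const CONTACT_RECIPIENT = 'owner@example.com';   // fixed here, never taken from the request
const CONTACT_SENDER    = 'noreply@example.com'; // fixed From address

// Field name => label used in the e-mail body. Anything not listed here is ignored.
const CONTACT_FIELDS = [
    'NameFirst' => 'First Name',
    'NameLast'  => 'Last Name',
    'Firm'      => 'Firm',
    'City'      => 'City',
    'Email'     => 'Email Address',
    'Phone'     => 'Phone Number',
    'Message'   => 'Message',
];

/**
 * True if $value can sit inside a mail header without starting a new
 * header line: no CR, LF, NUL and no percent-encoded CR/LF either.
 * A regex error (preg_match() returning false) counts as unsafe.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/(\r|\n|\x00|%0[aAdD])/', $value) === 0;
}

/**
 * Validates the address that will go into Reply-To. Rejects instead of
 * stripping: returns a single valid address or null.
 */
function validReplyTo(string $candidate): ?string
{
    $candidate = trim($candidate);
    if (!isHeaderSafe($candidate)) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Builds the message body from the whitelisted fields only. Body text may
 * legitimately contain line breaks (the Message textarea), so those are
 * kept; other control characters are dropped. Only header values must be
 * newline-free, and those never come from this function.
 */
function buildBody(array $post): string
{
    $body = "The following information has been submitted via the website:\n\n";
    foreach (CONTACT_FIELDS as $name => $label) {
        // A field posted as an array (name[]) is treated as empty rather than cast to "Array".
        $raw = is_string($post[$name] ?? null) ? $post[$name] : '';
        $normalised = str_replace(["\r\n", "\r"], "\n", $raw);
        // Remove every Unicode control character except \n and \t; invalid UTF-8 yields ''.
        $clean = preg_replace('/[^\PC\n\t]/u', '', $normalised) ?? '';
        $body .= sprintf("%20s: %s\n\n", $label, $clean);
    }
    return $body;
}

/** Returns ['ok' => bool, 'error' => ?string]; only sends when the visitor's address is valid. */
function handleContact(array $post): array
{
    $replyTo = validReplyTo(is_string($post['Email'] ?? null) ? $post['Email'] : '');
    if ($replyTo === null) {
        return ['ok' => false, 'error' => 'Please supply a valid e-mail address.'];
    }
    $headers = 'From: ' . CONTACT_SENDER . "\r\n"
             . 'Reply-To: ' . $replyTo . "\r\n"
             . 'Content-Type: text/plain; charset=UTF-8';
    $sent = mail(CONTACT_RECIPIENT, 'Enquiry', buildBody($post), $headers);
    return ['ok' => $sent, 'error' => $sent ? null : 'Mail could not be sent.'];
}

// Constructed sample submission (not real traffic): the Email value carries a
// CR/LF followed by an extra header line, which the old sanitizer would have
// stripped and this handler rejects before anything is sent.
$sample = [
    'NameFirst' => 'Ada',
    'Email'     => "ada@example.com\r\nBcc: someone@example.net",
    'Message'   => "Hello,\nplease call me.",
];
$result = handleContact($sample);
// $result['ok'] is false and $result['error'] asks for a valid address; mail() was never reached.
```

Compared with the thread's script, this version drops the auto-reply to the visitor-supplied address: with a fixed recipient and a From address that is never built from request data, the only user-controlled header value is the validated Reply-To, and there is no longer a code path that sends mail to an address chosen by whoever submits the form.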

