I have a PHP driven HTML contact form on my site. Currently I use the PHP mail() function. Because of that I have to do many user input validation to avoid email header injection attacks. I think I'm secure, but I probably forgot something and I want to move to a solid PHP email library. The library I selected is Swiftmailer.
Now I want to check if Swiftmailer address the following:
- Removes or escape
<
and>
characters in sender names. - Removes newlines (
\n
,\r\n
...) from sender names. - Removes or escape newlines from email subject.
- Normalize newlines in message body (the content of the email). As per the PHP docs,
\n
should be used in content and\r\n
as email headers separator.
PS: I tried to contact the Swiftmailer team with my questions without success so I'm trying here.
Edit:
I did some test cases with Swiftmailer and this is what I found so far:
- When you have a
<
or>
in the name of a sender, you get a Undeliverable email error mail. This can somewhat lead in a DOS attack of your mail server (maybe I'm wrong). I开发者_Python百科s this normal?! - The newlines are escaped so the injection attack fails.
- The newlines are escaped so the injection attack fails.
- Tested but I'm unable to see what Swiftmailer do (if it does something). So I'm still in the dark here.
Can someone clarify #1 and #4 for me? I'm not sure if it's normal behavior...
EDIT: This answer may be obsolete. At the time I wrote this, there were some problems with the SwiftMailer library. At this point, everything is working fine with the SwiftMailer
and is considered to be the better library with a lot more to offer than PHPMailer
.
I would suggest you use phpmailer. It is one of the most stable mailing libraries I've ever used. Here's an example code that should be working:
include("./phpmailer/class.phpmailer.php");
$mail = new PHPMailer(false); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP();
$mail->Host = "YourDomainName.com";
$mail->SMTPDebug = 2;
$mail->SMTPAuth = true;
$mail->SMTPSecure = "tls";
$mail->Host = "YourSMTPMailServer.com";
$mail->Port = 587;
$mail->Username = "your-auth-user@yoursmtpmailsercer.com";
$mail->Password = "password"; // GMAIL password
$mail->AddAddress("sendToThis@email.com", '<< >> ! " Receiver Name');
$mail->SetFrom('sendFROMthis@email.com', '<< >> ! " Sender Name');
$mail->Subject = "A testing subject";
$mail->AltBody = 'To view the message, please use an HTML compatible email viewer!';
$mail->MsgHTML('This is my <b>html</b> testing email, sent '.time());
$mail->Send();
You'll need to configure this so that it connects to your email server but it should be working. Phpmailer escapes so far everything I've tried. The only I'm checking is "sendToThis@email.com". I do it with this code:
$email = "sendToThis@email.com";
$email = filter_var(filter_var($email,FILTER_SANITIZE_EMAIL),FILTER_VALIDATE_EMAIL);
if($email){
echo "This email is valid!";
} else {
echo "This email is INVALID!";
}
I hope this helps :)
精彩评论