E-mail Injection

E-mail injection occurs when an attacker submits form field values containing unexpected extra lines of text, which end up in the From and/or Subject headers of the E-mail your form sends.

For instance, many web sites include a contact page so that visitors can send comments and suggestions. These forms usually ask the user for a subject and an E-mail address. The injection risk arises when these fields are placed into the headers of the E-mail that the script sends to the address assigned to receive contact submissions.

The injection works when the attacker adds extra lines to a field before submitting it to your script. If your script does not check the E-mail address entered, the injected lines find their way into the PHP mail() function. Then the rest is history.

The PHP mail() function accepts multi-line values in the To field and may treat the extra lines as additional headers of the E-mail message.

Click here http://securephp.damonkohler.com/index.php/Email_Injection for some more detailed examples of E-mail injection.

You can prevent E-mail injection in a number of ways. The easiest is to place user-submitted data only in the message body of the E-mail, never in its headers. If you want your script to automatically send a response message to the user, then you will need to verify that the E-mail address entered is valid and does not contain additional lines.

Click here http://www.bl0g.co.uk/?d=060214 for an alternative method of protecting your script from E-mail injection.
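As an added example (not from the original post), here is a PHP contact-form handler that applies both defences described above: free-text input goes only into the message body, and the address and subject are rejected if they contain a line break. The addresses and the two submissions are constructed for illustration.

```php
<?php
// Added example, not from the original post. The two submissions below
// are constructed; in a real handler they would come from $_POST.

// A header value must be a single line: a CR or LF is exactly what an
// injected header needs in order to start a new header line.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Validate the sender address and make sure it is one line only.
// Returns null when the value must not be placed in a header.
function safe_email(string $value): ?string
{
    $value = trim($value);
    if (!is_single_line($value)) {
        return null;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) ?: null;
}

$submissions = [
    ['email' => 'alice@example.com', 'subject' => 'Hello', 'msg' => 'Nice site.'],
    // Injection attempt: an extra header smuggled in after a line break.
    ['email' => "alice@example.com\r\nBcc: someone@example.net", 'subject' => 'x', 'msg' => 'spam'],
];

foreach ($submissions as $post) {
    $from    = safe_email($post['email']);
    $subject = is_single_line($post['subject']) ? $post['subject'] : null;

    if ($from === null || $subject === null) {
        echo "Rejected: field contains a line break or an invalid address\n";
        continue;
    }

    // Only the validated address reaches a header; the free-text message
    // goes into the body, where extra lines cannot become headers.
    $headers = "From: webmaster@example.com\r\nReply-To: $from\r\n";
    $ok = mail('contact@example.com', $subject, $post['msg'], $headers);
    echo $ok ? "Sent\n" : "mail() failed\n";
}
```

The first submission is accepted and passed to mail(); the second is rejected before any header is built, because the address contains a CRLF.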

CW1 – March 16, 2006

Welcome to the first podcast of Compiled Weekly. In today's podcast I introduce myself, promote the PodcasterNews.com podcast network, review the open source Ravencore web control panel, recommend the SciTE text editor, and cover Cross Site Scripting (XSS) and how to prevent it.


Creating PDF reports with PHP

If you have found yourself developing a web site that requires printable reports, then you will love this blog entry.

A year ago I created a PDF reporting system that used the HTMLtoPDF library from RustyParts.com (http://www.rustyparts.com/pdf.php). This is a great HTMLtoPDF converter. It utilizes Ghostscript and a few other nifty Perl scripts to generate the PDFs. The only drawback to this package is that it requires a few things to be installed on your server.

Today I came across a new HTMLtoPDF PHP library on SourceForge (http://html2fpdf.sourceforge.net/). This may be another alternative if you are in need of a report writing library but cannot install or modify the software required by the RustyParts HTMLtoPDF PHP library.