[thelist] injection attacks on php contact form

Garth Hagerman hagerman at mcn.org
Tue Nov 29 17:27:13 CST 2005

Hi everybody-
I have a simple contact form, using php and its mail() function, which 
I use on several sites (with modifications for the needs of the 
particular site). Over the past few months, I've been getting 
increasing amounts of gibberish emails from it. After some Googling and 
reading, I have learned that these are injection attacks; bad guys are 
using my contact form for their own nefarious ends. To stop them, I've 
adopted a mutli-pronged attack:
1. A graphic password that only a human user should be able to read.
2. The processing script uses eregi() to look for "\n", "\r", 
"Content-Type:", and "MIME-Version:" in the input data. If any of those 
are found, it doesn't send the email.
3. The processing script checks for a blank user email address or one 
from the site's domain. There has always been a standard Javascript on 
the form which checks for credible email addresses, but the bad guys 
have been getting around that.
4. Limits on the length of subject and user email fields. The body of 
the message can still be as long as necessary.

My questions: does this seem adequate? Are there any known attack 
methods that would be likely to get through these checks? Is it 
overkill? Might some legitimate inquiries be lost through the security 

      Thanks in advance-

More information about the thelist mailing list