Prevention against email injections

Prevention against email injections

Posted in : PHP Posted on : January 10, 2011 at 5:45 PM Comments : [ 0 ]

This section contains the detail about Prevention against email injections in PHP.

Prevention against email injections

First you need to know what is email injection.

Email injection is the a security vulnerability that can occur in Internet applications that are used to send e-mail messages.

This email injection sends unwanted emails to different addresses.

The code given in previous tutorial(click here) has a serious security threat. It has email injection problem. If you insert data into the mail headers via the input form as given below :,,, 

After form submission., it will add to the mail headers and as a result header has an extra Cc:, Bcc:, and To: field. Due to this, the mail will be sent to all the mail address above.

How it can be prevent from email injections

The most efficient way to stop email injection is to validate the email input field.

Use the following function to prevent email injection :

function spamcheck($field)
  //filter_var() sanitizes the e-mail
  //address using FILTER_SANITIZE_EMAIL
  $field=filter_var($field, FILTER_SANITIZE_EMAIL);

  //filter_var() validates the e-mail
  //address using FILTER_VALIDATE_EMAIL
  if(filter_var($field, FILTER_VALIDATE_EMAIL))
    return TRUE;
    return FALSE;

Use it as follows :

if (isset($_REQUEST['email']))
  {//if "email" is filled out, proceed

  //check if the email address is invalid
  $mailcheck = spamcheck($_REQUEST['email']);
  if ($mailcheck==FALSE)
    echo "Invalid input";
    //send email

In the above code, we use two PHP filters to validate input :

1. FILTER_SANITIZE_EMAIL : removes all illegal e-mail characters from a string.

2. FILTER_VALIDATE_EMAIL : validates value as an e-mail address.

Go to Topic «PreviousHomeNext»

Your Comment:

Your Name (*) :
Your Email :
Subject (*):
Your Comment (*):
  Reload Image

Tutorial Topics