Email header injection is a leading cause of SPAM on the internet and comes from a simple omission when accepting user input from forms. Failure to adequately strip out possible injection characters leaves the headers easy prey to SPAMMERS, and when a spammer uses a form to send tens of thousands of email around the world, it is that domain that will find its way onto black lists.

As an example, a simple contact form may have fields “name”, “from”, “subject” and “message”. Lets look at a simple HTML form

(more…)

Abstract

One of the great benifits of PHP is its ease of access to new-comers. Its entry level is minimal and so attracts those looking for simple scripts to their sites. It is this same ease of access that becomes a problem as the new-comers begin to deal with input from users. Failure to adequately validate and sanitize data is the leading cause of security problems when dealing with PHP. This is, of course, not limitted to new-comers, and seasoned programmers rushing to meet deadlines who take short cuts in a bid to get the job out the door are just as likely to omit basic security principles.

(more…)