I've been an innocent victim of an email injection executed through one of my forms which posts data to a MySQL database.
I am looking for a simple solution (antidote) to prevent this from happening again. I've done some research and so far everything seems to focus on simply not allowing any carriage returns or new line characters (\r\n) or the phrase “Content-Type:” to be entered into any of the webform fields.
Some other posts refer to filtering user data, using regular expressions or string functions like str_replace, but this seems to only apply to arrays.
I am not an experienced programmer so any help will be totally appreciated. Thanks!
Here's my script:
<?php
// Receiving variables (the @ suppresses the notice raised when a field is missing)
@$pfw_ip = $_SERVER['REMOTE_ADDR'];
@$name = addslashes($_POST['name']);
@$title = addslashes($_POST['title']);
@$department = addslashes($_POST['department']);
@$phone = addslashes($_POST['phone']);
@$email = addslashes($_POST['email']);
@$type = addslashes($_POST['type']);
@$organization = addslashes($_POST['organization']);
@$address = addslashes($_POST['address']);
@$city = addslashes($_POST['city']);
@$state = addslashes($_POST['state']);
@$zip = addslashes($_POST['zip']);
@$comments = addslashes($_POST['comments']);
@$howdiduhear = addslashes($_POST['howdiduhear']);
$date = date("l, F j, Y, g:i a");
// Validation
// (ereg() was removed in PHP 7; preg_match() is its replacement. Note that this
// pattern is unanchored, so it only requires that an address-like substring exists
// somewhere in the field; it does not reject line breaks before or after it.)
if (! ereg('[A-Za-z0-9_-]+\@[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+', $email))
{
    header("Location: nope.php");
    exit;
}
if (strlen($email) == 0 )
{
    header("Location: nope.php");
    exit;
}
// Sending Email to form owner
// The submitted address is placed directly on a header line: this is the point
// where an injected line break lets extra headers into the message.
$pfw_header = "From: $email\n"
    . "Reply-To: $email\n";
$pfw_subject = "#*$! Request Product Information Form";
$pfw_email_to = "sales@#*$!.com, myemail@#*$!.com";
$pfw_message = "$date [CST]\n
This email has been automatically generated due to a submission via the referral form\n
Visitor's IP: $pfw_ip\n"
    . "Name: $name\n"
    . "Title: $title\n"
    . "Department: $department\n"
    . "Phone: $phone\n"
    . "Email: $email\n"
    . "Type: $type\n"
    . "Organization: $organization\n"
    . "Address: $address\n"
    . "City: $city\n"
    . "State: $state\n"
    . "Zip: $zip\n"
    . "Comments: $comments\n"
    . "How did you hear about Us?: $howdiduhear\n";
@mail($pfw_email_to, $pfw_subject, $pfw_message, $pfw_header);
// Sending auto respond Email to visitor
$pfw_header = "From: sales@#*$!.com\n"
    . "Reply-To: sale@#*$!.com\n";
$pfw_subject = "Thank you for submitting your request.";
$pfw_email_to = "$email";
$pfw_message = "Dear $name\n"
    . "\n"
    . "Thank you for your interest. A representative will be in contact with you within one business day.";
@mail($pfw_email_to, $pfw_subject, $pfw_message, $pfw_header);
// Saving record to MySQL database
// (the mysql_* functions were removed in PHP 7; mysqli or PDO replace them)
@$pfw_strQuery = "INSERT INTO `request`(`name`,`title`,`department`,`phone`,`email`,`date`,`type`, `organization`,`address`,`city`,`state`,`zip`,`comments`,`howdiduhear`)VALUES (\"$name\",\"$title\",\"$department\",\"$phone\",\"$email\",Now(),\"$type\", \"$organization\",\"$address\",\"$city\",\"$state\",\"$zip\",\"$comments\", \"$howdiduhear\")" ;
@$pfw_host = "localhost";
@$pfw_user = "user";
@$pfw_pw = "password";
@$pfw_db = "#*$!";
$pfw_link = mysql_connect($pfw_host, $pfw_user, $pfw_pw);
if (!$pfw_link) {
    die('Could not connect: ' . mysql_error());
}
$pfw_db_selected = mysql_select_db($pfw_db, $pfw_link);
if (!$pfw_db_selected) {
    // double quotes so the database name is actually interpolated into the message
    die("Cannot use $pfw_db: " . mysql_error());
}
// Insert new record
$pfw_result = mysql_query($pfw_strQuery);
if (!$pfw_result) {
    die('Invalid query: ' . mysql_error());
}
mysql_close($pfw_link);
header("Location: confirmation.php");
?>
[edited by: dreamcatcher at 8:51 pm (utc) on May 5, 2007]
[edit reason] Fixed side scroll. [/edit]
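A hardened version of the mail-building part of the script above, added here as an example; it is not code from the original post or from the linked thread. It assumes PHP 7.1 or later, and the function names (valid_email, header_line_safe, prepare_notification) and the sample submissions are hypothetical. It shows the two checks that close the hole: a strict single-address check before the address goes into From:/Reply-To:/To:, and a refusal of any header value containing a line break. Body fields need neither, because a newline inside the message body cannot start a new header.

```php
<?php
// Added example, not the original poster's script. Function names are hypothetical.

/**
 * Return the address if it is one well-formed e-mail address, otherwise null.
 * FILTER_VALIDATE_EMAIL rejects CR, LF, spaces and anything after a second
 * address, which is exactly what an injected header needs.
 */
function valid_email(string $input): ?string
{
    $email = trim($input);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    $checked = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $checked === false ? null : $checked;
}

/**
 * True only if the value fits on a single header line: no carriage return,
 * line feed or NUL byte anywhere in it.
 */
function header_line_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Turn a form submission into the arguments for mail(), or null if the
 * submission must be refused. Only the validated address reaches the headers.
 */
function prepare_notification(array $post, string $owner): ?array
{
    $email = valid_email($post['email'] ?? '');
    if ($email === null || !header_line_safe($email)) {
        return null;
    }
    // Header lines are separated by CRLF, and the block is built only from
    // values this function controls or has just validated.
    $headers = "From: $email\r\n"
             . "Reply-To: $email\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    // Body fields are copied as-is: a newline here stays inside the body.
    $body = date("l, F j, Y, g:i a") . "\n";
    foreach (['name', 'title', 'phone', 'comments'] as $field) {
        $body .= ucfirst($field) . ': ' . ($post[$field] ?? '') . "\n";
    }
    return ['to' => $owner, 'subject' => 'Request Product Information Form',
            'body' => $body, 'headers' => $headers];
}

// Constructed sample submissions (not real data). The second one carries a line
// break inside the address field, which is the shape of a header-injection attempt.
$clean   = ['name' => 'Jane Doe', 'email' => 'jane@example.com',
            'comments' => "line one\nline two"];
$hostile = ['name' => 'Jane Doe', 'email' => "jane@example.com\nContent-Type: text/plain",
            'comments' => ''];

foreach (['clean' => $clean, 'hostile' => $hostile] as $label => $post) {
    $mail = prepare_notification($post, 'sales@example.com');
    // A null result means the form is refused before mail() is ever called.
    echo $label, ': ', $mail === null ? 'rejected' : 'accepted', PHP_EOL;
}
// In the real handler an accepted result is passed on unchanged:
// mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
```

The same validated address is the only thing that should be used as the recipient of the auto-reply, so that `mail()`'s first argument cannot carry extra addresses either. Separately from the mail problem, the database insert in the posted script relies on addslashes(), which is not a reliable escape for SQL; a prepared statement through mysqli or PDO binds each field as data and removes the need to escape at all.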
A good library [webmasterworld.com] thread to read over regarding mail header injection attacks [webmasterworld.com]. :)