Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Header Injection Prevention

Do I need to test for upper case of to: cc: etc?

8:17 pm on Jul 15, 2008 (gmt 0)

10+ Year Member

I am tightening up my form security because a spammer has been hammering my site. Only a couple of goobledegook messages have slid by but the resource consumption irks me.

I test for header injection data by looking in name and particularly email fields for signs of header injection e.g. to: or cc: also attempts to upload a file e.g. MIME-Version:

My question.
Do I need to test for all upper and/or all lower case versions of the above?

I guess the real question is, in the absence of other tests would, e.g. MIME-VERSION: or mime-version: succeed in uploading a file?

I guess that I can test just to be sure but I don't want to bother if it is not an issue.

Even though my regex edit prevents this stuff from getting through, I test for the attempts and then ban the IP's attempting this in my .htaccess file.


10:23 pm on Jul 15, 2008 (gmt 0)

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

You can limit the amount of data by using substr [php.net]

For cleaning the fields you could do something like:

$find = array(

$replace = array();

$name = str_replace($find,$replace,$name);
$email = str_replace($find,$replace,$email);


10:58 pm on Jul 15, 2008 (gmt 0)

10+ Year Member

Yes, I know how to do it - I just want to know if I have to check for the capitalized versions of the strings.

According to your example, it appears that I do.

So I will just specify something like:

$find = array(
and my test will be a variant of

if( $count = substr_count(strtoupper($_POST[ $field ]), strtoupper($badchr ) ){. . . do something . . .}

because this catches cc:, cC:, Cc: and CC:

(I don't bother with bcc: because cc: takes care of it.)

Thanks for responding

4:20 am on Jul 16, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Good point about not needing bcc:.

A more elegant option, which should be slightly more resource efficient, would be to use PHP 5's str_ireplace. After all 6 is going to be out before too long, it's time to stop avoiding 5 :-)

Something else you might consider doing, in order to stop the spammer from consuming more resources, would be log all IPs which fail your header test and temporarily block them. If not in .htaccess then early in the script before it has outputted anything or executed any major code. Chances are he repeats his proxy list at some point.

6:10 am on Jul 16, 2008 (gmt 0)

10+ Year Member

Yes, I am trying to catch them early in the script.

I only use PHP 5 didn't learn PHP 4.

I would use str_ireplace but I'm not replacing. I don't particularly like if(stripos($x) !== false) but I suppose it would be nicer here than strtoupper !

6:20 am on Jul 16, 2008 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member

While you can look for specific headers within the text to prevent from header injection and then throw up flags when they are found, there is another, simple method. What I like to do is to replace all newline (\n) and carriage return (\r) characters with spaces to eliminate the possibility that multiple headers will be injected. This should be done for ALL mail inputs, too, including the subject. So something as simple as a str_replace:

$bad = array("\r", "\n");
$subject = str_replace($bad, ' ', $subject);
# etc...

It would also be a good idea that someone recieves a copy of the emails sent out from your server just to keep tabs on it for awhile. You wouldn't want anything going on without your knowledge. This will also allow you to see attemps at cracking your emailing script.

6:55 am on Jul 16, 2008 (gmt 0)

10+ Year Member

My script is pretty thoroughly tested by now - I am just adding things to catch the folks trying to crack it so that I can ban them in my .htaccess file.

I use regex edits that are very effective. No '\r or \n or %0a etc. will get through the edits - ALL input fields (except the message) have these regex edits. I don't allow tags or links in the message either.

But even though I'm pretty confident, I don't want these folks hammering away at it, wasting my resources and perhaps finding a weakness I hadn't thought of.

So now, I'm adding specific detectors and depending on what I detect, I am immediately adding the ip address to a local ban list - and from there I will move the worst offenders to be denied in .htaccess.

For one of my sites, I have considered banning certain country blocks but according to spamhaus, a LOT of spam originates in the US, much of it likely from compromised machines, so the country blocking just reduces the volume but doesn't fix the problem.

Really appreciate the help and replies here.


Featured Threads

Hot Threads This Week

Hot Threads This Month