Email injection with PHP
Posted on September 27, 2005, under Web Dev/Tech.
SecurePHP has a very well written article on how to manipulate a PHP form with e-mail injection. The article goes step-by-step and builds up to showing how a malicious user could send spam or worse through your form. If you use PHP to send e-mails, you should read this article.
Update: I just tested the outlined injections on a form I wrote that uses PEAR’s Mail package, and it appears that most of the injections fail.
Specifically, as part of the validation routine, I check to see if the e-mail address is valid using the parseAddressList() method. However, that could still allow multiple recipients, and I will probably look at changing the validation to use isValidInetAddress().
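The gap described above (an address parser that happily accepts a comma-separated list, plus raw CR/LF characters reaching the headers) can be closed without waiting on a library change. The following is an added example, not code from this post or from PEAR's Mail package: it uses plain PHP's filter_var() in place of isValidInetAddress() to insist on exactly one mailbox, and separately rejects any header-bound field containing a line break. The function names (hasHeaderBreak, singleAddress, validateContactForm) and the sample form submissions are constructed for illustration.

```php
<?php
// Added example (not from the original post or PEAR): single-recipient,
// header-safe validation for a PHP mail form. Helper names are hypothetical.
// Two checks mirror the post's concern: (1) nothing that ends up in a mail
// header may contain a line break, (2) the address field must parse as
// exactly one mailbox, never a list.

/**
 * Reject any value containing CR, LF or a NUL byte. A bare newline is what
 * turns one header line into several once the value is concatenated into the
 * $additional_headers argument of mail().
 */
function hasHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Accept exactly one syntactically valid mailbox. Returns the trimmed address
 * or null. FILTER_VALIDATE_EMAIL only accepts a single address, and the
 * explicit comma check closes the multi-recipient gap that parseAddressList()
 * leaves open.
 */
function singleAddress(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || hasHeaderBreak($value) || strpos($value, ',') !== false) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Validate a whole submission. Returns a list of error strings; an empty list
 * means the fields are safe to hand to the mailer.
 */
function validateContactForm(array $post): array
{
    $errors = [];
    if (singleAddress($post['email'] ?? '') === null) {
        $errors[] = 'email: must be exactly one valid address';
    }
    if (hasHeaderBreak($post['subject'] ?? '')) {
        $errors[] = 'subject: line breaks are not allowed';
    }
    // The message body may legitimately contain newlines; it stays safe only
    // if it is passed as the separate $message argument of mail(), never
    // appended to the header string.
    return $errors;
}

// Constructed sample submissions: one clean, three that must be rejected.
$samples = [
    'clean'        => ['email' => 'alice@example.com', 'subject' => 'Hello'],
    'two addrs'    => ['email' => 'alice@example.com, bob@example.com', 'subject' => 'Hello'],
    'crlf in addr' => ['email' => "alice@example.com\r\nBcc: bob@example.com", 'subject' => 'Hello'],
    'lf in subj'   => ['email' => 'alice@example.com', 'subject' => "Hi\nX-Header: y"],
];
foreach ($samples as $name => $post) {
    $errors = validateContactForm($post);
    printf("%-13s %s\n", $name, $errors ? 'REJECTED: ' . implode('; ', $errors) : 'accepted');
}
```

The line-break check matters on every field that is interpolated into headers (From, Reply-To, Subject), not just the address: a validator that only proves the address is well formed still lets a newline in the subject field append arbitrary headers.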