Hi guys, can I possibly get some advice on which variables (i.e. headers, subject, admin_email etc.) I need to filter / validate for header injection?

PHP:
// these 2 variables have been filtered earlier in the script
$users_email = "$email_address";
$users_name  = "$first_name $last_name";

$admin_email  = "info@mydomain.com";
$website_name = "Your Website Name";            // defined before it is interpolated into $subject
$subject      = "$website_name - New Member";

$body  = "Hello,<br /> A New user has registered on '$website_name' and will need to be validated.<br /><br />";
$body .= "Name: $users_name<br />";
$body .= "Practice Name: $prac_name<br />";

$from = "\"$users_name\" <$users_email>";

$headers  = "Content-Type: text/html; charset=Windows-1252\r\n";  // header lines are separated by CRLF
$headers .= "From: $from";                                        // From: needs the address, not just the name

mail($admin_email, $subject, $body, $headers);
echo "Thank you for your email, we will be in touch as soon as possible.";
If $users_name cannot contain carriage returns ("\r","\n") (you state that $first_name, $last_name are filtered) then this script looks ok to me.
Thanks for the link, but it says nothing about how to filter the headers and/or body. I am using this to check the email and subject:

PHP:
// the original pattern /^\w*$/ rejects the spaces and hyphen in "Your Website Name - New Member";
// letters, digits, underscore, whitespace and hyphen still leave no room for CR or LF
$validate_subject = '/^[\w\s-]*$/';
if (!preg_match($validate_subject, $subject)) {
    echo "Possible header injection attack";
    exit;
}

// the dot before the domain suffix is escaped (an unescaped . matches any character) and the end is anchored
$validate_email = '/^([a-zA-Z0-9])+([.a-zA-Z0-9_-])*@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+$/';
if (!preg_match($validate_email, $admin_email)) {
    echo "Possible header injection attack";
    exit;
}
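One way to implement the check the reply above describes (nothing that reaches a mail() header may contain CR or LF), as an added example that is not code from this thread; the function names and the sample inputs are my own:

```php
<?php
// Added example, not from the thread. Sample inputs at the bottom are constructed.

// A header injection needs a line break to start a new header line, so any
// value that ends up in a header (name, address, subject) must contain none.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// Returns the headers string for mail(), or null when any input is unsafe.
function build_headers(string $users_name, string $users_email): ?string
{
    foreach ([$users_name, $users_email] as $value) {
        if (!header_safe($value)) {
            return null;
        }
    }
    // filter_var is stricter than the hand-written address regex in the post above.
    if (filter_var($users_email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Drop double quotes so the display name cannot close the quoted string early.
    $display = str_replace('"', '', $users_name);

    // Each header line is terminated by CRLF; the last one needs none.
    return "Content-Type: text/html; charset=Windows-1252\r\n"
         . "From: \"$display\" <$users_email>\r\n"
         . "Reply-To: $users_email";
}

// Constructed inputs: a clean registration and one that smuggles an extra header line.
$clean    = build_headers('Jane Doe', 'jane@example.com');
$attacked = build_headers("Jane Doe\r\nBcc: someone@example.net", 'jane@example.com');

if ($clean !== null && $attacked === null) {
    echo "clean input accepted, injected input rejected\n";
    // only now call mail($admin_email, $subject, $body, $clean)
}
```

Run the same header_safe() check on $subject before passing it to mail(), since the subject is a header too.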