Avoiding email header injection

Barely a week goes by without someone asking for help with a PHP mail() script that uses one of the most insecure techniques—inserting unfiltered user input into the headers argument. It exposes your server to email header injection, an exploit that can turn your website into a spam relay. This exploit has been known for many years, and I warn about it in all the books I’ve written on PHP. But beginners still blithely ignore the dangers.

The problem is that the fourth argument to the mail() function lets you specify custom headers. So, it’s become almost routine to create a From header with the user-submitted email address. There are two things wrong with this:

  • The From header is meant to indicate where the email originated from. When you use the mail() function, it’s your website that originates the message, not the person submitting the form. If you want to use the submitted address, it should go in a Reply-to header.
  • You should never trust user-submitted input without checking its validity. Email header injection relies on unfiltered data being passed as the fourth argument to mail().

What happens is that the attacker uses the email input field to inject Cc and Bcc headers plus a replacement message body. Avoiding this problem is simple. All that’s necessary is to check the validity of any values that are added to the headers. I’ve created a simple tutorial explaining how to do it—and keep safe.

This entry was posted in Books, PHP. Bookmark the permalink.

4 Responses to Avoiding email header injection

  1. Sunday says:

    Dear David,
    I really like the way you help us web developer solve some issue.
    Sir, I will like you writing PhP book for E-commerce site for us; because the way your explanation is always superp

  2. pat hamer says:

    I’m taking your dw cc “my first website” course at adobe re: Bayside Beats lesson.

    In the tutorial lesson 3 http://www.adobe.com/devnet/dreamweaver/articles/first_website_pt3.html

    the “Figure 1…inter alia” graphic examples do not load or are non existing. Is there an alternate site with them? It sure helps. I did not find any other forum under that topic, so I’m hoping I get an answer here.

  3. David Powers says:

    Hi Pat,

    Yes, I created that tutorial on the Adobe site. I’ve just checked the page you refer to, and all the figures display correctly for me here in the UK. However, I know there have been problems in the past with images not loading correctly in certain parts of the world. Adobe uses a content distribution network, and links sometimes break. I presume you’re in California. I’ll ask my contacts in Adobe to check the site.

  4. Michel Kimpele says:


    This is a mail I wish Mr David Powers will read!
    I know nothing about Dreamweaver, HTML or whatever they are called and mean, but I’m really willing to learn. My question is the following; where should I start? Which book should I buy to begin with (there are so many books …)?
    Many thanks!