
Question on E-mail Form Field Security


webref.eu


Hi Guys

I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below, which looks for dangerous code snippets, in an effort to protect against email header injection attacks.

When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness?

Many thanks

//http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/
//preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive
//Returns true if $input contains a line break or a mail-header keyword that could be used for header injection
function containsInjectionAttempt($input) {
    if (preg_match("/\r/i", $input) ||                // carriage return
        preg_match("/\n/i", $input) ||                // line feed
        preg_match("/%0a/i", $input) ||               // URL-encoded line feed
        preg_match("/%0d/i", $input) ||               // URL-encoded carriage return
        preg_match("/Content-Type:/i", $input) ||     // MIME header
        preg_match("/<script>/i", $input) ||          // script tag
        preg_match("/bcc:/i", $input) ||              // recipient headers
        preg_match("/to:/i", $input) ||
        preg_match("/cc:/i", $input)) {
        return true;
    } else {
        return false;
    }
}

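As an added example (not the poster's code, nor code from the linked tonyspencer.com or w3schools pages), here is the allowlist counterpart to the blocklist above: line breaks are rejected outright and the e-mail field is validated with PHP's built-in filter before it is allowed anywhere near a header. The field names name/telephone/best_time/email and the fixed From address are assumptions; the point is that whether the E-mail field needs validating depends on whether it ever reaches a header, and here it only does after validation.

```php
<?php
// Reject any value that could start a new header line: CR, LF or NUL.
function hasHeaderBreak(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate an e-mail address with PHP's built-in filter; the header-break
// check is belt-and-braces, since the filter also refuses line breaks.
function validEmailForHeader(string $email): bool {
    $email = trim($email);
    return !hasHeaderBreak($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Assemble the mail: user text goes only into the body, and the user's
// address goes into Reply-To only after strict validation. The From
// address is fixed and never taken from the form.
function buildContactMail(array $fields): array {
    foreach ($fields as $name => $value) {
        if (hasHeaderBreak($value)) {
            return ['ok' => false, 'error' => "Field '$name' contains a line break"];
        }
    }
    $headers = "From: site-form@example.com\r\n";   // assumed fixed sender
    if ($fields['email'] !== '') {                  // e-mail is optional on this form
        if (!validEmailForHeader($fields['email'])) {
            return ['ok' => false, 'error' => 'E-mail address is not valid'];
        }
        $headers .= 'Reply-To: ' . trim($fields['email']) . "\r\n";
    }
    $body = "Name: {$fields['name']}\nTelephone: {$fields['telephone']}\n"
          . "Best time to call: {$fields['best_time']}\n";
    return ['ok' => true, 'headers' => $headers, 'body' => $body];
}

// Constructed sample input: the header-injection pattern the thread describes,
// smuggled into the e-mail field. buildContactMail() refuses it.
$attempt = ['name' => 'Alice', 'telephone' => '01234 567890', 'best_time' => 'Morning',
            'email' => "alice@example.com\r\nBcc: someone@example.net"];
var_dump(buildContactMail($attempt)['ok']);

// Constructed clean submission: accepted, with Reply-To set from the form.
$clean = ['name' => 'Alice', 'telephone' => '01234 567890', 'best_time' => 'Morning',
          'email' => 'alice@example.com'];
$mail = buildContactMail($clean);
var_dump($mail['ok']);
// On success the caller would continue with:
// mail('you@example.com', 'Website enquiry', $mail['body'], $mail['headers']);
```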

Thanks for the reply. Regarding the rest of the code, I was trying to just pick out the relevant bits to save people time.

What I've decided to do now is just add the e-mail validation given in the "PHP Stopping E-mail Injections" section on the following page:

http://www.w3schools.com/php/php_secure_mail.asp

This seems like reasonable code and I hope that it will be enough.

Rgds
