My PHP scripts recieves information (from a user submitted form) and sends it (almost) straight away as an email. What kind of sainitization should I do on the data?
I want to know exactly which PHP function to use to sanitize the data.
4
-
2htmlentities will be agood place to start, also consider using striptags, to only allow harmless tagsIbu– Ibu2011-06-11 19:39:48 +00:00Commented Jun 11, 2011 at 19:39
-
A few quick questions on this one, what is the data source? What charset is the data being received encoded in? What charset do you send the email in?Ryan– Ryan2011-06-11 19:42:08 +00:00Commented Jun 11, 2011 at 19:42
-
A form is being submitted by a user not sure what charset (How can I find out?)Chaim– Chaim2011-06-11 19:43:58 +00:00Commented Jun 11, 2011 at 19:43
-
@Ibu why? Both is completely unnecessary for E-Mail (from a security perspective at least).Pekka– Pekka2011-06-11 19:53:57 +00:00Commented Jun 11, 2011 at 19:53
Add a comment
|
3 Answers
You need to read up on email injection. Take a look here:
1 Comment
datasage
It would probably save you some time.
Have a look at PHP Data Filtering. There are a lots of built in php functions which can be used for data validation and sanitization.
4 Comments
Chaim
Okay that's good for making sure the email address is valid and that kind of stuff. But how is it going to protect me from, the above mentioned, email injection?
bitfox
The links suggested by datasage and Alix are useful. I replied to your question: "I want to know exactly which PHP function to use to sanitize the data."
Chaim
Can you give me an example of, say, validating
$message (which contains the users message) to make sure that there is no email injections. (Perhaps it's a matter of just showing me exactly which method of filter_var() to use?)bitfox
The message contains text. So, you could try to use filter_var($message, FILTER_SANITIZE_STRING) and check the output. I suggest you to read the links in order to understand what are the possible vulnerabilities and check them.
You'll want to:
- validate the email address
- sanitize (or not) HTML tags to avoid XSS attacks
- sanitize the e-mail contents to avoid e-mail header injections
