What's a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that's not part of the mysql_function() family of functions.)

I take the data, sanitize it, print it back to the user and send it in an email to a preset address.

EDIT: I'm just sending the email to our email address so we can send out a mailing to the address in the email.

5 Comments
  • That depends on what the mail function is doing with the data. Commented Dec 3, 2010 at 20:41
  • @IshKumar, Not a dupe, I don't want to use a library. Commented Dec 3, 2010 at 20:47
  • @cdhowie - I want to send the email to an address! That's all. Commented Dec 3, 2010 at 20:49
  • Don't sanitize input, sanitize output. Commented Dec 3, 2010 at 20:56
  • @Moshe The input code doesn't know what kind of sanitization the sink function needs. There are so many ways to escape/sanitize data (html, sql, file-path, ...) and the input layer of the code doesn't know which one to apply. Commented Dec 5, 2010 at 9:38

3 Answers

Have you looked at the filter functions e.g http://www.php.net/manual/en/function.filter-var.php


Since you're printing it back to the user, you need to escape any HTML content.

strip_tags() and htmlspecialchars() are quite useful in filtering the message content, especially if you're using HTML messages.

See also:
How to sanitize user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you're using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.

3 Comments

There's no good reason to escape HTML in an email.. especially if it's a plaintext email.
@ThiefMaster, But what about sanitizing for the handling of the data before I send the email?
Certainly, but we don't know what he's doing with the email. Covering all the bases, even if you only expect text emails at the start, is a good tactic.
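The answer above names the two separate problems (header injection through newlines, and HTML escaping when echoing the data back) without showing them together. The following is an added example, not code from any of the answers or from the original poster: it rejects CR/LF in header-bound fields, validates the reply address with filter_var(), and escapes at the output sink rather than on input, as the "sanitize output" comment on the question suggests. The field names (subject, email, message), the preset recipient inbox@example.com and the From address are assumptions for illustration.

```php
<?php
// Added example: sanitize POST data for mail() and for echoing back to the user.
// Field names and addresses are hypothetical.

/**
 * A header value must be a single line. CR or LF lets an attacker end the
 * current header and append new ones (e.g. "Bcc: ..."), so refuse them outright
 * instead of trying to clean the value.
 */
function assertSingleLine(string $value, string $field): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return $value;
}

/**
 * Validate the fields that end up in the mail. Throws on anything that
 * could alter the header block; the body is only normalised.
 */
function sanitizeContactForm(array $post): array
{
    // Header-bound fields: subject and reply address.
    $subject = assertSingleLine(trim((string)($post['subject'] ?? '')), 'subject');
    $replyTo = trim((string)($post['email'] ?? ''));

    // FILTER_VALIDATE_EMAIL checks the address syntax; a syntactically
    // valid address cannot contain CR/LF, so this also blocks injection here.
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }

    // Body text: line breaks are legitimate here because the body cannot
    // reach the header block. Normalise them to CRLF for the MTA.
    $body = str_replace(["\r\n", "\r", "\n"], "\r\n", (string)($post['message'] ?? ''));

    return ['subject' => $subject, 'reply_to' => $replyTo, 'body' => $body];
}

/**
 * Escaping belongs at the sink: the same body goes into a plain-text mail
 * unchanged and is HTML-escaped only when rendered in the browser.
 */
function renderForBrowser(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function sendToPresetAddress(array $clean, string $to = 'inbox@example.com'): bool
{
    $headers = [
        'From: webform@example.com',           // assumed sender identity
        'Reply-To: ' . $clean['reply_to'],     // already validated above
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return mail($to, $clean['subject'], $clean['body'], implode("\r\n", $headers));
}

// Constructed sample input: a header-injection attempt via the subject field.
$attack = [
    'subject' => "Hello\r\nBcc: everyone@example.net",
    'email'   => 'sender@example.org',
    'message' => 'Please add me to the list <script>alert(1)</script>',
];
try {
    sanitizeContactForm($attack);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// Constructed benign input: passes validation, body is escaped only for the browser.
$clean = sanitizeContactForm([
    'subject' => 'Hello',
    'email'   => 'sender@example.org',
    'message' => 'Please add me to the list <script>alert(1)</script>',
]);
echo renderForBrowser($clean['body']), "\n";
// sendToPresetAddress($clean); // needs a configured MTA on the host
```

The split matters for the question as asked: the subject and Reply-To values are the only ones that can alter the message structure, so they are validated and rejected rather than "cleaned"; the body is free text and is left intact for the plain-text mail, while htmlspecialchars() is applied only when the same string is printed back to the user.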
Sanitizing for an e-mail would be equivalent to sanitizing for HTML output. I see some suggestions on SO for HTML Purifier.

4 Comments

Why would you escape HTML in a plaintext email? I think he wants to protect against header injection.
@ThiefMaster Who said anything about plain text? Most of the emails are HTML nowadays so they should be checked for HTML injection. I don't think he referred to header injection. Why would he print the headers back to the user?
Most emails are HTML? Not really.. luckily. HTML emails are a pest.
@ThiefMaster I don't know what mails you receive or send but what I use and work with is HTML.
