Reputation: 9855
I'm working on building my first contact form.
I have a page similar to this with a lot of fields... http://www.missingpeople.org.uk/component/option,com_rsform/Itemid,144/lang,en/view,rsform/
The form, when submitted then redirects to my process page that contains...
<?php
// Start with an empty body; appending to an undefined $message raises a notice.
$message = '';
// Every submitted field is appended to the body (names and values HTML-escaped).
foreach ($_POST as $key => $value)
    $message .= "Field ".htmlspecialchars($key)." is ".htmlspecialchars($value)."\r\n";
// Recipient and subject are fixed; only the body comes from the request.
mail('[email protected]', 'sghting', $message);
?>
From what I've been reading on the process though, this seems vulnerable to injections? Sorry if this sounds naive, I'm new to the process. What I'm asking is where do I start in reading up on sanitizing this code?
Upvotes: 0
Views: 88
Reputation: 117507
It might be vulnerable - just not to SQL injections. mail is a pretty raw interface that just passes stuff on to the mail delivery system. It is trivial to inject mail headers into the message if you don't escape properly. This way, an attacker could use your mail form for spam or for spoofing the sender, and possibly other things that you wouldn't want to happen.
Instead of trying to do this yourself, I would strongly advise you to use a library such as Swift mailer, which takes care of all this for you.
Upvotes: 1
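As an added example (not code from the question or either answer), here is a hardened version of the handler that refuses any value containing the CR/LF characters header injection relies on, accepts only a fixed set of fields, and keeps the recipient and subject as constants so no request data ever reaches a mail header. The field names, recipient address and subject are assumptions for illustration.

```php
<?php
// Added example, not the asker's code. Field names, recipient and subject
// are assumed values chosen for illustration.
const ALLOWED_FIELDS = ['name', 'email', 'location', 'details'];
const RECIPIENT = 'sightings@example.com';
const SUBJECT   = 'Sighting report';

/**
 * Validate a submitted field set. Returns the cleaned fields, or null if a
 * field is missing, unexpected in type, or contains a line break.
 */
function validateSubmission(array $post): ?array
{
    $clean = [];
    foreach (ALLOWED_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;
        }
        // Reject CR/LF outright rather than trying to escape them: a line
        // break is how extra headers (Bcc:, To:, ...) would be smuggled in.
        if (preg_match('/[\r\n]/', $post[$field])) {
            return null;
        }
        $clean[$field] = trim($post[$field]);
    }
    // The reply address must at least look like a mailbox; it is still only
    // written into the body, never used as a From/Reply-To header.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $clean;
}

/** Build a plain-text body from validated fields (no HTML, so no encoding). */
function buildMessage(array $clean): string
{
    $message = '';
    foreach ($clean as $key => $value) {
        $message .= "Field $key is $value\r\n";
    }
    return $message;
}

$clean = validateSubmission($_POST);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid submission.');
}
// Recipient and subject are constants, so nothing user-controlled reaches the headers.
mail(RECIPIENT, SUBJECT, buildMessage($clean));
```

In the original snippet the values only land in the body, so the real exposure appears once a value is reused in the subject, the recipient or an additional header; the CR/LF check above is what closes that path.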
Reputation: 27607
It would be dangerous if it was a SQL query as you could easily insert some single quotes and semicolons to run your own code, but this isn't as much the case with sending a mail. If you later saved that email to the database, then it could be vulnerable to a SQL injection.
You could run this value through htmlentities() to HTML encode the content, which should be fine for email and would remove most of the special characters.
Upvotes: 0