Chud37

Reputation: 5007

Making $_POST data safe to email

I understand about mysql_real_escape_string and such, but what about when I am just sending an email?

So I have a form and a textbox. Are there any vulnerabilities in just directly emailing the $_POST data to a user? I guess they wouldn't be able to execute any PHP... or can they if they run it from a web address? I am not sure.

Upvotes: 3

Views: 1339

Answers (2)

René Höhle

Reputation: 27305

The problem is: don't trust user input. The biggest problem is when you set the email address or BCC from your POST variable, so that any email address can be set over the request.

But it's possible to send links or something else to users over your form. For this you should implement a captcha, so that a bot cannot send your form with defined values to anyone.

A last solution is a hidden text field in your form. You can hide it with CSS. When the field is not empty, you know that a bot has filled it.

But I think it's good when you escape your POST vars with htmlspecialchars().

So there are a lot of possibilities to secure a form. You should not use only one of them and trust the user.

Upvotes: 2

Adam

Reputation: 1264

If it is being sent directly to an email, then it will be fine. If it is being stored in a database to be displayed on an administrator page such as a helpdesk, etc., then it will need to be escaped for both HTML output and MySQL. You can escape MySQL using a number of functions:

That said, because emails can contain HTML, if you don't want to receive emails that people have put bogus HTML in, such as <blink> (which is really annoying), then you can use htmlspecialchars(): http://php.net/manual/en/function.htmlspecialchars.php

If you are worried about JavaScript in emails, then using htmlspecialchars() noted above will escape this also.

Upvotes: 5
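Putting both answers together (the header-injection risk René describes when an address or BCC comes from the request, and the htmlspecialchars() escaping Adam recommends for the body), here is an added example that is not from either answer or from the original poster. It assumes a form with fields `email`, `subject` and `message` and a fixed, server-side recipient; `headerSafe` and `buildContactMail` are names chosen for this example.

```php
<?php
declare(strict_types=1);

// Reject any value that contains CR or LF. A newline inside a value that ends
// up in a mail header lets the sender append extra headers such as "Bcc:",
// which is how "any email address can be set over the request".
function headerSafe(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('CR/LF not allowed in header values');
    }
    return trim($value);
}

// Build the pieces for mail() from the submitted form.
function buildContactMail(array $post, string $recipient): array
{
    // The destination is fixed by the server; it never comes from $_POST.
    $to = $recipient;

    // Sender address must parse as an email address and must be CR/LF free.
    $from = filter_var(headerSafe($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        throw new InvalidArgumentException('invalid sender address');
    }

    // Subject is a header too: same CR/LF rule, plus a length cap.
    $subject = substr(headerSafe($post['subject'] ?? ''), 0, 200);

    // The body is sent as HTML, so escape it: a <blink> or <script> in the
    // message is then shown literally by the mail client instead of rendered.
    $escaped = htmlspecialchars($post['message'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body = '<p>' . nl2br($escaped) . '</p>';

    $headers = [
        'From: ' . $from,
        'Reply-To: ' . $from,
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=UTF-8',
    ];
    return ['to' => $to, 'subject' => $subject, 'body' => $body,
            'headers' => implode("\r\n", $headers)];
}

// Usage: mail() is only reached if every field validated above.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $m = buildContactMail($_POST, 'helpdesk@example.com'); // recipient is a placeholder
    mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}
```

If the message is also stored and later shown on an admin page, apply htmlspecialchars() at that output point as well and use prepared statements for the database write, as Adam's answer describes.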
