Can malicious code be inserted into an email?

Question

I'm writing a disposable email script, which parses incoming emails, strips out some data and inserts it into the DB, then displays the email on a page.

What should I be careful of?

For example, I parse the to email, and make sure it's alpha-numeric only (after stripping my domain name, because I only accept alpha-numeric IDs) but is it safe to insert the sender name (after parsing the From: line) into the DB after using mysqli_real_escape_string() and then htmlentities() when displaying it?

Answer 1

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

1. using pdo.

   $statement = $pdo->prepare('SELECT * FROM customers WHERE name = :name');
   $statement ->execute(array('name' => $name));
   foreach ($statement as $row) {
       // do something with $row
   }
   

2. using mysqli to prevent the security lapses.

   $statement= $dbConnection->prepare('SELECT * FROM customers WHERE name = ?');
   $statement->bind_param('s', $name);
   $statement->execute();
   $result = $statement->get_result();
   while ($row = $result->fetch_assoc()) {
       // do something with $row
   }
   

3. mysqli insertion of data

Code example for insertion clean data.

$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute(array('column' => $unsafeValue));

Since you ask about insertion here is the method to prevent sql injection by using this method attacker will have no chance for it.

4. Frameworks security.

   A simple way would be to use a PHP framework like CodeIgniter or Laravel which have in-built features like filtering and active-record, so that you don't have to worry about these nuances.

5. A few guidelines.

   For escaping special characters in SQL statements.Don't use MySQL, this extension is deprecated, use MySQLi or PDO.

Answer 2

You should be careful of code injection. Basically what you do for this is:

1) Every item that you are sure is a number, parse it as a number (probably with a try/catch), do not accept any Strings in these fields.

2) Sometimes is a good practice to trim() the String fields. This erases all unnecessary spaces inside your field.

3) Do not insert into mysql the raw way. I don't know what language you are using but there is Mysql Statements in mostly every language. So instead of making a simple insert, you would do something like (Java example):

public static void main(String[] args)
  {
    try
    {
      // create a mysql database connection
      String myDriver = "org.gjt.mm.mysql.Driver";
      String myUrl = "jdbc:mysql://localhost/test";
      Class.forName(myDriver);
      Connection conn = DriverManager.getConnection(myUrl, "root", "");
     
      // create a sql date object so we can use it in our INSERT statement
      Calendar calendar = Calendar.getInstance();
      java.sql.Date startDate = new java.sql.Date(calendar.getTime().getTime());
 
      // the mysql insert statement
      String query = " insert into users (first_name, last_name, date_created, is_admin, num_points)"
        + " values (?, ?, ?, ?, ?)";
 
      // create the mysql insert preparedstatement
      PreparedStatement preparedStmt = conn.prepareStatement(query);
      preparedStmt.setString (1, "Barney");
      preparedStmt.setString (2, "Rubble");
      preparedStmt.setDate   (3, startDate);
      preparedStmt.setBoolean(4, false);
      preparedStmt.setInt    (5, 5000);
 
      // execute the preparedstatement
      preparedStmt.execute();
       
      conn.close();
    }
    catch (Exception e)
    {
      System.err.println("Got an exception!");
      System.err.println(e.getMessage());
    }
  }

Take a look at the example above and check how the prepared statement inserts. This is the most secure way

Cheers!

Hope it helps