I have a form on a website where the user types a name into the input field and a message into textarea. This message will be sent to the backend and via php mail() - mailed to a specific recipient from my database. Now I'm not sure what sort of sanitisation I should perform before the message is sent. What's the best practice with plain PHP or something like PHPPurifier?
I googled and googled but all I get is how to sanitise email addresses, nothing about the message content and if it's necessary at all.
EDIT: I'm not familiar with what damage can be possibly done with some sort of malicious email body. Stripping all the HTML seems most obvious but anything else? I just really need line breaks mostly I think. What's the common practice here?
I'm not after sanitizing the email address itself, this will come from database.
if(filter_var($email, FILTER_VALIDATE_EMAIL)){
//all good
}
ref: Validate filters
its not fool proof, but probably good enough for most
Related
I have a form in which I accept name, email and message from a user. I do the validation for name, email and message and just send it using the mail() function.
If I was inputting the $name, $email and $message in a database, I would escape this data for SQL injection; or, if I was echoing it out on a webpage, I would use htmlspecialchars().
What should I do when I am sending this data in a email? I know I don't have to worry about SQL injection, but what about XSS? Should I use htmlspecialchars() on these three variables too?
I send the mail like this:
mail('admin#mywebsite.com', 'Contact From: '. $name, "$message", 'From: '. $email);
I have read about email injection, but I can't understand it.
Please let me know about this.
The escaping entirely depends on the context the data is embedded into.
Are you sending HTML mails? Then you have HTML context, and htmlspecialchars() must be used.
If you are sending plain text mails, there is no escaping for plain text.
The only threat would be that your mail client has some bug that interprets the plain text as something executable and then acts up when you get some strange names and mail adresses.
But this only applies to the mail's content, not the actual headers.
You are using a custom mail header From. Do not use this. From is used in spam filters. If I would enter my mail address, and you are sending this mail with From: my#mail, you are impersonating my own email server. Spam used to use this to hide the real source, and to redirect complaints and error feedback to the unhappy guy behind that mail address. Because of this today there are mechanisms that will prevent such abuse. So just do not pretend I am sending this mail - YOU do.
If you want to be able to answer me with a click on the reply button, use the Reply-to header, but always use From: dont-answer#YOURWEBSITE.example.
Additionally, these custom headers are the entry point for bad things. Make sure you are only adding mail addresses. Make sure you do not add any line feed characters. These would make the mailserver think that there is a new header coming up, and this might lead to mail header injection.
you need to validate the email address to make sure it singular and not multiple addresses to stop email spamming
http://www.php.net/manual/en/filter.filters.validate.php
$email = "email#me.com";
if(!filter_var($email, FILTER_VALIDATE_EMAIL))
{
echo "email not valid"; // do not send
}
else
{
echo "email valid"; // send
}
The problem is simple. If some user can send someone else a email he could use HTML or JavaScript wich is interpreted in most Email-Clients and every webmail interface to rewrite the contents. He could insert a iFrame loading another site or injecting a PopUp Script.
Its most important to sanitize the input the way you would sanitize it for a Browser.
I understand about mysql_real_escape_string and such, But what about when i am just sending an email?
So I have form, and a textbox, is there any vulnerabilities in just directly emailing the $_POST data to a user? I guess they wouldnt be able to execute any PHP.. or can they if they run it from a web address? I am not sure.
If it is being sent directly to an email then it will be fine. If it is being stored in a database to be displayed on an administrator page such as a helpdesk, etc. then it will need to be escaped for both html output and mysql. You can escape mysql using a number of functions:
If using PDO then use prepare statement :
http://php.net/manual/en/pdo.prepare.php
Otherwise I would use :
http://php.net/manual/en/mysqli.real-escape-string.php
That said because Emails can contain HTML, if you don't want to receive emails that people have put bogus HTML in such as <blink> (Which is really annoying) then you can use htmlspecialchars() : http://php.net/manual/en/function.htmlspecialchars.php
If you are worried about Javascript in emails then using htmlspecialchars() noted above will escape this also.
The problem is don't trust a user input. The biggest problem is, when you set the Email adress or BCC from your POST variable. That any email address can be set over the Request.
But its possible to send links or something else to user over your form. For this you should implement a captcha. That a bot cannot send your form with defined values to anyone.
A last solution is a hidden text field in your form. You can hide them with CSS. When the field is not empty you know that a bot has filled them.
But i think its good when you escape your POST vars with htmlspecialchars()
So there are a lot of possibilities to secure a form. You should use not only one of them and trust the user.
what are the security issues about mail.body? i want to know when i want to send an email with a form using php, except the email address that we have to validate that, is there any other security issue about sending emails?
for example, which characters can't be used in the body? what about the header or subject? is there any problem with using new line in the body? is a black list applicable here? also, is it possible that with using some tags like <script> in the body, sending email be failed?
all papers that i have read, only say about validating email address and not more!
im researching about security and i want to know all issues about email security in PHP.
Plain text is basically safe. HTML or (shudder) Flash or PDF has the inherent security problems of those formats. In theory, all mail should be 7bit, but MIME changed that so that internaltional information can be handled. The Wikipedia MIME article is probably a good place to start. http://en.wikipedia.org/wiki/MIME
What's a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that's not part of the mysql_function() family of functions.)
I take the data, sanitize it, print it back to the user and send it in an email to a preset address.
EDIT:
I'm just sending the email to our email address so we can send out a mailing to the address in the email.
Have you looked at the filter functions
e.g http://www.php.net/manual/en/function.filter-var.php
Since you're printing it back to the user, you need to escape any HTML content.
strip_tags()
and
html_special_chars() are quite useful in filtering the message content, especially if you're using html messages.
See also:
How to sanitze user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you're using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.
Sanitizing for an e-mail would be equivalent to sanitizing for HTML output. I see some suggestions on SO for HTML Purifier.
I'm creating a feedback webpage. I want to just take a textarea of user input and ship it off to myself with the mail function. Is it safe to do the following:
mail("me#blah.com", "Feedback!", $_POST['feedback'], "From: myself#blah.com");
/* (to) (subject) (message) (headers) */
Or do I need to somehow escape or sanitize $_POST['feedback']?
Yes, you should sanitize it as a general practice, but there's not too much that can go wrong here, just make sure that in the headers you specify:
Content-Type: text/plain
Then no user can send anything "malicious" for you to click on, perform some sort of tracking, etc. (EDIT: without you knowing what it is, of course; what I mean is, no misleading links, 1x1 transparent GIFs or the like)
As stilstanding said - you still need to sanitize any user-supplied data.
I would also recommend using a script like PHPMailer to create and send email messages. This will take care of formatting the message securely and makes tasks like sending multipart html/text messages much easier:
http://sourceforge.net/projects/phpmailer/
Depends on who is receiving the message. E.g. if it's GMail, they have their fair arsenal of escaping anything there, and anyone will have a really hard time injecting anything into it. But say, if someone is going to look at the message from some webmail, and if that webmail is of an outdated version, someone with a bad intention might be able to do something bad.
If you are not going to check for <script> tags and such, you have to do no escaping. But you'd better encode your email in quoted-printable, for deliverability rather than security, a task which is best done by a good mail class/function like Zend_Mail. And you can use it stand-alone (i.e. without the other library components).
"Sanitize" is a kind of vague term. There are different types of encoding for different purposes.
If you're sending plain-text messages, I don't think you need to worry about encoding them. PHP's mail function should take care of any encoding needed.
If you're sending HTML messages, then you do need to HTML-encode all HTML attributes and content, regardless of whether the values come from the user or not.