What's a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that's not part of the mysql_function() family of functions.)
I take the data, sanitize it, print it back to the user and send it in an email to a preset address.
EDIT:
I'm just sending the email to our email address so we can send out a mailing to the address in the email.
Have you looked at the filter functions
e.g http://www.php.net/manual/en/function.filter-var.php
Since you're printing it back to the user, you need to escape any HTML content.
strip_tags()
and
html_special_chars() are quite useful in filtering the message content, especially if you're using html messages.
See also:
How to sanitze user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you're using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.
Sanitizing for an e-mail would be equivalent to sanitizing for HTML output. I see some suggestions on SO for HTML Purifier.
Related
I created a php form that uses strip_tags to send mail to the client. The form is not connected to any database.
What are the potential risks of malicious use?
The function strip_tags is used to filter out tags that might otherwise render something on the screen.
So it prevents the use of images, iframes, tables, layout.
This is probably not what you want.
You can however add a second parameter to the function with a list of tags that are allowed so you can still keep the tags you need.
I don't think this is really handy if only you send the emails. If people using your website have the ability to send emails then it might be of help
I have a form on a website where the user types a name into the input field and a message into textarea. This message will be sent to the backend and via php mail() - mailed to a specific recipient from my database. Now I'm not sure what sort of sanitisation I should perform before the message is sent. What's the best practice with plain PHP or something like PHPPurifier?
I googled and googled but all I get is how to sanitise email addresses, nothing about the message content and if it's necessary at all.
EDIT: I'm not familiar with what damage can be possibly done with some sort of malicious email body. Stripping all the HTML seems most obvious but anything else? I just really need line breaks mostly I think. What's the common practice here?
I'm not after sanitizing the email address itself, this will come from database.
if(filter_var($email, FILTER_VALIDATE_EMAIL)){
//all good
}
ref: Validate filters
its not fool proof, but probably good enough for most
I understand about mysql_real_escape_string and such, But what about when i am just sending an email?
So I have form, and a textbox, is there any vulnerabilities in just directly emailing the $_POST data to a user? I guess they wouldnt be able to execute any PHP.. or can they if they run it from a web address? I am not sure.
If it is being sent directly to an email then it will be fine. If it is being stored in a database to be displayed on an administrator page such as a helpdesk, etc. then it will need to be escaped for both html output and mysql. You can escape mysql using a number of functions:
If using PDO then use prepare statement :
http://php.net/manual/en/pdo.prepare.php
Otherwise I would use :
http://php.net/manual/en/mysqli.real-escape-string.php
That said because Emails can contain HTML, if you don't want to receive emails that people have put bogus HTML in such as <blink> (Which is really annoying) then you can use htmlspecialchars() : http://php.net/manual/en/function.htmlspecialchars.php
If you are worried about Javascript in emails then using htmlspecialchars() noted above will escape this also.
The problem is don't trust a user input. The biggest problem is, when you set the Email adress or BCC from your POST variable. That any email address can be set over the Request.
But its possible to send links or something else to user over your form. For this you should implement a captcha. That a bot cannot send your form with defined values to anyone.
A last solution is a hidden text field in your form. You can hide them with CSS. When the field is not empty you know that a bot has filled them.
But i think its good when you escape your POST vars with htmlspecialchars()
So there are a lot of possibilities to secure a form. You should use not only one of them and trust the user.
I am trying to create a PHP page for users to send emails to other users in HTML.
On my page (email.php) there is a textarea for user to input their message.
Since I send the email from my server I don't want the user to write malicious code/message content (html, links, php, bad words etc) that will result in my servers email IP getting banned as spam.
I know I can validate by using functions like str_replace() htmlentities() strip_tags() etc
How can I stop the user from entering tags, links etc in textarea so the email is clean when sent. Is there some function to just filter the whole message string if it matches an email body format or a way to convert the message string to just clear text so any malicious links/tags will just show to the user as a href='/link'>malicious link not 'malicous link' and instead of html tags running they just show as the tag itself?
Like gumtree for instance when you send email you get form with textarea for message
thanks for any suggestions
Could you clarify a bit?
From what you've described, strip_tags() then htmlentities() seems sufficient, unless I misunderstand what you are asking. Both functions are not for validation, but filtering.
strip_tags() removes PHP and HTML tags, and htmlentities() will ensure applicable characters are converted to their HTML entity equivalents.
I'd recommend a third-party library like HTML Purifier that uses a white-list approach.
You cannot stop users to insert html tags, not even with javascript. Since almost all browsers have development tools and any html element from any website can be altered after the page is loaded.
You can develop an javascript validation just for eye view, but php validation is a MUST since you cannot limit an user.
Even headers can be modified ... so you need those php filters, as you mentioned above.
My PHP scripts recieves information (from a user submitted form) and sends it (almost) straight away as an email. What kind of sainitization should I do on the data?
I want to know exactly which PHP function to use to sanitize the data.
You need to read up on email injection. Take a look here:
http://www.damonkohler.com/2008/12/email-injection.html
Have a look at PHP Data Filtering. There are a lots of built in php functions which can be used for data validation and sanitization.
You'll want to:
validate the email address
sanitize (or not) HTML tags to avoid XSS attacks
sanitize the e-mail contents to avoid e-mail header injections