
I've been having a look through a few posts to see ways of protecting against various forms of 'injection' attack.

What's the best method for sanitizing user input with PHP? is an AWESOME post, and very helpful for databases, however one thing I'd like to do is defend against my mail server being used by someone 'registering' and using a string of comma delimited email addresses to spam people. This is a topic that I didn't see addressed often.

Yes, Captcha (or equivalent) is in place, this is more for the nasty user who cuts and pastes into the email field a long list of comma separated values.

I was hoping that exploding and then only taking the zero element in the array would be the best way to throw away the rest, however if anyone has other ideas, or approaches, then very happy to read them.

<?php
// keep only the first comma-separated element and discard the rest
$emails_passed = explode(",", $_POST['email_field']); // could also use $_GET
$email_to = $emails_passed[0];
btg_1967
  • html5 includes a field email which handles it for you as well. http://www.w3schools.com/html/html5_form_input_types.asp – DevZer0 Jul 06 '13 at 11:33
  • Thanks @DevZer0 I wasn't clear - sorry about that. I like the HTML5 option and have been HTML5'ing my pages, however sadly not every browser (yet) handles it well - I can't wait though. – btg_1967 Jul 06 '13 at 12:45

1 Answer


Well yes you could, but it is not wise to do. Simply check if a valid email is given; see php validation, first example, for some basic email validation. A valid email doesn't contain a comma.

So if it has a comma it isn't valid, so you should say to the user, please give a valid email. I think that solves the problem in a better way than using explode.

The above story only counts when you allow single emails (foo@bar.com); as Gumbo pointed out in the comments, the specs allow a comma in the email.

Because your question was about preventing people from giving multiple emails so you "spam" them, I still recommend validating the email and checking.

Hope the extra info, thanks to Gumbo, helps.

MKroeders
  • Sanitizing is the act of repairing an invalid user input. This should only ever happen if the user cannot be asked. If the user can be asked because he just submitted a form and is waiting for the acceptance confirmation, confront him with the list of errors and do not accept the form. – Sven Jul 06 '13 at 11:43
  • 2
    -1 You’re wrong: `"foo,bar"@example.com` is a valid e-mail address. – Gumbo Jul 06 '13 at 16:52
  • As I am understanding that is not a valid email, but a combination of emails (foo@example.com and bar@example.com). Also in the case of the question the explode would not work. – MKroeders Jul 06 '13 at 19:40
  • 3
    @Hendriq It actually is valid: If you look at the [address specification in RFC 5322](http://tools.ietf.org/html/rfc5322#section-3.4), the *local-part* in *addr-spec* can be [*quoted-string*](http://tools.ietf.org/html/rfc5322#section-3.2.4). However, those addresses are rarely allowed for real world addresses. – Gumbo Jul 06 '13 at 22:57
  • @gumbo, did not know that info and altered the text. So you see, we learn something new every day – MKroeders Jul 06 '13 at 23:28
  • Goodness, I did not know that either, and in that case, I guess the explode 'will work' as I'm trying to restrict down to a singular address, so using the comma will fail the address as in @Gumbo because $emails_passed[0] will equal "foo" which is not a valid email address, so a better test might be a combination of all approaches - and include in the use of filter_var? I'll knock up a function and post as an answer shortly to see what folks think. – btg_1967 Jul 07 '13 at 13:33
  • I am not sure but I think the filter_var function won't allow commas. Because what Gumbo said is a "combined" email. But the best way is to test it – MKroeders Jul 07 '13 at 14:44
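As an added example (not code from the question, the answer, or any library the thread mentions), here is how the two approaches discussed above compare in PHP 7.1 or later: the question's explode() shortcut next to the answer's validate-and-refuse approach, extended with the extra checks a form handler would want. The function names explode_first and single_recipient, the sample inputs and the 254-octet length bound are my own. Whether filter_var() with FILTER_VALIDATE_EMAIL accepts the quoted local part from Gumbo's comment is not assumed either way, which is exactly why the comma is refused before filter_var() runs; that also answers the last comment without depending on the filter's behaviour.

```php
<?php
// Added example, not code from the question or the answer.
// Goal: accept exactly one recipient address from a form field and refuse
// anything that looks like a list, instead of silently keeping element 0.

// The approach from the question, kept here only for the side-by-side comparison.
function explode_first(string $raw): string
{
    $parts = explode(',', $raw);
    return $parts[0];
}

/**
 * Return the single address the user entered, or null when the input must be
 * refused (the form is then re-shown with an error, as Sven suggests in the
 * comments, rather than "repaired").
 */
function single_recipient(string $raw): ?string
{
    $candidate = trim($raw);

    // Cheap size bound (254 octets is the usual practical maximum for one
    // address); a pasted list of recipients normally fails here already.
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }

    // Refuse list separators and line breaks outright. A comma or semicolon in
    // a recipient header is what turns one address into several, and a line
    // break never belongs in a single address that ends up in a mail header.
    // This deliberately also refuses the RFC 5322 quoted form
    // "foo,bar"@example.com from Gumbo's comment: the form only wants one plain
    // address, so that case gets an error instead of a guess.
    if (preg_match('/[,;\r\n]/', $candidate) === 1) {
        return null;
    }

    // Syntax check on the whole string. filter_var() returns false on failure
    // and the unchanged string on success; it never "fixes" the value.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return $candidate;
}

// Constructed sample inputs, as a form might receive them.
$samples = [
    'alice@example.com',
    'alice@example.com, bob@example.com, carol@example.com', // pasted list
    '"foo,bar"@example.com',                                 // quoted local part
    "alice@example.com\r\nCc: bob@example.com",              // line break in the field
    'not-an-address',
];

foreach ($samples as $s) {
    $r = single_recipient($s);
    printf(
        "%-60s explode[0]=%-24s single_recipient=%s\n",
        json_encode($s),
        json_encode(explode_first($s)),
        $r === null ? 'REJECT' : 'OK'
    );
}
```

Run it with `php example.php`. The explode[0] column shows the point btg_1967 makes in the comments: for the pasted list it quietly keeps the first address, and for the quoted form it yields `"foo`, which is not an address at all. The single_recipient column refuses every sample except the plain address, so the only value that can reach the mail call is one the user can be told about when it is wrong.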