
I know this type of question is not generally allowed, but I cannot find an answer anywhere.

Is SQL injection protection necessary even if you're not using databases/MySQL?

If I have a basic mail form in PHP that sends things to my email do I need to protect that form?

Devon Bessemer

  • Are you asking whether you need to prevent SQL injection if you're not using SQL? – Oliver Charlesworth Apr 12 '15 at 21:45
  • If a type of question is "generally not allowed" then why ask, knowing it's going to be closed? And how do you expect a SQL injection attack to be possible if there's no SQL database involved? – Matt Ball Apr 12 '15 at 21:45
  • I guess code injection in general? I'm not necessarily sure what can be injected into a basic form going to my email. – user3658885 Apr 12 '15 at 21:46
  • If you are storing any user input and rendering it back on the screen (e.g. in a file), you still need to watch out for XSS. For a mail form, you need to protect against header injection. – halfer Apr 12 '15 at 21:51
  • Sounds simple enough. It's just going to be a basic contact form asking for a name, phone number, and email, plus some minor details. Nothing major. Shouldn't be too hard to protect then. :) – user3658885 Apr 12 '15 at 21:53

2 Answers


If you're not using a database then no, you don't need to protect against attacks that exploit database queries. Emails have a whole set of exploits of their own, and I recommend using a library such as PHPMailer or Swift Mailer, which will help with this. Either way, you should always verify that the data submitted from the form is in the format you expect it to be.

rjdown

  • Alright, thanks. I'll check those out. I just wasn't sure what type of attacks can do what, really. – user3658885 Apr 12 '15 at 21:52
  • As an example, someone could put email header information into the message textbox, which would allow them to email anyone they want from your server. If you don't protect against it, it's going to make some spammers very happy. – rjdown Apr 12 '15 at 21:54
  • So basically just verify that the address the email is going to is only the one I want it to go to. Sounds easy using an if statement to compare the values. – user3658885 Apr 12 '15 at 21:56
  • It's not that simple, unfortunately. Have a read of this; there are some basic examples at the bottom: http://resources.infosecinstitute.com/email-injection/ There's a lot more to it, but it should give you a good idea of what can be done with dodgy data. – rjdown Apr 12 '15 at 22:03
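The header injection that rjdown describes in the comments above works because the CR/LF characters that end a header line are accepted from the form and then copied into the headers passed to `mail()`. The following is an added example, not code from the question or the answers, of a contact-form handler that validates each field against the format expected (the point of the answer) and keeps user input out of the `To:` and `From:` headers entirely. It assumes PHP 7.4 or newer with the `mbstring` extension, the built-in `mail()`, and a placeholder recipient address; the field names follow the question, and the two sample submissions at the bottom are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or answers. Assumes PHP 7.4+ with
// mbstring, the built-in mail(), and the placeholder recipient below.
const RECIPIENT = 'you@example.com'; // placeholder: your own address, never user input

// CR, LF and NUL are what an attacker needs to end one header line and start
// another (e.g. a Bcc: line); a single-line field must contain none of them.
function containsHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate every field against the format we expect. Returns [errors, cleaned fields].
function validateContactForm(array $input): array
{
    $name    = trim((string) ($input['name'] ?? ''));
    $email   = trim((string) ($input['email'] ?? ''));
    $phone   = trim((string) ($input['phone'] ?? ''));
    $message = (string) ($input['message'] ?? '');
    $errors  = [];

    if ($name === '' || mb_strlen($name) > 100 || containsHeaderBreak($name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL already rejects line breaks; the explicit check documents intent.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || containsHeaderBreak($email)) {
        $errors[] = 'email';
    }
    if (preg_match('/^\+?[0-9 ()-]{5,20}$/', $phone) !== 1) {
        $errors[] = 'phone';
    }
    // The message body may legitimately contain newlines, but it never becomes a
    // header, so only its size and NUL bytes are constrained here.
    if ($message === '' || mb_strlen($message) > 5000 || strpos($message, "\0") !== false) {
        $errors[] = 'message';
    }
    return [$errors, compact('name', 'email', 'phone', 'message')];
}

// Send with a fixed To: and From:; the visitor's validated address goes in Reply-To only.
function sendContactMail(array $fields): bool
{
    $headers = [
        'From: ' . RECIPIENT,
        'Reply-To: ' . $fields['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$fields['name']}\nPhone: {$fields['phone']}\n\n{$fields['message']}";
    return mail(RECIPIENT, 'Contact form submission', $body, implode("\r\n", $headers));
}

// Constructed sample submissions: one benign, one smuggling a Bcc: line via the email field.
$benign  = ['name' => 'Ada', 'email' => 'ada@example.org', 'phone' => '+1 555 0100', 'message' => "Hello\nthere"];
$hostile = $benign;
$hostile['email'] = "ada@example.org\r\nBcc: everyone@example.net";

[$benignErrors]  = validateContactForm($benign);   // []        -> safe to pass to sendContactMail()
[$hostileErrors] = validateContactForm($hostile);  // ['email'] -> never reaches mail()
var_dump($benignErrors === [], $hostileErrors === ['email']);

// In the real handler the same two steps run on the request:
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { [$errors, $fields] = validateContactForm($_POST); ... }
```

The design choice worth noting is that the recipient is a constant and the visitor's address only ever appears in `Reply-To` after passing `filter_var()`, so there is no comparison of addresses to get wrong: the "if statement" from the comment thread is replaced by never letting the form choose the destination at all. Libraries such as PHPMailer apply the same line-break checks internally, which is why the answer recommends them over hand-built headers.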

You need XSS protection for mail forms. You don't want a user being able to inject JavaScript and such into an email. A simple way to prevent XSS is to use htmlentities() to disallow HTML tags such as <script>..</script> in the user input. htmlentities converts a tag like <script> to &lt;script&gt;.

Devon Bessemer