
What's a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that's not part of the mysql_function() family of functions.)

I take the data, sanitize it, print it back to the user and send it in an email to a preset address.

EDIT: I'm just sending the email to our email address so we can send out a mailing to the address in the email.

Moshe

3 Answers


Have you looked at the filter functions, e.g. http://www.php.net/manual/en/function.filter-var.php

Shaun Hare

Sanitizing for an e-mail would be equivalent to sanitizing for HTML output. I see some suggestions on SO for HTML Purifier.

Alin Purcaru
  • Why would you escape HTML in a plaintext email? I think he wants to protect against header injection. – ThiefMaster Dec 03 '10 at 20:47
  • @ThiefMaster Who said anything about plain text? Most of the emails are HTML nowadays so they should be checked for HTML injection. I don't think he referred to header injection. Why would he print the headers back to the user? – Alin Purcaru Dec 03 '10 at 21:18
  • Most emails are HTML? Not really.. luckily. HTML emails are a pest. – ThiefMaster Dec 04 '10 at 00:39
  • @ThiefMaster I don't know what mails you receive or send but what I use and work with is HTML. – Alin Purcaru Dec 04 '10 at 01:30

Since you're printing it back to the user, you need to escape any HTML content.

strip_tags() and htmlspecialchars() are quite useful in filtering the message content, especially if you're using HTML messages.

See also:
How to sanitize user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you're using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.

dig412
  • There's no good reason to escape HTML in an email.. especially if it's a plaintext email. – ThiefMaster Dec 03 '10 at 20:46
  • @ThiefMaster, But what about sanitizing for the handling of the data before I send the email? – Moshe Dec 03 '10 at 20:50
  • Certainly, but we don't know what he's doing with the email. Covering all the bases, even if you only expect text emails at the start, is a good tactic. – dig412 Dec 03 '10 at 20:51
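An added example (not code from any of the answers) that ties the thread's points together: reject line breaks in anything headed for a mail header, validate the address with filter_var(), strip tags from the body, and HTML-escape only the copies echoed back to the page. The form field names and the use of a PHP 7.4+ arrow function are assumptions.

```php
<?php
// Added example, not code from the answers above. Assumes a contact form
// posting name/email/subject/message; the recipient address stays preset.

function sanitizeContactPost(array $post): array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // Header injection: a CR or LF in any value that lands on a header line
    // lets the sender append further headers. Rejecting is safer than
    // silently stripping, and the rejection can be logged.
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException("Line break in header field '$field'");
        }
    }

    // The address goes into Reply-To, so it must be a single valid mailbox.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }

    // Plaintext body: keep the text but drop tags, so pasted HTML does not
    // survive if the message is later rendered or forwarded as HTML.
    $message = strip_tags($message);

    return [
        'email'   => $email,
        'subject' => $subject,
        'message' => $message,
        // HTML-escaped copies, used only when printing the data back to the user.
        'echo'    => array_map(
            fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
            ['name' => $name, 'email' => $email, 'subject' => $subject, 'message' => $message]
        ),
    ];
}

// Constructed test input: a subject with an embedded line break is refused.
try {
    sanitizeContactPost(['name' => 'A', 'email' => 'a@example.com',
                         'subject' => "Hello\r\nX-Test: injected", 'message' => 'hi']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

$clean = sanitizeContactPost(['name' => 'A', 'email' => 'a@example.com',
                              'subject' => 'Hello', 'message' => '<b>hi</b>']);
// mail('inbox@example.com', $clean['subject'], $clean['message'],
//      "From: webform@example.com\r\nReply-To: {$clean['email']}\r\n");
```

The mail() call is left commented so the script runs without a configured MTA; the From: header stays a fixed address so only Reply-To and Subject carry user data.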