Cleaning user input before sending it in mail

Question

I am using PHPMailer class to send mails. Some mails contain user input. Should I clean user input before inserting it to mail body? How to do this?

Tried to google for it but haven't fount anything useful.

Have a look at this question: http://stackoverflow.com/questions/129677 — Aleks G, Jun 24 '11 at 16:40

score 3 · Answer 1 · answered Jun 24 '11 at 16:32

3

Yes, you should ALWAYS sanitize/clean user input to prevent code or SQL injections.

answered Jun 24 '11 at 16:32

Steve Nguyen

5,854
5
21
39

score 0 · Answer 2 · answered Jun 24 '11 at 16:42

0

Sanitation is always key when handling user input.

You can use strip_tags to limit the HTML tags they're allowed to use, if any.
htmlspecialchars will properly change things like < into < so they can't be evaluated as HTML.
If inserting content into a database, use the proper escape function:
- PostgreSQL - pg_escape_string
- mySQL - mysql_real_escape_string

answered Jun 24 '11 at 16:42

Michael Irigoyen

22,513
17
89
131

I am familiar with sanitizing data before inserting to databases. My question is about **mail injections**. Are thees functions (escaping functions) enough to prevent such kinds of attacks? – Andriy Kravchenko Jun 24 '11 at 16:54
Yes, stripping tags is probably the most important. – Michael Irigoyen Jun 24 '11 at 17:58

Cleaning user input before sending it in mail

2 Answers2