Escape string to use in mail()
The idea behind email injection is that an attacker injects a line feed (LF) into the email headers and so adds as many headers as he wants. Stripping those line feeds will protect you from this attack. For detailed info check http://www.phpsecure.info/v2/article/MailHeadersInject.en.php
The best practice is to rely on well-written, frequently updated and widely used code. For that I would suggest using PEAR_MAIL or Zend_Mail.
If you don't want to load those modules, or you need to keep things very simple, you can extract the filtering functionality from those modules. I do recommend using them, though, and updating the library frequently, so that if a new attack appears in the future you will just need to update your library (Pear or Zend) and you are done.
This is the function that sanitizes headers in the Pear Mail package:
```php
function _sanitizeHeaders(&$headers)
{
    foreach ($headers as $key => $value) {
        // Cut each header value at the first line break (raw or encoded),
        // so anything an attacker appended after it is discarded.
        $headers[$key] =
            preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i',
                         null, $value);
    }
}
```
Zend_Mail uses different filters for email, name and other fields:
```php
// Address fields: line breaks, tabs, quotes, commas and angle brackets are removed.
function _filterEmail($email)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  '"'  => '',
                  ','  => '',
                  '<'  => '',
                  '>'  => '',
    );
    return strtr($email, $rule);
}

// Display names: line breaks removed, quoting characters replaced with harmless ones.
function _filterName($name)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  '"'  => "'",
                  '<'  => '[',
                  '>'  => ']',
    );
    return trim(strtr($name, $rule));
}

// Any other header value: only line breaks and tabs are removed.
function _filterOther($data)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
    );
    return strtr($data, $rule);
}
```
Do I need to escape POST when sending emails?
All output from your code should be escaped or sanitised in the appropriate way. That includes output that is sent as an email.
When it comes to writing email headers, you need to be extremely vigilant to protect yourself against injection attacks that could result in your mail being sent to arbitrary addresses, and with arbitrary content.
Ultimately this comes down to ensuring that your email addresses are valid and do not contain any line feed characters, etc., and your current FILTER_VALIDATE_EMAIL code is a good start at handling this.
However, as it stands, your program basically allows a user to send any content they like to any recipient they like. The only hard-coded part is your 'from' address. This sounds like an open invitation for it to be used to send spam, regardless of any escaping you may be doing.
If this is your actual code, I advise you to reconsider what it's doing!
Once you've done that, I would advise you to download a copy of the phpMailer class and use that for sending emails in PHP rather than the built-in mail() function. It's a lot easier to use, has a lot more functionality, and most importantly, it does all the validation, sanitisation and escaping for you, so you don't need to worry about it any more.
Hope that helps.
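The header-injection check and the FILTER_VALIDATE_EMAIL validation described in the two answers above, combined into one worked example. This is added code, not code from either answer or from PEAR/Zend; the function names and the sample form input are constructed for the illustration.

```php
<?php
// Added example (not code from the answers above): assemble mail() headers from
// untrusted form values so that an injected line break cannot add a header.
// Function names and the sample input below are constructed for this illustration.

// Reject any value that carries a raw line break. The PEAR function above strips
// them; rejecting is stricter, because a stripped value may still be garbage.
function assert_single_line(string $field, string $value): void
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("Line break in header field '$field'");
    }
}

// Address: single line, then quotes, commas and angle brackets removed
// (as Zend_Mail's _filterEmail does), then validated as a mailbox.
function header_email(string $field, string $email): string
{
    assert_single_line($field, $email);
    $email = strtr($email, ['"' => '', ',' => '', '<' => '', '>' => '']);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid address in header field '$field'");
    }
    return $email;
}

// Display name: same replacements as Zend_Mail's _filterName.
function header_name(string $name): string
{
    assert_single_line('From name', $name);
    return trim(strtr($name, ["\t" => '', '"' => "'", '<' => '[', '>' => ']']));
}

function build_headers(string $fromName, string $fromEmail, string $replyTo): string
{
    return 'From: "' . header_name($fromName) . '" <' . header_email('From', $fromEmail) . ">\r\n"
         . 'Reply-To: ' . header_email('Reply-To', $replyTo) . "\r\n";
}

// Constructed form input: a Reply-To value that tries to smuggle in a Bcc header.
$injected = "user@example.com\r\nBcc: someone-else@example.net";

echo build_headers('Alice <Sales>', 'alice@example.com', 'bob@example.com');
try {
    build_headers('Alice', 'alice@example.com', $injected);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The second call is refused before any header string is built, so the smuggled Bcc line never reaches mail().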
What is the correct way to escape a string for a mailto link
You just need to rawurlencode() the link at the end of the email address according to the W3C standards.
There is an example on the PHP Manual for urlencode (search for mailto on that page):
http://php.net/manual/en/function.urlencode.php
Escaping dangerous characters in emails in PHP
Disregard my other answer. I read your question wrong.
Here's a function I've been using to verify an email conforms to RFC standards:
```php
// The closing `?` applies only to the last label's optional tail; in the
// original line it sat after the whole domain group, which made the domain
// part optional and let "user@" through.
$isValid = preg_match("/^([a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*)@((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)$/i", $email) === 1;
```
How to escape strings in Laravel 5.4 Markdown mails?
OK, I found my solution! You have to create a new mail component...
At first you must publish the email components from Laravel with php artisan vendor:publish --tag=laravel-mail (https://laravel.com/docs/5.4/mail#customizing-the-components). Now you have a vendor folder in your resources/views.
Go into resources/views/mail/html and create a new .blade.php file. My file looks like this:
```html
<table class="notification" align="center" width="100%" cellpadding="0" cellspacing="0">
    <tr>
        <td class="notification-meta">
            {{ $time }}
        </td>
    </tr>
    <tr>
        <td class="notification-content">
            {{ $slot }}
        </td>
    </tr>
</table>
```
You must create the same file under resources/views/markdown/html for the plain text mails.
If you look into resources/views/mail/html/footer.blade.php you can see the following function in the template:
```php
{{ Illuminate\Mail\Markdown::parse($slot) }}
```
This function parses markdown to HTML. I don't use the function in my template.
Now I can use my component in the mail like:
```markdown
# Message for you!
Hello {{ $user->name }},
@component('mail::notification', ['time' => '06.02.2017' ])
{{ $text }}
@endcomponent
Greetings
```
And the $text will not be parsed from markdown to HTML :)
PHP How to encode(escape) @, for email validation?
The query that you try to execute is:
```sql
SELECT * FROM Email WHERE Email = email@email.com
```
Email is in this case a string, and a string needs to be quoted.
```php
function retrieve_where($table, $table_id, $table_name, $value) {
    // The value is wrapped in single quotes; mysql_real_escape_string() needs an
    // open mysql_* connection and was removed in PHP 7.0.
    $table = $this->db->query("Select * FROM " . mysql_real_escape_string($table) . " Where " . mysql_real_escape_string($table_id) . " = '" . mysql_real_escape_string($value) . "'");
    $records = array();
    foreach ($table->result() as $row) {
        $records[] = $row->$table_name;
    }
    return $records;
}
```
Don't forget to escape your query with mysql_real_escape_string(). It will protect you against injections.
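The same lookup with the email value bound as a prepared-statement parameter instead of being escaped into the SQL text. This is an added example, not the answer's code: it uses PDO against an in-memory SQLite table constructed inline, and the allow-list of table and column names is an assumption for the illustration.

```php
<?php
// Added example (not from the answer above): the lookup as a PDO prepared
// statement. The value is bound, so it needs no escaping; table and column
// names cannot be bound, so they are checked against a constructed allow-list.
function retrieve_where(PDO $pdo, string $table, string $column, string $wanted, string $value): array
{
    // Identifiers: accept only known names, then quote them with backticks.
    $allowed = ['Email' => ['Email', 'Id', 'Name']];   // constructed allow-list
    if (!isset($allowed[$table])
        || !in_array($column, $allowed[$table], true)
        || !in_array($wanted, $allowed[$table], true)) {
        throw new InvalidArgumentException('Unknown table or column');
    }
    $sql = sprintf('SELECT `%s` FROM `%s` WHERE `%s` = :value', $wanted, $table, $column);

    // The value travels separately from the SQL text, so quotes or comment
    // markers inside it cannot change the shape of the query.
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed data: an in-memory SQLite table so the example runs without MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Email (Id INTEGER PRIMARY KEY, Email TEXT, Name TEXT)');
$pdo->exec("INSERT INTO Email (Email, Name) VALUES ('email@email.com', 'Sample')");

var_dump(retrieve_where($pdo, 'Email', 'Email', 'Name', 'email@email.com'));
var_dump(retrieve_where($pdo, 'Email', 'Email', 'Name', "' OR '1'='1"));
```

The second call compares the whole quoted string as data, so it matches no row instead of widening the WHERE clause.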