Escape String to Use in Mail()

Escape string to use in mail()

The idea behind email injection is that an attacker injects a line feed (LF) into the email headers and so adds as many headers as he wants. Stripping those line feeds will protect you from this attack. For detailed info check http://www.phpsecure.info/v2/article/MailHeadersInject.en.php

The best practice is to rely on well-written, frequently updated and widely used code. For that I would suggest using PEAR_MAIL or Zend_Mail.

If you don't want to load those modules, or you need to keep things very simple, you can extract the filtering functionality from those modules. Although I do recommend using them and frequently updating the library, so that if a new attack appears in future you will just need to update your library (PEAR or Zend) and you are done.

This is the function that sanitizes headers in the PEAR Mail package:

function _sanitizeHeaders(&$headers)
{
    // For every header, cut the value from the first line break (or literal
    // line-break marker) that is followed by a non-whitespace character,
    // which is where an injected header would begin. Folded continuation
    // lines (line break followed by whitespace) are left alone.
    foreach ($headers as $key => $value) {
        $headers[$key] =
            preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i',
                         null, $value);
    }
}

Zend_Mail uses different filters for email, name and other fields:

// Addresses: drop line breaks and tabs (header injection) as well as quotes,
// commas and angle brackets, which could turn one address into several.
function _filterEmail($email)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  '"'  => '',
                  ','  => '',
                  '<'  => '',
                  '>'  => '',
                  );

    return strtr($email, $rule);
}

// Display names: drop line breaks and tabs, and replace the quoting and
// bracket characters with harmless look-alikes instead of removing them.
function _filterName($name)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  '"'  => "'",
                  '<'  => '[',
                  '>'  => ']',
                  );

    return trim(strtr($name, $rule));
}

// Any other header value: only the line breaks and tabs are removed.
function _filterOther($data)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  );

    return strtr($data, $rule);
}

Do I need to escape POST when sending emails?

All output from your code should be escaped or sanitised in the appropriate way. That includes output that is sent as an email.

When it comes to writing email headers, you need to be extremely vigilant to protect yourself against injection attacks that could result in your mail being sent to arbitrary addresses, and with arbitrary content.

Ultimately this comes down to ensuring that your email addresses are valid and do not contain any line feed characters, etc, and your current FILTER_VALIDATE_EMAIL code is a good start at handling this.

However, as it stands, your program basically allows a user to send any content they like to any recipient they like. The only hard-coded part is your 'from' address. This sounds like an open invitation for it to be used to send spam, regardless of any escaping you may be doing.

If this is your actual code, I advise you to reconsider what it's doing!

Once you've done that, I will advise you to download a copy of the phpMailer class, and use that for sending emails in PHP rather than the built-in mail() function. It's a lot easier to use, has a lot more functionality, and most importantly, it does all the validation, sanitisation and escaping for you, so you don't need to worry about it any more.

Hope that helps.
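The two answers above make the same two points: strip CR/LF from anything that ends up in a header, and do not let the request choose the recipient. The following is an added example (not code from either answer, nor from PEAR or Zend) that puts both into practice for the built-in mail() function. The function names, the recipient allow-list and the tainted input are constructed for this example.

```php
<?php
// Added example: hardening header construction for mail().
// Assumptions of this example: the function names below and the allow-list
// of recipients; none of these come from the answers above.

// Recipients are chosen by the application from a fixed list; the request
// only supplies a key into it, never an address.
const ALLOWED_RECIPIENTS = [
    'support' => 'support@example.com', // constructed sample addresses
    'sales'   => 'sales@example.com',
];

function pick_recipient(string $key): string
{
    if (!array_key_exists($key, ALLOWED_RECIPIENTS)) {
        throw new InvalidArgumentException('unknown recipient key');
    }
    return ALLOWED_RECIPIENTS[$key];
}

// Addresses that the user may supply (From, Reply-To): they must validate as an
// e-mail address, and as belt and braces no CR, LF or NUL may be present.
// FILTER_VALIDATE_EMAIL already rejects them, but the explicit check states
// the security requirement in the code.
function safe_address(string $candidate): ?string
{
    $candidate = trim($candidate);
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $candidate)) {
        return null;
    }
    return $candidate;
}

// Free-text header fields such as Subject: remove the characters that could
// start a new header line, then cap the length.
function safe_header_value(string $value, int $max = 200): string
{
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return mb_substr(trim($value), 0, $max);
}

// Assemble the additional headers for mail(); throws instead of silently
// sending when an address does not pass validation.
function build_headers(string $from, string $replyTo): string
{
    $from    = safe_address($from);
    $replyTo = safe_address($replyTo);
    if ($from === null || $replyTo === null) {
        throw new InvalidArgumentException('invalid address in headers');
    }
    return "From: $from\r\n"
         . "Reply-To: $replyTo\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Constructed input imitating a form submission that tries to add a Bcc: header
// through the Reply-To field.
$tainted = "visitor@example.net\r\nBcc: someone-else@example.org";
var_dump(safe_address($tainted));        // rejected, returns NULL
var_dump(safe_header_value("Hello\r\nBcc: x@example.org"));

// The hardened send: recipient from the allow-list, validated addresses,
// line breaks removed from the subject.
$to      = pick_recipient('support');
$subject = safe_header_value("Question about my order\r\nX-Injected: yes");
$headers = build_headers('noreply@example.com', 'visitor@example.net');
var_dump($to, $subject, $headers);
// mail($to, $subject, $body, $headers); would go here in a real application.
```

The recipient allow-list is the part that escaping alone cannot replace: even with perfectly clean headers, a form that accepts an arbitrary `$to` is still an open relay.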

What is the correct way to escape a string for a mailto link

You just need to rawurlencode() the link at the end of the email address according to the W3C standards.

There is an example on the PHP Manual for urlencode (search for mailto on that page):
http://php.net/manual/en/function.urlencode.php
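As an added example (not the PHP manual's snippet), here is a small helper that builds a mailto: link with a subject and body taken from user input. rawurlencode() percent-encodes the query values for the URL (spaces become %20, which the RFC requires, rather than the '+' that urlencode() emits), and htmlspecialchars() then escapes the finished URL for use inside an HTML attribute. The function name and the sample values are assumptions of this example.

```php
<?php
// Added example: escaping for the two contexts a mailto: link lives in,
// the URL itself and the HTML attribute that carries it.
function mailto_link(string $address, string $subject, string $body, string $label = 'Email us'): string
{
    // The address is validated rather than encoded; a valid addr-spec is
    // already a legal mailto: target.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid address');
    }

    // Query values: rawurlencode() so that '&', '=', '#', spaces and line
    // breaks cannot change the structure of the URL.
    $query = 'subject=' . rawurlencode($subject)
           . '&body='   . rawurlencode($body);
    $url   = 'mailto:' . $address . '?' . $query;

    // Attribute context: htmlspecialchars() so that '"', '<' and '&' in the
    // URL cannot break out of the href attribute.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample input containing characters that are special in URLs and HTML.
echo mailto_link('help@example.com', 'Order #42 & refund?', "Line one\nLine two <b>"), "\n";
```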

Escaping dangerous characters in emails in PHP

Disregard my other answer. I read your question wrong.

Here's a function I've been using to verify an email conforms to RFC standards:

preg_match("/^([a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*)@((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9]))?$/i",$email)

How to escape strings in Laravel 5.4 Markdown mails?

OK, I found my solution! You have to create a new mail component...

At first you must publish the email components from laravel with php artisan vendor:publish --tag=laravel-mail (https://laravel.com/docs/5.4/mail#customizing-the-components). Now you have a vendor folder in your resources/views.

Go into resources/views/mail/html and create a new .blade.php file. My file looks like this:

<table class="notification" align="center" width="100%" cellpadding="0" cellspacing="0">
    <tr>
        <td class="notification-meta">
            {{ $time }}
        </td>
    </tr>
    <tr>
        <td class="notification-content">
            {{ $slot }}
        </td>
    </tr>
</table>

You must create the same file under resources/views/markdown/html for the plain text mails.

If you look into resources/views/mail/html/footer.blade.php you can see the following function in the template:

{{ Illuminate\Mail\Markdown::parse($slot) }}

This function parses markdown to html. I don't use the function in my template.

Now I can use my component in the mail like:

# Message for you!

Hello {{ $user->name }},

@component('mail::notification', ['time' => '06.02.2017' ])
{{ $text }}
@endcomponent

Greetings

And the $text will not be parsed from markdown to html :)

PHP How to encode(escape) @, for email validation?

The query that you try to execute is:

SELECT * FROM Email WHERE Email = email@email.com

Email is in this case a string, and a string needs to be quoted.

function retrieve_where($table, $table_id, $table_name, $value) {
    // Every piece that is spliced into the SQL string is passed through
    // mysql_real_escape_string() first, so a quote in $value (or in the
    // identifiers) cannot terminate the quoted literal. Note that
    // mysql_real_escape_string() needs an open mysql_* connection and that
    // the mysql extension was removed in PHP 7.
    $table = $this->db->query("SELECT * FROM " . mysql_real_escape_string($table)
        . " WHERE " . mysql_real_escape_string($table_id)
        . " = '" . mysql_real_escape_string($value) . "'");
    $records = array();
    foreach ($table->result() as $row) {
        $records[] = $row->$table_name;
    }
    return $records;
}

Don't forget to escape your query with mysql_real_escape_string(). It will protect you against injections.
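The same lookup can be written so that the address is passed to the database as a bound parameter instead of being spliced into the SQL text; the '@' then needs no encoding at all, and quote characters in the value are compared as data. This is an added example, not the answer's code: it assumes PDO with an in-memory SQLite database (the answer used a CodeIgniter `$this->db` object), and the table contents are constructed.

```php
<?php
// Added example: the lookup from the answer above as a prepared statement.
// Assumptions: PDO + SQLite in memory; the function and sample rows are
// constructed for this example.
function retrieve_where(PDO $db, string $table, string $column, string $value): array
{
    // Identifiers cannot be bound as parameters, so they are validated against
    // a strict pattern and quoted with standard SQL double quotes (SQLite and
    // PostgreSQL; MySQL needs backticks unless ANSI_QUOTES is enabled).
    foreach ([$table, $column] as $identifier) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $identifier)) {
            throw new InvalidArgumentException("bad identifier: $identifier");
        }
    }
    $sql  = sprintf('SELECT "%s" FROM "%s" WHERE "%s" = :value', $column, $table, $column);
    $stmt = $db->prepare($sql);
    // The value travels separately from the SQL text: no escaping needed.
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Email (id INTEGER PRIMARY KEY, Email TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO Email (Email) VALUES (:e)');
foreach (['email@email.com', "o'brien@example.com"] as $e) {
    $insert->execute([':e' => $e]);
}

// The '@' is not special; the apostrophe is matched literally.
var_dump(retrieve_where($db, 'Email', 'Email', 'email@email.com'));
var_dump(retrieve_where($db, 'Email', 'Email', "o'brien@example.com"));
var_dump(retrieve_where($db, 'Email', 'Email', 'nobody@example.com')); // empty array
```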
