How to Sanitize User Input in PHP Before Mailing

How to sanitize user input in PHP before mailing?

Sanitize the post variable with filter_var().

Example here. Like:

echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   

Do I need to sanitize user-inputted data, before sending it in an email

The escaping entirely depends on the context the data is embedded into.

Are you sending HTML mails? Then you have HTML context, and htmlspecialchars() must be used.

If you are sending plain text mails, there is no escaping for plain text.

The only threat would be that your mail client has some bug that interprets the plain text as something executable and then acts up when you get some strange names and mail addresses.

But this only applies to the mail's content, not the actual headers.

You are using a custom mail header From. Do not use this. From is used in spam filters. If I entered my mail address, and you sent this mail with From: my@mail, you would be impersonating my own email server. Spam used to use this to hide the real source, and to redirect complaints and error feedback to the unhappy guy behind that mail address. Because of this, today there are mechanisms that will prevent such abuse. So just do not pretend I am sending this mail - YOU do.

If you want to be able to answer me with a click on the reply button, use the Reply-To header, but always use From: dont-answer@YOURWEBSITE.example.

Additionally, these custom headers are the entry point for bad things. Make sure you are only adding mail addresses. Make sure you do not add any line feed characters. These would make the mailserver think that there is a new header coming up, and this might lead to mail header injection.

How can I sanitize user input with PHP?

It's a common misconception that user input can be filtered. PHP even has a (now deprecated) "feature", called magic-quotes, that builds on this idea. It's nonsense. Forget about filtering (or cleaning, or whatever people call it).

What you should do, to avoid problems, is quite simple: whenever you embed a piece of data within a foreign code, you must treat it according to the formatting rules of that code. But you must understand that such rules could be too complicated to try to follow them all manually. For example, in SQL, rules for strings, numbers and identifiers are all different. For your convenience, in most cases there is a dedicated tool for such an embedding. For example, when you need to use a PHP variable in the SQL query, you have to use a prepared statement, that will take care of all the proper formatting/treatment.

Another example is HTML: If you embed strings within HTML markup, you must escape them with htmlspecialchars. This means that every single echo or print statement should use htmlspecialchars.

A third example could be shell commands: If you are going to embed strings (such as arguments) to external commands, and call them with exec, then you must use escapeshellcmd and escapeshellarg.

Also, a very compelling example is JSON. The rules are so numerous and complicated that you would never be able to follow them all manually. That's why you should never ever create a JSON string manually, but always use a dedicated function, json_encode() that will correctly format every bit of data.

And so on and so forth ...

The only case where you need to actively filter data is if you're accepting preformatted input. For example, if you let your users post HTML markup that you plan to display on the site. However, you would be wise to avoid this at all cost, since no matter how well you filter it, it will always be a potential security hole.
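As an added example (not part of the answer above), the same hostile string is passed through the escaping function for each context the answer names other than SQL: htmlspecialchars() for HTML text and for a quoted attribute, escapeshellarg() for a shell argument, and json_encode() for JSON that lands inside a script block. The hostile input, the grep command and the log file path are made up for the illustration.

```php
<?php
// Added example: one hostile input, four embedding contexts, each handled
// with the escaping tool that context requires. Not code from the answer.
declare(strict_types=1);

// 1. HTML text context: entity-encode on output, every time.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. HTML attribute context: same function, but the attribute must be quoted.
// ENT_QUOTES encodes both quote styles, so the value cannot close the
// attribute early whichever quote character the template used.
function toHtmlAttr(string $s): string
{
    return 'value="' . toHtml($s) . '"';
}

// 3. Shell argument context: escapeshellarg() wraps the value in single
// quotes and neutralises embedded single quotes. The command itself and
// the option separator "--" stay constant; only arguments are variable.
function grepCommand(string $needle, string $file): string
{
    return 'grep -F -- ' . escapeshellarg($needle) . ' ' . escapeshellarg($file);
}

// 4. JSON context: never concatenate JSON by hand. json_encode() quotes
// everything; the JSON_HEX_* flags additionally encode < > & ' " so the
// result is safe inside a <script> block, and non-ASCII characters such
// as U+2028 are emitted as \u escapes by default.
function toJsonForScript(array $data): string
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed hostile input: tries HTML, shell and JSON tricks at once.
$userInput = "Robert'); \"<script>alert(1)</script>\"; rm -rf /; \u{2028}";

echo "HTML:  ", toHtml($userInput), PHP_EOL;
echo "ATTR:  <input ", toHtmlAttr($userInput), ">", PHP_EOL;
echo "SHELL: ", grepCommand($userInput, '/var/log/app.log'), PHP_EOL;
echo "JSON:  ", toJsonForScript(['name' => $userInput]), PHP_EOL;
```

Each function takes the raw value and is called at the point of embedding; nothing is "cleaned" up front, which is the answer's point. The shell example only builds the command string; it is not executed.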

User inputs, clean and sanitize before sending to db

First, keep the text logical and clean:

trim() -- OK
htmlentities($comment, ENT_NOQUOTES) -- No; do later
mysqli_real_escape_string() -- Yes; required by API
nl2br() -- No; see below

The logic behind those recommendations: The data in the database should be just plain data. Not htmlentities, not br-tags. But, you must do the escape_string in order to pass data from PHP to MySQL; the escapes will not be stored.

But... That is only the middle step. Where did the data come from? Older versions of PHP try to "protect" you by adding escapes and other junk that works OK for HTML, but screws up MySQL. Turn off such magic escaping, and get the raw data.

Where does the data go to? Probably HTML? After SELECTing the data back out of the table, then first do htmlentities() and (optionally) nl2br();

Note, if you are expecting to preserve things like <I> (for italic), you are asking for trouble -- big trouble. All a hacker needs to do is <script> ... to inject all sorts of nastiness into your web page and possibly your entire system.
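An added example, not from the answer above, of the pipeline it describes: a prepared statement stores the trimmed raw text, and htmlspecialchars() followed by nl2br() is applied only when the comment is rendered. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension is available) in place of MySQL and mysqli_real_escape_string(); the prepared statement plays the same role. The comment text is constructed to include the <I> and <script> cases the answer warns about. This also illustrates the prepared-statement advice in the earlier answer on sanitizing user input.

```php
<?php
// Added example: store plain data, escape on output. Not code from the answer.
// Assumes PDO with the pdo_sqlite driver; the table and data are made up.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Input side: trim and nothing else. The prepared statement does the SQL
// quoting, so no escape_string output and no HTML entities end up in the table.
function storeComment(PDO $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => trim($raw)]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output side: escape first, then turn newlines into <br />. In the other
// order nl2br()'s own <br /> tags would be entity-encoded too.
function renderComment(string $plain): string
{
    return nl2br(htmlspecialchars($plain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

$db = openDb();

// Constructed input: a "helpful" italic tag, a script tag, a SQL quote and
// surrounding whitespace.
$raw = "  I <I>love</I> it!\nO'Reilly <script>alert(document.cookie)</script>  ";
$id  = storeComment($db, $raw);

// What came back is exactly the trimmed input: no escapes were stored.
$stored = fetchComment($db, $id);
var_dump($stored === trim($raw));

// Only here, at the HTML boundary, do the tags become harmless text and
// the newline becomes a line break.
echo renderComment($stored), PHP_EOL;
```

If the <I> tag really must survive as italic markup, that is the "preformatted input" case from the earlier answer, and it needs a real HTML sanitizer with an allowlist of tags, not a blanket htmlspecialchars().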

Sanitizing user input that will later be e-mailed - what should I be worried about?

You need to be aware of Email Header Injection attacks.

Basically if you strip \n and \r from the $name, $from, $to and $subject you should be fairly safe, but it's always best to take a white list approach.
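The following is an added example, not from any of the answers, that applies the advice in this answer and in the earlier answer on From and Reply-To: CR, LF and NUL are rejected (not stripped) in every header field, the visitor's address must pass FILTER_VALIDATE_EMAIL, From is a fixed site address, and the visitor goes into Reply-To. The addresses dont-answer@yourwebsite.example and inbox@yourwebsite.example, the form field names and the two sample submissions are placeholders; the mail() call is commented out so the script runs without a mail server.

```php
<?php
// Added example: build contact-form mail headers that user input cannot
// inject into. Not code from the answers above; addresses are placeholders.
declare(strict_types=1);

final class MailHeaderInjectionException extends RuntimeException {}

// Anything that could start a new header line (CR, LF) or contain NUL is
// rejected outright rather than silently stripped.
function assertSingleLine(string $value, string $field): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new MailHeaderInjectionException("$field contains a line break or NUL");
    }
    return $value;
}

// White-list approach for the address: it must parse as one mailbox.
// FILTER_VALIDATE_EMAIL rejects embedded CR/LF as well.
function validEmailOrFail(string $email, string $field): string
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new MailHeaderInjectionException("$field is not a valid address");
    }
    return $email;
}

// Returns [to, subject, body, headers] ready for mail(); does not send.
function buildContactMail(array $post, string $siteFrom, string $siteTo): array
{
    $name    = assertSingleLine(trim((string) ($post['name'] ?? '')), 'name');
    $replyTo = validEmailOrFail((string) ($post['email'] ?? ''), 'email');
    $subject = assertSingleLine(trim((string) ($post['subject'] ?? '')), 'subject');
    $message = (string) ($post['message'] ?? '');

    // Plain-text body: no escaping needed, so the visitor's name goes here
    // rather than into a header. Line endings are normalised only so the
    // body itself is well-formed.
    $body = "From: $name <$replyTo>\n\n"
          . str_replace(["\r\n", "\r"], "\n", $message);

    $headers = [
        'From: ' . $siteFrom,       // always our own address, never the visitor's
        'Reply-To: ' . $replyTo,    // reply button still reaches the visitor
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
    ];

    return [$siteTo, $subject, $body, implode("\r\n", $headers)];
}

// Constructed sample input: a legitimate submission and an injection attempt.
$good = [
    'name' => 'Alice', 'email' => 'alice@example.org',
    'subject' => 'Hello', 'message' => "Line one\r\nLine two",
];
$evil = [
    'name' => 'Mallory', 'email' => "mallory@example.org\r\nBcc: victim@example.net",
    'subject' => 'Hi', 'message' => 'spam',
];

[$to, $subject, $body, $headers] = buildContactMail(
    $good, 'dont-answer@yourwebsite.example', 'inbox@yourwebsite.example'
);
echo $headers, PHP_EOL;
// mail($to, $subject, $body, $headers);   // uncomment to actually send

try {
    buildContactMail($evil, 'dont-answer@yourwebsite.example', 'inbox@yourwebsite.example');
} catch (MailHeaderInjectionException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note the difference from FILTER_SANITIZE_EMAIL in the first answer: the sanitize filter removes the offending characters and returns whatever is left, which can turn an injection attempt into a different but valid-looking address. Validating and refusing the submission keeps the decision explicit.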

PHP sanitisation for user input

Two things are important at this point:

  • Ensuring the user doesn't compromise your data: Prevent SQL Injections

See SQL Injection documentation here:

http://php.net/manual/en/security.database.sql-injection.php

  • Validating the email address to ensure the user did input a correct email

http://www.linuxjournal.com/article/9585
