 Posted by Edward Z. Yang on 05/23/07 22:07 
Cheb wrote: 
> I am writing a simple 'contact us' email form and I am aware I should 
> protect it from code injection and malicious email hijacks. I have 
> used mysql_escape_string() to remove any newlines in the headers but 
> do I need to protect the message body too? Should I include MIME 
> content headers too? And should I be worried about HTML inclusion in 
> the body? 
 
Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string() 
for SQL and other, more pertinent, string functions for email. 
 
If you don't have any clue what you're doing, I strongly recommend you 
use an external library like SwiftMailer <http://swiftmailer.org/> 
 
--
 Edward Z. Yang                        GnuPG: 0x869C48DA 
 HTML Purifier  <htmlpurifier.org>  Anti-XSS HTML Filter 
 [[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]] 
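An added example, not code from the original post or from SwiftMailer, of what "more pertinent string functions for email" look like for the contact form Cheb describes: header-bound fields are validated and refused on line breaks instead of being escaped, the recipient is fixed server-side, and the body goes out as plain text. The function names and the example.test addresses are my own.

```php
<?php
// Added example, not code from the original post or from SwiftMailer. Fields
// that end up in the header block (From, Reply-To, Subject) are validated and
// refused on CR/LF rather than "escaped"; mysql_real_escape_string() targets
// SQL string literals and knows nothing about RFC 5322 header syntax.

/** Refuse any value that could break out of its header line. */
function header_field(string $value, int $maxLen = 200): string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException('header field empty or too long');
    }
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header field contains a line break');
    }
    return $value;
}

/** Accept a bare address only: no display name, no comments, no folding. */
function sender_address(string $email): string
{
    $email = header_field($email, 254);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    return $email;
}

/** Build [to, subject, body, headers] for mail(); $to is never user input. */
function build_contact_mail(array $post, string $to = 'contact@example.test'): array
{
    $from    = sender_address((string) ($post['email'] ?? ''));
    $subject = header_field((string) ($post['subject'] ?? ''));
    // The body is not header-sensitive; normalise line endings and declare it
    // text/plain so any HTML a visitor types is shown literally, not rendered.
    $body    = str_replace(["\r\n", "\r"], "\n", (string) ($post['message'] ?? ''));
    $headers = "From: {$from}\r\nReply-To: {$from}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return [$to, $subject, $body, $headers];
}

// Constructed input: a subject with an embedded line break is refused.
try {
    build_contact_mail(['email' => 'visitor@example.test',
                        'subject' => "Hello\r\nsecond line", 'message' => 'Hi']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
$args = build_contact_mail(['email' => 'visitor@example.test', 'subject' => 'Hello', 'message' => 'Hi']); // ready for mail(...$args)
```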