Reply to Re: Protecting 'contact us' emailing forms

Posted by gosha bine on 05/23/07 15:11

On 23.05.2007 15:58 Cheb wrote:
> I am writing a simple 'contact us' email form and I am aware I should
> protect it from code injection and malicious email hijacks.

Google for "email injection", there are tons of info.

Basically, don't use user input in email headers, or if you must, strip
all \r's and \n's.


> I have
> used mysql_escape_string() to remove any newlines in the headers but

mysql_escape_string has nothing to do with emails. Use string functions:
str_replace, preg_replace or similar.

> Should I include MIME
> content headers too? And should I be worried about HTML inclusion in
> the body?

No, unless you're sending real multipart (e.g. text + html) mails.
If this is the case I'd suggest a professional mime package like
phpmailer, swift etc.



--
gosha bine

extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok
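As an added example (not code from gosha bine's post or from the thread), this is what the advice above looks like in a PHP contact form: user input is stripped of CR/LF before it touches a header, the recipient is fixed server-side, the visitor's address is validated with `filter_var`, and the mail is sent as plain text so HTML in the body is never rendered. The field names, addresses and the `build_contact_mail` helper are assumptions for this example.

```php
<?php
// Added example: hardening a 'contact us' form against email header
// injection. Assumes PHP 7+ and POST fields 'name', 'email', 'subject',
// 'message' (hypothetical names); addresses are placeholders.

// Remove every CR and LF so a submitted value can never start a new
// header line. This is the str_replace approach recommended in the reply.
function strip_header_newlines(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

// Stricter alternative: detect and reject instead of silently stripping.
function contains_header_newlines(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Build the four arguments for mail() from the form input.
function build_contact_mail(array $post): array
{
    $name    = strip_header_newlines(trim($post['name'] ?? ''));
    $email   = strip_header_newlines(trim($post['email'] ?? ''));
    $subject = strip_header_newlines(trim($post['subject'] ?? ''));
    $message = (string) ($post['message'] ?? '');

    // Validate the address with PHP's built-in filter, not a home-made regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }

    // Recipient is hard-coded on the server; it never comes from the form.
    $to = 'contact@example.com'; // placeholder

    // From: is fixed; the visitor's (validated, newline-free) address goes
    // into Reply-To. Plain text body, so HTML in the message is shown as text.
    $headers = "From: Website Contact Form <noreply@example.com>\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    $body = "Name: " . $name . "\n\n" . $message;

    return [$to, $subject, $body, $headers];
}

// Usage:
// [$to, $subject, $body, $headers] = build_contact_mail($_POST);
// mail($to, $subject, $body, $headers);
```

If a submission fails `contains_header_newlines()` on any header field, log it and discard the request rather than sending anything; a legitimate name or subject never contains a line break.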
