Posted by Cheb on 05/24/07 12:15
On Wed, 23 May 2007 17:11:16 +0200, gosha bine <stereofrog@gmail.com>
wrote:
>On 23.05.2007 15:58 Cheb wrote:
>> I am writing a simple 'contact us' email form and I am aware I should
>> protect it from code injection and malicious email hijacks.
>
>google for "email injection", there's tons of info.
>
>Basically, don't use user input in email headers, or if you must, strip
>all \r's and \n's.
>
>> I have
>> used mysql_escape_string() to remove any newlines in the headers but
>
>mysql_escape_string has nothing to do with emails. Use string functions:
>str_replace, preg_replace or similar.
>
>> Should I include MIME
>> content headers too? And should I be worried about HTML inclusion in
>> the body?
>
>No, unless you're sending real multipart (e.g. text + html) mails.
>If this is the case I'd suggest a professional mime package like
>phpmailer, swift etc.
Thanks for the suggestions - much appreciated.
I have developed a few database-oriented PHP sites (hence the bad
habit of using mysql_escape_string() to render user input from forms
'safe'), but I am self taught so I know I have plenty to learn. I
think for now I will go with yours and Edward's suggestion of Swift
and read up on the techniques/pitfalls later when I come to write my
own module.
Thanks again
Chris R.
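As an added illustration of the advice in this thread (not code from either poster), here is a contact-form helper that refuses any header-bound value containing CR or LF rather than "escaping" it, keeps the visitor's address out of From: entirely (it only ever reaches Reply-To:), and sends plain text so HTML in the body is never rendered. The function names, the placeholder addresses and the use of PHP's built-in mail() are assumptions.

```php
<?php
// Added example, not from the thread. Placeholder addresses below.
const CONTACT_TO   = 'contact@example.com';
const CONTACT_FROM = 'Website <noreply@example.com>';

/** True only if $value may safely occupy a single header line. */
function headerValueIsSafe(string $value): bool
{
    // A CR, LF or NUL would let the value end the current header and
    // begin another, so reject the input instead of trying to clean it.
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/** Validate the visitor's address; null means "do not send". */
function validReplyTo(string $email): ?string
{
    $email = trim($email);
    if (!headerValueIsSafe($email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

/** Build the header block for mail(); user input only reaches Reply-To. */
function buildHeaders(string $visitorEmail): ?string
{
    $replyTo = validReplyTo($visitorEmail);
    if ($replyTo === null) {
        return null;
    }
    return 'From: ' . CONTACT_FROM . "\r\n"
         . 'Reply-To: ' . $replyTo . "\r\n"
         . 'Content-Type: text/plain; charset=UTF-8';
}

/** Send the form; returns false when any input is unsafe or mail() fails. */
function sendContactMessage(string $visitorEmail, string $subject, string $body): bool
{
    $headers = buildHeaders($visitorEmail);
    if ($headers === null || !headerValueIsSafe($subject)) {
        return false;
    }
    // Body is delivered as text/plain, so tags in it are never interpreted.
    return mail(CONTACT_TO, $subject, $body, $headers);
}

// Constructed inputs: the second carries a CRLF and must yield null.
var_dump(buildHeaders('alice@example.org'));
var_dump(buildHeaders("alice@example.org\r\nX-Injected: 1"));
```

Because the subject is also checked, a visitor cannot smuggle a header through it either; only the body is left unchecked, and it is sent as plain text.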