Reply to Re: Protecting 'contact us' emailing forms

Posted by Cheb on 05/24/07 12:30

On Wed, 23 May 2007 18:07:04 -0400, "Edward Z. Yang"
<edwardzyang@thewritingpot.com> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Cheb wrote:
>> I am writing a simple 'contact us' email form and I am aware I should
>> protect it from code injection and malicious email hijacks. I have
>> used mysql_escape_string() to remove any newlines in the headers but
>> do I need to protect the message body too? Should I include MIME
>> content headers too? And should I be worried about HTML inclusion in
>> the body?
>
>Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string()
>for SQL and other, more pertinent, string functions for email.

Yes, I understand it is a bad habit I have developed from doing
MySQL-based sites. Can you explain in real terms why
mysql_real_escape_string() is better than mysql_escape_string()? I've
read the php.net description but would it necessarily cause problems
if the character set isn't taken into account?

>If you don't have any clue what you're doing, I strongly recommend you
>use an external library like SwiftMailer <http://swiftmailer.org/>

I think that's a bit harsh - if I didn't have "any clue what I am
doing" then I wouldn't understand that there are serious issues with
email contact forms. I have read quite a few tutorials but got a bit
confused because so many articles have slightly different slants on
the issue so I thought it best to ask some experts here.

But thanks for the Swift link - I have downloaded it and will give it
a try. :o)

Thanks again
Chris R.
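A contact form hardened along the lines the thread discusses, as an added example that is not code from either poster; the addresses, field names and helper names are assumed placeholders:

```php
<?php
// Added example (not from the thread): a PHP mail() contact form hardened
// against header injection. Header fields must never contain CR/LF; the
// body legitimately may, so the two are handled differently.

function headerField(string $value, string $name): string
{
    // A CR/LF (or NUL) in a header value lets the submitter append extra
    // headers such as Bcc:, so reject it; SQL escaping is the wrong tool.
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException("Line break in $name field");
    }
    return trim($value);
}

function sendContactMail(array $post, string $recipient): bool
{
    $senderEmail = headerField((string)($post['email'] ?? ''), 'email');
    if (filter_var($senderEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    $subject = headerField((string)($post['subject'] ?? ''), 'subject');
    // Body: newlines are harmless here because no header is built from it;
    // normalise line endings and wrap long lines for SMTP.
    $body = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));
    $body = wordwrap($body, 70, "\n");
    // Fixed headers: From is our own address, the visitor goes in Reply-To,
    // and text/plain makes any HTML in the body display as literal text.
    $headers = [
        'From: Contact Form <noreply@example.com>',
        'Reply-To: ' . $senderEmail,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return mail($recipient, $subject, $body, implode("\r\n", $headers));
}

// Constructed input: the email field smuggles a CRLF followed by a Bcc: line.
$tampered = ['email' => "alice@example.org\r\nBcc: everyone@example.net",
             'subject' => 'Hello', 'message' => "Hi\nthere"];
try {
    sendContactMail($tampered, 'us@example.com');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // rejected before mail() is ever called
}
```

Rejecting rather than stripping keeps the form from silently sending a mangled address, and the fixed Content-Type answers the HTML-in-body question: it is delivered as text, not rendered.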
