John, et al --

[Been a while!  How ya been?]

...and then John Holmes said...
% 
% David T-G wrote:
% 
% >I'd like some sanity checks on safely using input for sending mail.  I'm
...
% >At the moment, I am running escapeshellcmd() on the From:, To:, Subject:,
...
% >his own bandwidth limits).  Unfortunately, escapeshellcmd() also escapes
% >the ? and &s in the URL and breaks it; I think it will have to go away.
% >I'm also ready to believe that I've overlooked half a dozen other things.
% >
% >How would you guys tackle this?
% 
% This isn't what escapeshellcmd() is for; not sure why you chose that one.

Noobness, I suppose :-)  I wanted to avoid having problematic commands
fed in to break my script; perhaps that's only a DB-type exploit (though
an answer that simple doesn't seem likely).


% 
% Are you sending this as an HTML or Text email? Either way, you control 
% the body of the email (the page that's being sent), so you don't really 
% have to worry about that.

Just text.


% 
% If you're sending an HTML mail, then use htmlentities() on the text 
% before putting it in the email. If you're sending a text email, then you 
% can strip_tags() from it.

Ah; OK.


% 
% The biggest thing to look out for is mail header injection. If you're 

Indeed.  I figured as much, but escapeshellcmd() is as far as I got.


% taking any user input and putting it into the headers (from, to, 
% subject, etc), then newlines need to be stripped. You're allowing the 

Ahhhhhh...  That makes sense.  Thanks.


% user to set the To: address, I assume (the recipients). If you're 
% sticking that $to variable from the user directly into mail(), you could 
% be vulnerable (same if you create a From: header or use user input in 
% the subject).

Yep.


% 
% For example, say you're collecting my email address for the From: header.
% 
% $headers .= "From: {$_POST['email']}\r\n";
...
% So strip newlines from user input or reject input if it contains newlines.
% 
% str_replace(array("\r","\n",'',$text)

For the archives, you need ^^^^ here a closing ) on your array :-)


% 
% Is one way to do it.
% 
% If I left anything out, I'm sure Chris will jump on it. :)

Good; thanks to all in advance!


HAND

:-D
-- 
David T-G
[EMAIL PROTECTED]
http://justpickone.org/davidtg/      Shpx gur Pbzzhavpngvbaf Qrprapl Npg!

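As an added example, not code from the thread: a PHP check that rejects any user-supplied header field containing CR, LF or NUL before the value is placed into the extra-headers string handed to mail(). The function names and the sample inputs are my own.

```php
<?php
// Added example (not from the original thread). Rejecting the input is
// stricter than the str_replace() stripping discussed above: a value that
// carries a line break is refused outright instead of being silently
// rewritten into something the user never typed.

// A header value is unsafe if it contains CR, LF or NUL; a line break is
// what lets a single "From:" field turn into additional header lines.
function is_safe_header_value(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// An address must also pass PHP's e-mail syntax filter.
function is_safe_email(string $value): bool
{
    return is_safe_header_value($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the extra headers for mail(), or return null if any field is unsafe.
function build_headers(string $from, string $replyTo = ''): ?string
{
    if (!is_safe_email($from)) {
        return null;
    }
    $headers = "From: $from\r\n";
    if ($replyTo !== '') {
        if (!is_safe_email($replyTo)) {
            return null;
        }
        $headers .= "Reply-To: $replyTo\r\n";
    }
    return $headers;
}

// Constructed sample inputs: one clean address, one carrying a line break
// followed by a second (harmless) header line.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nX-Injected: yes",
];

foreach ($samples as $input) {
    $h = build_headers($input);
    echo $h === null
        ? "rejected: " . addcslashes($input, "\r\n") . "\n"
        : "accepted: " . addcslashes($h, "\r\n") . "\n";
}
```

The same is_safe_header_value() check applies to the subject and to each recipient before they are passed as separate arguments to mail().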