daydreamer Posted October 15, 2008
I have a contact form, which asks for name, email and a message, then emails the message to me. Is there any function I should be using to escape characters to prevent people running code in my PHP? e.g. if they submit ".exit;." as the message it might run? Thanks.

Masna Posted October 15, 2008
Running PHP code from a form = not possible. However, you might want to escape using htmlspecialchars() to prevent JavaScript hacking.

Andy17 Posted October 15, 2008
Unless you're echoing the form value, you shouldn't worry about people running PHP code. If you for some reason plan on echoing one of the form values, you could try something like this:

<?php
// Raw value submitted by the form
$message = $_POST['your_form_field'];
// Encode HTML special characters (including both quote types), then strip any tags
$message = strip_tags(htmlspecialchars($message, ENT_QUOTES));
?>

This also protects you from JavaScript hacking like Masna wrote.

daydreamer Posted October 15, 2008
I don't plan on echoing the form values, just emailing them to me. Will I still need to use the above code to prevent code injection? Thanks.

Shaun Posted October 15, 2008
If you're not using any SQL, you don't have to worry about injection?

daydreamer Posted October 15, 2008
OK, cool. It's just I'm sure I read somewhere that it was possible for hackers to inject code into PHP.

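The following PHP is an added example, not code from any poster in this thread. It handles the name/email/message form from the first post as plain data: the submitted text goes only into the plain-text mail body, and htmlspecialchars() is applied only where a value is written into HTML. The field names, addresses and function names are assumptions.

```php
<?php
// Added example; field names, addresses and function names are assumptions.
// Form input is only ever a string: PHP does not execute it unless the
// script itself hands it to eval(), include or a shell function.
function build_contact_mail(array $post): ?array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // Refuse empty fields and syntactically invalid addresses.
    if ($name === '' || $message === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Submitted text goes into the plain-text body only. The headers are
    // fixed strings, so nothing the visitor types becomes a header line.
    return [
        'to'      => 'owner@example.com',
        'subject' => 'Contact form message',
        'body'    => "Name: $name\nEmail: $email\n\n$message",
        'headers' => "From: webform@example.com\r\n"
                   . "Content-Type: text/plain; charset=UTF-8",
    ];
}

// Output encoding, needed only when a value is written into an HTML page.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission.
$sample = [
    'name'    => 'Test User',
    'email'   => 'test@example.com',
    'message' => '.exit;. <script>alert(1)</script>',
];

$mail = build_contact_mail($sample);
// In the real handler: mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
echo $mail['body'], "\n\n";                 // emailed as typed, never executed
echo html_escape($sample['message']), "\n"; // encoded form for use inside HTML
```
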
Archived
This topic is now archived and is closed to further replies.