mmmuppet, posted November 9, 2008 (https://forums.phpfreaks.com/topic/132043-dangerous-email-characterspatterns/):
Hi there, I tried searching the forums but the search page is asking me to read a verification code that isn't there. So here goes... I've created a few contact forms recently but I haven't been filtering the input. Now that I've found time to revisit them I'm not sure what I should be filtering for! Is it just the newline character that needs to be taken out from each user-submitted variable? Or should I check for other things? Thanks, James
genericnumber1, posted November 9, 2008:
Err, what's the input being used for? I see the title says email, but for what? Subject? Sender? Receiver? Email body? It really depends on the use of the input what you should filter it for.
mmmuppet (author), posted November 9, 2008:
Sorry, it's just a simple contact form - it simply takes a name and message and mails using mail(). So it all goes in the message body.
Mchl, posted November 9, 2008:
I'd guess at least for body and sender, also maybe subject... For body I'd strip some dangerous HTML tags like <script> or <iframe>.
genericnumber1, posted November 9, 2008:
I would use htmlentities() on the input then to keep them from using any HTML tags. Without HTML, I don't think there is anything dangerous they could put in the body of an email.
mmmuppet (author), posted November 9, 2008:
I thought there were ways to force certain headers... maybe I misunderstood...
genericnumber1, posted November 10, 2008:
If you're setting the From: header, yes, you could do something like inject extra headers, but since it's the body, nothing that I know of can do that.
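The distinction the last two replies draw (header fields vs. the message body) is the whole question, so here is an added example of a contact-form mailer written to that rule. It is not code from the thread or from any poster; the function name send_contact, the fixed site address contact-form@example.com and the recipient parameter are assumptions made for the example. The only characters that let a value break out of its header line are CR, LF and NUL, so the name and sender address are rejected if they contain one; everything else, HTML tags included, is plain text in a text/plain body.

```php
<?php
// Added example, not code from the forum thread. Names and addresses
// (send_contact, contact-form@example.com, $recipient) are assumptions.

declare(strict_types=1);

/**
 * True if $value could terminate a mail header line.
 * CR, LF and NUL are what allow an attacker to append further header
 * lines (extra recipients, a second Subject:) to a From:/Reply-To: line.
 */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate the fields that reach headers, then send a plain-text mail.
 * Returns ['ok' => bool, 'error' => string|null]; invalid input is
 * refused rather than silently "cleaned", so the user sees what happened.
 */
function send_contact(string $name, string $fromEmail, string $message, string $recipient): array
{
    // Anything that ends up on a header line must be a single line.
    foreach (['name' => $name, 'email' => $fromEmail] as $field => $value) {
        if (has_header_break($value)) {
            return ['ok' => false, 'error' => "$field contains a line break"];
        }
    }
    // A syntactically valid address cannot carry a newline either.
    if (filter_var($fromEmail, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid email address'];
    }
    if (strlen($name) === 0 || strlen($name) > 100) {
        return ['ok' => false, 'error' => 'name missing or too long'];
    }

    // Keep user data out of From:. A fixed site address satisfies the
    // receiving server's sender checks; Reply-To carries the validated address.
    $headers = [
        'From: contact-form@example.com',          // assumed site address
        'Reply-To: ' . $fromEmail,                 // validated above
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // A fixed subject means one fewer header line built from user input.
    $subject = 'Contact form message';

    // The body starts after the blank line that ends the headers, so line
    // breaks here cannot create headers. Normalising line endings and
    // dropping NUL just keeps the message tidy; tags like <script> stay as
    // literal text because the Content-Type is text/plain.
    $body = "Name: $name\nEmail: $fromEmail\n\n"
          . str_replace(["\r\n", "\r", "\0"], ["\n", "\n", ''], $message);

    $sent = mail($recipient, $subject, $body, implode("\r\n", $headers));
    return ['ok' => $sent, 'error' => $sent ? null : 'mail() failed'];
}

// Usage (the $_POST keys are assumed form field names):
// $result = send_contact($_POST['name'] ?? '', $_POST['email'] ?? '',
//                        $_POST['message'] ?? '', 'owner@example.com');
```

Two design notes. Rejecting rather than stripping CR/LF makes an injection attempt visible in the form's error log instead of quietly turning it into a normal message, which is the signal a defender wants. And htmlentities() is only needed if the submitted text will later be rendered as HTML (a web-based inbox or an HTML-formatted notification); in a text/plain email it changes nothing about what the mail server does, so apply it at the point of display, not at the point of sending.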
This topic is now archived and is closed to further replies.