Jump to content


Sanatizing user input for email forms

  • Please log in to reply
2 replies to this topic

#1 Gorf

  • Members
  • PipPip
  • Member
  • 15 posts

Posted 06 July 2006 - 05:17 PM

A couple websites that our group runs has some contact forms that users can fill out to request information or make contact with various agents in the group.  Where possible we force users to choose from options via radio buttons, drop down boxes, etc.  But in some instances it is a requirement that we allow user text input like setting thier name, or email address.  However in order to be RFC compliant we have to allow a large text input for email addresses.  That leads to some very unique opportunities to hack the page via some string injections.  Then when we compose the mail message on the back end things like malformed SMTP headers result and spam can be sent through the form.  We've taken some good steps to mitigate this with a two-step confirmation process before you can send email, and by using PHPMailer (http://phpmailer.sourceforge.net) on the backend.  However I am still looking for some suggestions and criticism on how I am sanitizing user input for these forms.

Currently all the forms ONLY allow the user to input thier name and email address and a body created from either a textarea or by various other inputs that get formatted on the backend into the body.  Once of the most common string injections is simply to do something like this for the email input:

"to:bob@nowhere.com\nSubject:BUYVIAGRA!..." etc.

Ok so anyways I use two functions:

    //Adds slashes and removes HTML tags from text that we accept from the end user.
    function clean_data( $str ) 
    	$str = strip_tags( $str );
    	$str = addslashes( $str );
    	return str ;
    //defang_userinput stops people from doing things like injecting URL encoded line breaks
    //into a variable that normally would get set in the SMTP header.  It also removes line 
    //breaks.  Line breaks should never be allowed in the SMTP header.
    function defang_userinput( $str )
        $remove = array( "\r", "\n" );
        $str = str_replace( $remove, "", urldecode( $str ) );
        //With the string URL decoded, and the new lines removed, we now hand it off to the 
        //clean_data function.
        return clean_data( $str );

The only other thing that I do is I chop strings down to reasonable size.  While the RFC allows 64 characters for the local-address part of an email address and 255 characters for the domain, I don't actually allow that in the form.  The text input has a maxlength set and I double check that by chopping the input down to the same size just in case.  This seems to work ok.  Can anyone offer any additional suggestions or critisisms for how I go about sanitizing user input for these email forms?


#2 Gorf

  • Members
  • PipPip
  • Member
  • 15 posts

Posted 18 July 2006 - 08:04 AM


#3 effigy

  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • LocationIL

Posted 18 July 2006 - 02:06 PM

Instead of removing the line breaks themselves, wouldn't you want to remove everything following them as well? It seems like you've done a pretty good job. Are you using a regex to verify the e-mail? How about mysql(i)'s real_escape_string to prevent SQL injections?
Regexp | Unicode Article | Letter Database

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users