Jump to content


This topic is now archived and is closed to further replies.


Sanatizing user input for email forms

Recommended Posts

A couple websites that our group runs has some contact forms that users can fill out to request information or make contact with various agents in the group.  Where possible we force users to choose from options via radio buttons, drop down boxes, etc.  But in some instances it is a requirement that we allow user text input like setting thier name, or email address.  However in order to be RFC compliant we have to allow a large text input for email addresses.  That leads to some very unique opportunities to hack the page via some string injections.  Then when we compose the mail message on the back end things like malformed SMTP headers result and spam can be sent through the form.  We've taken some good steps to mitigate this with a two-step confirmation process before you can send email, and by using PHPMailer (http://phpmailer.sourceforge.net) on the backend.  However I am still looking for some suggestions and criticism on how I am sanitizing user input for these forms.

Currently all the forms ONLY allow the user to input thier name and email address and a body created from either a textarea or by various other inputs that get formatted on the backend into the body.  Once of the most common string injections is simply to do something like this for the email input:

"to:bob@nowhere.com\nSubject:BUYVIAGRA!..." etc.

Ok so anyways I use two functions:

    //Adds slashes and removes HTML tags from text that we accept from the end user.
    function clean_data( $str )
    $str = strip_tags( $str );
    $str = addslashes( $str );
    return str ;
    //defang_userinput stops people from doing things like injecting URL encoded line breaks
    //into a variable that normally would get set in the SMTP header.  It also removes line
    //breaks.  Line breaks should never be allowed in the SMTP header.
    function defang_userinput( $str )
        $remove = array( "\r", "\n" );
        $str = str_replace( $remove, "", urldecode( $str ) );
        //With the string URL decoded, and the new lines removed, we now hand it off to the
        //clean_data function.
        return clean_data( $str );

The only other thing that I do is I chop strings down to reasonable size.  While the RFC allows 64 characters for the local-address part of an email address and 255 characters for the domain, I don't actually allow that in the form.  The text input has a maxlength set and I double check that by chopping the input down to the same size just in case.  This seems to work ok.  Can anyone offer any additional suggestions or critisisms for how I go about sanitizing user input for these email forms?


Share this post

Link to post
Share on other sites
Instead of removing the line breaks themselves, wouldn't you want to remove everything following them as well? It seems like you've done a pretty good job. Are you using a regex to verify the e-mail? How about mysql(i)'s real_escape_string to prevent SQL injections?

Share this post

Link to post
Share on other sites


Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.