Jump to content

Sanatizing user input for email forms

Gorf

By Gorf
in PHP Coding Help

 Share

Recommended Posts

Gorf Newbie

Gorf

Posted
Posted
A couple websites that our group runs has some contact forms that users can fill out to request information or make contact with various agents in the group.  Where possible we force users to choose from options via radio buttons, drop down boxes, etc.  But in some instances it is a requirement that we allow user text input like setting thier name, or email address.  However in order to be RFC compliant we have to allow a large text input for email addresses.  That leads to some very unique opportunities to hack the page via some string injections.  Then when we compose the mail message on the back end things like malformed SMTP headers result and spam can be sent through the form.  We've taken some good steps to mitigate this with a two-step confirmation process before you can send email, and by using PHPMailer (http://phpmailer.sourceforge.net) on the backend.  However I am still looking for some suggestions and criticism on how I am sanitizing user input for these forms.

Currently all the forms ONLY allow the user to input thier name and email address and a body created from either a textarea or by various other inputs that get formatted on the backend into the body.  Once of the most common string injections is simply to do something like this for the email input:

"to:bob@nowhere.com\nSubject:BUYVIAGRA!..." etc.

Ok so anyways I use two functions:

[code]
    //Adds slashes and removes HTML tags from text that we accept from the end user.
    function clean_data( $str )
    {
    $str = strip_tags( $str );
    $str = addslashes( $str );
    return str ;
    }
   
    //defang_userinput stops people from doing things like injecting URL encoded line breaks
    //into a variable that normally would get set in the SMTP header.  It also removes line
    //breaks.  Line breaks should never be allowed in the SMTP header.
    function defang_userinput( $str )
    {
        $remove = array( "\r", "\n" );
        $str = str_replace( $remove, "", urldecode( $str ) );
       
        //With the string URL decoded, and the new lines removed, we now hand it off to the
        //clean_data function.
        return clean_data( $str );
    }
[/code]

The only other thing that I do is I chop strings down to reasonable size.  While the RFC allows 64 characters for the local-address part of an email address and 255 characters for the domain, I don't actually allow that in the form.  The text input has a maxlength set and I double check that by chopping the input down to the same size just in case.  This seems to work ok.  Can anyone offer any additional suggestions or critisisms for how I go about sanitizing user input for these email forms?

Thanks
Link to comment
Share on other sites
  • 2 weeks later...
effigy Member

effigy

Posted
Posted
Instead of removing the line breaks themselves, wouldn't you want to remove everything following them as well? It seems like you've done a pretty good job. Are you using a regex to verify the e-mail? How about mysql(i)'s real_escape_string to prevent SQL injections?
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.