nightkarnation Posted October 25, 2010

Hey guys, here is my doubt: we all know that mysql_real_escape_string only works when the PHP file connects to a database. What if I only have a PHP file that receives variables from a form and then sends those variables to an email address?

Working example:

```php
<?php
// back up email
// Note: $action and $subject are not set anywhere in this snippet; they are
// assumed to come from the surrounding script (e.g. $_POST['action']).
if ($action == "backupEmail") {
    $email = $_POST['email'];
    $date  = date("F j, Y");

    // send email (the submitted address is used unchanged in the headers)
    if ($email == true) {
        $sender    = $email;
        $receiver  = "[email protected]";
        $client_ip = $_SERVER['REMOTE_ADDR'];

        $email_body = "Email: $sender \n\nIP: $client_ip \n\nDate: $date";

        $extra = "From: $sender\r\n"
               . "Reply-To: $sender \r\n"
               . "X-Mailer: PHP/" . phpversion();

        //echo "success=yes";
        if (mail($receiver, "New Email Subscriber - $subject", $email_body, $extra)) {
            echo "success=yes";
        } else {
            echo "success=no";
        }
    }
}
```

If I were connected to a database I would do:

```php
$email = mysql_real_escape_string($_POST['email']);
```

Any suggestions on what I could do to prevent any query attack from the email variable coming from the form? Thanks in advance! Cheers,

Link to comment: https://forums.phpfreaks.com/topic/216822-mysql_real_escape_string-substitue-when-there-is-no-db-connection/
Pikachu2000 Posted October 25, 2010

Why would you think you need to use mysql_real_escape_string() when you don't intend to use the data in a MySQL DB query? For email, you need to worry more about header injection and XSS prevention.
mentalist Posted October 25, 2010

Quoting Pikachu2000: "Why would you think you need to use mysql_real_escape_string() when you don't intend to use the data in a MySQL DB query? For email, you need to worry more about header injection and XSS prevention."

hmmm.... nc. See here... http://uk2.php.net/manual/en/security.database.sql-injection.php Basically it suggests addslashes() amongst other things...
Andy-H Posted October 25, 2010

```php
if ( filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) !== false ) {
    //email is valid
}
```

for validating email addresses. See filter_var.
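The following is an added example and not code from the original thread or any of its posters. It shows, side by side, the header-injection problem Pikachu2000 points at in the original mail() snippet and the filter_var() check from Andy-H's reply, plus output escaping for the XSS half. The sample inputs are constructed for the demo, and nothing here actually calls mail(); the builders only return the header string so the effect is visible.

```php
<?php
// Added example (not from the thread). The original script copies the
// submitted address straight into the From: and Reply-To: headers, so a
// value containing CRLF lets the sender append arbitrary headers.

// The posted code, reduced to the part that matters.
function build_headers_unsafe(string $sender): string
{
    return "From: $sender\r\n"
         . "Reply-To: $sender\r\n"
         . "X-Mailer: PHP/" . phpversion();
}

// Hardened version: validate the address with filter_var() first and refuse
// anything containing CR or LF. FILTER_VALIDATE_EMAIL already rejects those
// characters; the explicit check documents the intent in case the validator
// is later swapped for something looser. Returns null on bad input so the
// caller can skip mail() and report an error instead.
function build_headers_safe(string $sender): ?string
{
    $sender = trim($sender);
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (preg_match('/[\r\n]/', $sender)) {
        return null;
    }
    return "From: $sender\r\n"
         . "Reply-To: $sender\r\n"
         . "X-Mailer: PHP/" . phpversion();
}

// Constructed demo inputs (assumptions, not taken from the thread).
$legit = 'subscriber@example.com';
// A submitted "email" that smuggles extra headers through the CRLF terminator.
// Note it still passes the original script's `if ($email == true)` check,
// since any non-empty string compares loosely equal to true.
$hostile = "subscriber@example.com\r\nBcc: everyone@example.net\r\nSubject: spam";

echo "--- unsafe builder, hostile input ---\n";
// The Bcc: line and a second Subject: line now arrive at mail() as headers.
echo build_headers_unsafe($hostile), "\n\n";

echo "--- safe builder ---\n";
// Legitimate address: a header string is returned.
var_dump(build_headers_safe($legit));
// Hostile address: validation fails and null is returned, so mail() is never reached.
var_dump(build_headers_safe($hostile));

// When the submitted address is echoed back into an HTML page (the XSS side
// of Pikachu2000's reply), escape it at output time rather than on input.
echo htmlspecialchars($legit, ENT_QUOTES, 'UTF-8'), "\n";
```

The key design point is that validation happens against the shape the header needs (an address that filter_var() accepts and that contains no line terminators), not against SQL metacharacters; addslashes() or mysql_real_escape_string() would leave the CRLF in place and do nothing for this bug.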
This topic is now archived and is closed to further replies.