mysql_real_escape_string Substitue When There is NO DB Connection

[nightkarnation]

Hey Guys...Here is my doubt:

We all know that mysql_real_escape_string only works when the php file connects to a Database.

 

What if I only have a php file that receives variables from a form and then send those variables to an email address.

Working Example:

 

//back up email
if ($action == "backupEmail")
{
	$email=$_POST['email'];
	$date = date("F j, Y");

	//send email
	if( $email == true )
	{
		$sender = $email;
		$receiver = "[email protected];
		$client_ip = $_SERVER['REMOTE_ADDR'];
		$email_body = "Email: $sender \n\nIP: $client_ip \n\nDate: $date";		
		$extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion();

		//echo "success=yes";

		if( mail( $receiver, "New Email Subscriber - $subject", $email_body, $extra ) ) 
		{
			echo "success=yes";
		}
		else
		{
			echo "success=no";
		}
	}
}

 

 

If I were connected to a database I would:

$email=mysql_real_escape_string($_POST['email']);

 

Any suggestions on what I could do to prevent any querie attack from the email variable coming from form?

 

Thanks in advance!

Cheers,

[Pikachu2000]

Why would you think you need to use mysql_real_escape_string() when you don't intend to use the data in a mysql DB query? For email, you need to worry more about header injection and XSS prevention.

[mentalist]

Why would you think you need to use mysql_real_escape_string() when you don't intend to use the data in a mysql DB query? For email, you need to worry more about header injection and XSS prevention.

 

hmmm.... nc

 

 

See here... http://uk2.php.net/manual/en/security.database.sql-injection.php

Basically it suggests addslashes() amongst other things...

 

 

[Andy-H]

if ( filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) !== false )
{
   //email is valid
}

 

for validating email addresses.

 

filter_var