wintallo Posted January 24, 2007

I am writing a simple PHP emailer script and I was wondering if there were any security measures I should take to check the user's input for an email [b]message[/b] and [b]subject[/b]. Here's my code.

[code]
<?php
// Initialise the two status strings so the echo calls below never hit an undefined variable.
$message = '';
$end = '';

if ( isset($_POST['submit']) ) {
    // eregi() no longer exists in current PHP; preg_match() with the /i flag is the same case-insensitive check.
    $pattern = '/^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$/i';

    if ( !preg_match($pattern, $_POST['sender']) ) {
        $message = "The sender email you entered is not valid.";
    } else {
        if ( !preg_match($pattern, $_POST['recipient']) ) {
            $message = "The recipient email you entered is not valid.";
        } else {
            // check message $_POST['message'] and subject $_POST['subject'] validity
            // if okay, then send the email and set variable $end to "Your message has been sent."
        }
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Simple Emailer - By [..]</title>
<meta name="keywords" content="encrypt, cipher, hash, input, md5, sha1, php, encrypter, encryptor, encryption" />
</head>
<body>
<p style="font-size: large; font-weight: bold;">Simple Emailer - By [..]</p>
<p>
    <strong><?php echo $message; ?></strong><br />
</p>
<form name="encrypt" method="post" action="">
    <p>
        <label>Sender <input type="text" name="sender" /> </label>
    </p>
    <p>
        <label>Recipient <input type="text" name="recipient" /> </label>
    </p>
    <p>
        <label>Subject <input type="text" name="subject" /> </label>
    </p>
    <p>
        <!-- named "message" so it matches the $_POST['message'] check above -->
        <label>Message <textarea name="message" cols="30" rows="3"></textarea> </label>
    </p>
    <p>
        <input type="submit" name="submit" value="Send" />
    </p>
</form>
<br />
<?php echo $end; ?>
<p></p>
Copyright © <?php echo date('Y'); ?> [..]. All Rights Reserved.
</body>
</html>
[/code]

Also, what is the best way to clear (or make un-meaningful) an email's headers, using PHP? I want to do this so the email sent is relatively anonymous.

Link to comment https://forums.phpfreaks.com/topic/35506-security-in-email-message-and-subject-clear-emails-headers/
trq Posted January 24, 2007

[quote]I was wondering if there was any security measures I should take to check the user's input for an email message and subject.[/quote]
This would really depend on what you want the users to be able to send. Can't see how we can offer much advice here.

[quote]Also, what is the best way to clear (or make un-meaningfull) an email's headers, using PHP.[/quote]
If you start toying with the headers too much the email won't get delivered. Most mail clients will consider it spam.

Link to comment https://forums.phpfreaks.com/topic/35506-security-in-email-message-and-subject-clear-emails-headers/#findComment-168025
wintallo Posted January 24, 2007 (Author)

Thanks for the reply! I just want the user to be able to send text only. No attachments, no HTML, no pictures, etc.

Link to comment https://forums.phpfreaks.com/topic/35506-security-in-email-message-and-subject-clear-emails-headers/#findComment-168034
trq Posted January 24, 2007

By default PHP sends emails as plain text. If you want to strip out any attempt at HTML tags use [url=http://php.net/strip_tags]strip_tags[/url]().

Link to comment https://forums.phpfreaks.com/topic/35506-security-in-email-message-and-subject-clear-emails-headers/#findComment-168039
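For the "check message and subject validity" step left open in the original script, here is an added example (not code from the thread or from either poster) that does the checks a mail form needs before handing anything to mail(). The function names, limits and sample inputs are the example's own. The point it demonstrates beyond strip_tags(): the subject, the sender address and any extra headers are written directly into the message header block by mail(), so a CR or LF inside one of them terminates the header line and lets the submitter append headers of their own (extra Bcc: recipients, for instance). The header fields are therefore rejected on any line break, the addresses are validated with filter_var(), and only the body gets strip_tags().

```php
<?php
// Added example, not from the forum thread. Names, limits and inputs are assumptions.

function clean_header_value($value, $max_len = 200)
{
    // A line break or NUL in a header field is not a typo; reject rather than strip,
    // so a Subject like "Hi\r\nBcc: ..." cannot inject a second header.
    if (!is_string($value) || preg_match('/[\r\n\x00]/', $value)) {
        return false;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $max_len) {
        return false;
    }
    return $value;
}

function clean_address($value)
{
    // Run the line-break check first, then let filter_var() judge the syntax.
    $value = clean_header_value($value, 254);
    if ($value === false) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? false : $value;
}

function clean_body($value, $max_len = 5000)
{
    // The body is sent as text/plain, so tags would not render anyway, but stripping
    // them matches the "text only" requirement. Normalise line endings, drop NULs.
    if (!is_string($value)) {
        return false;
    }
    $value = str_replace("\0", '', $value);
    $value = strip_tags($value);
    $value = preg_replace("/\r\n?/", "\n", $value);
    $value = trim($value);
    return strlen($value) <= $max_len ? $value : false;
}

// Returns the arguments for mail(), or false if any field fails its check.
function build_mail($post)
{
    $sender    = clean_address(isset($post['sender']) ? $post['sender'] : '');
    $recipient = clean_address(isset($post['recipient']) ? $post['recipient'] : '');
    $subject   = clean_header_value(isset($post['subject']) ? $post['subject'] : '');
    $body      = clean_body(isset($post['message']) ? $post['message'] : '');

    if ($sender === false || $recipient === false || $subject === false || $body === false) {
        return false;
    }

    // Set only the one header the form actually needs; everything else is left to
    // the MTA so the message still looks like ordinary mail to spam filters.
    $headers = "From: $sender\r\n";
    return array('to' => $recipient, 'subject' => $subject, 'body' => $body, 'headers' => $headers);
}

// Constructed inputs: one normal submission, one carrying a header-injection attempt.
$good = array(
    'sender' => 'alice@example.com', 'recipient' => 'bob@example.org',
    'subject' => 'Hello', 'message' => "Plain <b>text</b> only",
);
$bad = array(
    'sender' => 'alice@example.com', 'recipient' => 'bob@example.org',
    'subject' => "Hello\r\nBcc: victim1@example.net, victim2@example.net",
    'message' => 'spam',
);

var_dump(build_mail($good));
var_dump(build_mail($bad));

// In the form handler from the first post this would replace the "check validity" comment:
// $m = build_mail($_POST);
// if ($m !== false && mail($m['to'], $m['subject'], $m['body'], $m['headers'])) {
//     $end = "Your message has been sent.";
// } else {
//     $message = "The message could not be sent.";
// }
```

The second input is rejected because of the CRLF in the subject, before anything reaches mail(). Two design notes: with both sender and recipient taken from the form, the script is a relay that anyone can point at any address, so a deployed version would normally hard-code the recipient and treat only the sender as user input. And on the anonymity question, the Received: lines that identify the sending server are added by each mail server the message passes through, not by PHP, so a script cannot remove them; as trq says, stripping or faking the headers you do control mostly just gets the message filtered.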
Archived
This topic is now archived and is closed to further replies.