What’s a method to sanitize PHP POST data for passing to a mail function? (I prefer a method that’s not part of the mysql_function() family of functions.)
I take the data, sanitize it, print it back to the user and send it in an email to a preset address.
EDIT: I’m just sending the email to our email address so we can send out a mailing to the address in the email.
Advertisement
Answer
Since you’re printing it back to the user, you need to escape any HTML content.
strip_tags()
and
html_special_chars() are quite useful in filtering the message content, especially if you’re using html messages.
See also:
How to sanitze user input in PHP before mailing?
which mentions doing a find & replace on newlines that could allow injecting content into the mail headers.
As you’re using a pre-set mail address the risk is reduced, but the subject field is still vulnerable.