
Best way to check user input for a mail form

thirtythree

Diamond Member
I know putting user input into a database is a big deal as far as security goes, but I was wondering what if anything needs to be checked when putting user input into an e-mail message, and what the best way to do that is. User input will only go into the body of the message, not the header. Most of the fields will be 50 characters or less, but one needs to be fairly large.
 
You can either require "good" content or reject "bad" content.

On one form we reject it if a class size field does not contain a valid number.

On another form we reject it if a textarea includes "http" in the content.

Also, don't trust that any hidden variables will be valid, since a bot isn't really using the HTML page; it's generating and sending the form values for all fields on its own.
 
Originally posted by: DaveSimmons
You can either require "good" content or reject "bad" content.

On one form we reject it if a class size field does not contain a valid number.

On another form we reject it if a textarea includes "http" in the content.

Also, don't trust that any hidden variables will be valid, since a bot isn't really using the HTML page; it's generating and sending the form values for all fields on its own.

There are a couple of fields that need something specific entered in (e.g., e-mail address), and there are checks for them, but I'm wondering if there's anything that needs to be checked for in an open-ended field that can contain a variety of characters. Are there any characters that could be entered in that would mess up the script? Basically the path of a variable is...

$var1 = $_POST['var1'];                          // raw user input from the form
$email_body = "..." . $var1 . "...";             // concatenated into the body only
mail($email_to, $email_subject, $email_body);    // recipient and subject are fixed values

Nothing too complicated. I'm not too concerned about bots at this point, as we've never had issues before and this form will be up for a total of 2 weeks.
 
Originally posted by: thirtythree
I'm not too concerned about bots at this point

That's the most common problem - someone using your system to send spam. If you're just trying to prevent your site being compromised, as it might be if the data was going into a database, then you should be OK.

I suppose malformed variables could be used to exploit the php mail() function or your sendmail server, but I think this is quite unlikely.

BTW shouldn't this be in security? It doesn't get much traffic though, unfortunately.
 
Originally posted by: Atheus
Originally posted by: thirtythree
I'm not too concerned about bots at this point

That's the most common problem - someone using your system to send spam. If you're just trying to prevent your site being compromised, as it might be if the data was going into a database, then you should be OK.

I suppose malformed variables could be used to exploit the php mail() function or your sendmail server, but I think this is quite unlikely.

BTW shouldn't this be in security? It doesn't get much traffic though, unfortunately.

Maybe so. I meant to put it in Programming. Is there a way to exploit the mail() function to send spam since none of the user input is even going into the header? The to and from addresses are static addresses.
 
escape it
strip it
check length
cast it as the type you need
htmlspecialchars
check for line returns/new lines
put a session timer so they can't flood
 
When you guys say to escape the input, do you mean like this?

if (get_magic_quotes_gpc()) {       // PHP already added slashes to $_POST (magic quotes; removed in PHP 8)
    $var1=$_POST['var1'];
    $var2=$_POST['var2'];
    $var3=$_POST['var3'];
} else {                            // otherwise add them ourselves
    $var1=addslashes($_POST['var1']);
    $var2=addslashes($_POST['var2']);
    $var3=addslashes($_POST['var3']);
}

I'll at least check the lengths of the data as well.

EDIT: Okay, one little problem. When I do this, it adds slashes to the e-mail it sends. If I strip slashes right before the end, will this negate the value of adding them in the first place?
 
I thought addslashes() was for adding/retrieving from a DB and displaying on a page, but I'm not positive.
 
Originally posted by: clamum
I thought addslashes() was for adding/retrieving from a DB and displaying on a page, but I'm not positive.

It's certainly possible... the function parameter is str, "the string to be escaped," so it sounded right. Is there another way to escape input?
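An added example, not code from anyone in this thread, showing the checklist posted earlier (length, line returns, cast to the type you need) applied to a form whose input goes only into the mail body, and why addslashes() is the wrong tool for that. The field names, the recipient address and the size cap for the large field are assumptions.

```php
<?php
// Added example, not code from any poster in this thread. Assumes fields
// 'name', 'email' and 'message' (assumed names) and a fixed recipient;
// user input reaches only the body of the message, as in the thread.
const MAX_SHORT   = 50;    // the "50 characters or less" fields
const MAX_MESSAGE = 4000;  // cap for the one "fairly large" field (assumed value)

function validate_mail_form(array $post): array
{
    $errors = [];
    $clean  = [];
    // Single-line field: cast to string, trim, enforce length, and refuse CR, LF
    // and other control characters. Line breaks only matter if the value ever
    // reaches a header, but rejecting them here keeps a later refactor safe.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || strlen($name) > MAX_SHORT) {
        $errors['name'] = 'required, at most ' . MAX_SHORT . ' characters';
    } elseif (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['name'] = 'line breaks and control characters are not allowed';
    } else {
        $clean['name'] = $name;
    }
    // E-mail address: validate the format instead of escaping it.
    $email = trim((string) ($post['email'] ?? ''));
    if (strlen($email) > MAX_SHORT || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    } else {
        $clean['email'] = $email;
    }
    // Free-text field: normalise line endings, keep newlines, drop every other
    // control character, cap the length. No addslashes(): that is SQL-style
    // quoting and would only put backslashes into the mail body.
    $msg = str_replace(["\r\n", "\r"], "\n", (string) ($post['message'] ?? ''));
    $msg = preg_replace('/[\x00-\x09\x0B-\x1F\x7F]/', '', $msg);
    if ($msg === '' || strlen($msg) > MAX_MESSAGE) {
        $errors['message'] = 'required, at most ' . MAX_MESSAGE . ' characters';
    } else {
        $clean['message'] = $msg;
    }
    return ['errors' => $errors, 'clean' => $clean];
}

$result = validate_mail_form($_POST);
if ($result['errors'] === []) {
    $c = $result['clean'];
    // Recipient and subject stay fixed; only the body carries user data.
    $email_body = "From: {$c['name']} <{$c['email']}>\n\n{$c['message']}";
    mail('you@example.com', 'Contact form submission', $email_body);
}
```

When validation fails, re-display the form with the entries of $result['errors'] rather than sending anything.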
 