Filtering of user input before sending per email
Question
I'm creating a simple feedback form in PHP: The user can just enter some comments/suggestions etc. about my site and click "Send feedback". Then the text he entered is send as the body of an email directly to me (ie I set the recipient address by myself, user's input is only used within the body of th mail).
Now I'm not sure, what sort of attacks would be possible if I simply take the unfiltered text and insert it into the email body.
I'm currently working with the Joomla platform (ie I'm using Joomla's JMail functionality), but I think the question is more general: There's a lot of information about SQL injection and Cross-Site-Scripting (which are equivalent attack vectors), but I didn't find much about emails.
Note that in my case, the text is only sent per email, so I do not care about SQL-Injection or Cross-Site-Scripting (the email is sent as plain text). So what kind of filtering should I apply?
Thanks Martin
2 answers
solution1
0 2012-02-10 11:07:44
Since you are expecting only comments and suggestions, you can simply remove any characters other thant alphabets, numbers, and ".", ",". Even if it removes other characters it wouldn't matter to you, you would get to know what they mean. The "=" is the biggest enemy. But the set I described should keep you safe.
solution2
0 2012-02-10 11:14:11
Most important will be SPAM protection.
If you send email in HTML you should filter tags (strip_tags or htmlspecialchars) or validate user's HTML (HTMLPurifier http://htmlpurifier.org/ )
Limiting the length of the message also can be useful.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.