[Q] mail() & security

One of the first rules of doing web development is to never trust user
input.

So, my question is how this may affect the usage of the mail() function
within PHP.

Obviously, one can (fairly easily) verify that what one is passing in
the TO parameter is a valid e-mail address.

What is recommended with respect to the subject & message parameters?

One potentially good function to run them through is strip_tags.
Jul 17 '05 #1
5 Replies


Eric <eg******@verizon.net> wrote:
> Obviously, one can (fairly easily) verify that what one is passing in
> the TO parameter is a valid e-mail address.

_A_ valid email address, but is it _the_ correct address?

> What is recommended with respect to the subject & message parameters?

So you let a mail script accept the to, subject and message body? You
just described a spam relay.

If you are using this for a feedback form this is not the way to go; to
and subject should be fixed. The body shouldn't be sent to the user
entering the data; you send a plain confirmation that the message was
received.

> One potentially good function to run them through is strip_tags.

What would that accomplish? A good MUA shouldn't trust the content of any
mail (unless the user tells it to, of course).

Jul 17 '05 #2
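The following is an added example, not code posted by either participant, showing a feedback-form handler built the way this reply recommends: the recipient and the subject are fixed in the script, the visitor supplies only a reply address and a body, and the visitor gets a plain confirmation rather than a copy of the text. Two things in it go beyond the reply and are my additions: the reply address is refused if it contains CR or LF, because a newline inside any header value is how extra headers such as Bcc: get appended and a form turns into a relay, and the message is declared text/plain so any markup in the body is never rendered. It assumes PHP 7.2 or later (mail() accepting an associative array of headers); the addresses, subject, size limit and $_POST field names are placeholders.

```php
<?php
// Added example (not from the thread): a feedback handler where To and
// Subject are fixed, so the script cannot be steered to arbitrary recipients.
// The constant values, sender address and $_POST field names are assumptions.

const FEEDBACK_TO      = 'feedback@example.com';        // assumed; never from the form
const FEEDBACK_SUBJECT = '[Feedback form] New message';  // assumed; never from the form
const MAX_BODY_BYTES   = 10000;                           // assumed limit

/**
 * Validate the visitor's reply address. Besides checking that it is *a* valid
 * address, refuse anything containing CR or LF: a newline inside a header
 * value would let the sender append further headers (Bcc:, extra To:), which
 * is the classic way a mail() form becomes a spam relay.
 */
function clean_reply_to(string $addr): ?string
{
    $addr = trim($addr);
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    $valid = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * The body never goes into a header, so newlines are fine there. Normalise
 * line endings, require valid UTF-8 (the '//u' pattern fails on bad UTF-8)
 * and cap the size so the form cannot be used to push megabytes through.
 */
function clean_body(string $body): ?string
{
    if (!preg_match('//u', $body)) {
        return null;
    }
    $body = trim(str_replace(["\r\n", "\r"], "\n", $body));
    if ($body === '' || strlen($body) > MAX_BODY_BYTES) {
        return null;
    }
    return $body;
}

/**
 * Assemble the mail() arguments, or return null if the input is rejected.
 * Content-Type is text/plain, so any HTML the visitor typed is shown by the
 * recipient's client as literal text and is never interpreted.
 */
function build_feedback_mail(string $replyTo, string $body): ?array
{
    $replyTo = clean_reply_to($replyTo);
    $body    = clean_body($body);
    if ($replyTo === null || $body === null) {
        return null;
    }
    $headers = [
        'From'                      => 'noreply@example.com',   // assumed sender
        'Reply-To'                  => $replyTo,
        'MIME-Version'              => '1.0',
        'Content-Type'              => 'text/plain; charset=UTF-8',
        'Content-Transfer-Encoding' => '8bit',
    ];
    return [FEEDBACK_TO, FEEDBACK_SUBJECT, $body, $headers];
}

// Usage from the POST handler of the form.
$result = build_feedback_mail($_POST['email'] ?? '', $_POST['message'] ?? '');
if ($result === null) {
    http_response_code(400);
    echo 'Please supply a valid e-mail address and a message.';
    exit;
}
[$to, $subject, $body, $headers] = $result;
if (mail($to, $subject, $body, $headers)) {
    // Plain confirmation only; the submitted text is not echoed back.
    echo 'Thanks, your message was received.';
} else {
    http_response_code(500);
    echo 'Sorry, the message could not be sent.';
}
```

The only visitor-controlled value that ends up in a header is Reply-To, and it passes both the newline check and FILTER_VALIDATE_EMAIL before it gets there; everything else in the header block is a literal. If a later requirement makes the subject user-selectable, keep it to a fixed menu of values looked up server-side rather than passing the submitted string to mail().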

Daniel Tryba <pa**********@invalid.tryba.nl> wrote:
> > One potentially good function to run them through is strip_tags.
>
> What would that accomplish?

The removal of various destructive things which one could bury in a tag
which would then be interpreted by an e-mail application capable of
rendering HTML. For example, an img tag which could result in the
downloading of unwanted images.

Seems like a good idea, but you seem to feel it would be pointless? Why?

> A good MUA shouldn't trust the content of any
> mail (unless the user tells it to, of course).

So, then, if you wanted to allow a user to enter some text into the body
of a message, what would you do to protect the recipient of that
message?
Jul 17 '05 #3

Eric <eg******@verizon.net> wrote:
> > > One potentially good function to run them through is strip_tags.
> >
> > What would that accomplish?
>
> The removal of various destructive things which one could bury in a tag
> which would then be interpreted by an e-mail application capable of
> rendering HTML. For example, an img tag which could result in the
> downloading of unwanted images.
>
> Seems like a good idea, but you seem to feel it would be pointless? Why?

My MUA already provides this protection and AFAIK any decent MUA does
that. Added bonus is that I can still tell it not to "protect me", and
thus show the images when I want it to.

> > A good MUA shouldn't trust the content of any
> > mail (unless the user tells it to, of course).
>
> So, then, if you wanted to allow a user to enter some text into the body
> of a message, what would you do to protect the recipient of that
> message?

Advise them to use a decent MUA, and filter out HTML messages. My spam
filter is trained to tag HTML-only mail as spam (except when explicitly
whitelisted), shows text/plain by default and
will not fetch external links by default.

Jul 17 '05 #4

Daniel Tryba <pa**********@invalid.tryba.nl> wrote:
> Eric <eg******@verizon.net> wrote:
> > > > One potentially good function to run them through is strip_tags.
> > >
> > > What would that accomplish?
> >
> > The removal of various destructive things which one could bury in a tag
> > which would then be interpreted by an e-mail application capable of
> > rendering HTML. For example, an img tag which could result in the
> > downloading of unwanted images.
> >
> > Seems like a good idea, but you seem to feel it would be pointless? Why?
>
> My MUA already provides this protection and AFAIK any decent MUA does
> that. Added bonus is that I can still tell it not to "protect me", and
> thus show the images when I want it to.
>
> > > A good MUA shouldn't trust the content of any
> > > mail (unless the user tells it to, of course).
> >
> > So, then, if you wanted to allow a user to enter some text into the body
> > of a message, what would you do to protect the recipient of that
> > message?
>
> Advise them to use a decent MUA, and filter out HTML messages. My spam
> filter is trained to tag HTML-only mail as spam (except when explicitly
> whitelisted), shows text/plain by default and
> will not fetch external links by default.

Unfortunately, your latest comments are clearly entirely irrelevant to
the discussion, which is what useful things can be done to process text
sent to the body and subject parameters of the mail() function to
prevent anything annoying/destructive from being sent to the recipient.

If you have any comments related to the topic of this thread, please let
me know.

For those who may be interested, in a simultaneous discussion which took
place elsewhere, one other option was presented, which would be to run the
text through the htmlentities function.

Like strip_tags, this would prevent any annoying/destructive HTML from
being rendered and have the additional benefit of knowing whether or not
someone attempted to send something that was annoying/destructive.

However, I, personally, will likely stick with strip_tags. Although
this function could remove useful text, it would also not force the
recipient to try to parse something not particularly human readable.

It would seem the sending of things that strip_tags or htmlentities
would stop is the only thing that one would need to be concerned with.
Jul 17 '05 #5

Eric <eg******@verizon.net> wrote:
> If you have any comments related to the topic of this thread, please let
> me know.

My comments should be read as: don't send text/html.

All below is unnecessary when the "html" is sent as text/plain.

> For those who may be interested, in a simultaneous discussion which took
> place elsewhere, one other option was presented, which would be to run the
> text through the htmlentities function.

[snip]

BTW sending html in text/plain scores extra points in spam filters.

Jul 17 '05 #6
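To make the difference between the two positions concrete, here is an added example (mine, not code from either poster) that runs a body containing the img tag from post #3 through strip_tags(), through htmlentities(), and leaves it untouched as it would be sent in a text/plain message. It also shows the one thing post #5 wanted from htmlentities, knowing whether markup was attempted, obtained without altering what the recipient reads. The sample body is constructed for the demo.

```php
<?php
// Added example (not from the thread): compare the three treatments of a
// user-supplied body discussed in posts #5 and #6. Sample body is constructed.

// Did the visitor try to send markup at all? If strip_tags() changes the
// text, there was something tag-shaped in it. This gives the "know whether
// someone attempted it" signal without changing what gets mailed.
function contains_markup(string $text): bool
{
    return strip_tags($text) !== $text;
}

// The three treatments side by side.
function body_variants(string $body): array
{
    return [
        // Tags removed. The recipient cannot tell an image tag was there,
        // and legitimate text that merely looks like a tag (e.g. "<3") can
        // be lost too.
        'strip_tags'   => strip_tags($body),
        // Tags escaped. Safe if the mail were rendered as HTML, but in a
        // text/plain message the recipient reads "&lt;img ...&gt;" and
        // "&amp;" literally, which is what post #5 calls not human readable.
        'htmlentities' => htmlentities($body, ENT_QUOTES, 'UTF-8'),
        // Untouched. With Content-Type: text/plain the client displays the
        // tag as text and never fetches the image, so no transformation is
        // needed, which is the point of post #6.
        'text_plain'   => $body,
    ];
}

// Constructed sample: a message that smuggles in a tracking image.
$body = "Hi,\n\nplease look at this: <img src=\"http://example.com/track.gif\">\n\n"
      . "Thanks & bye";

echo 'markup attempted: ', contains_markup($body) ? 'yes' : 'no', "\n";
foreach (body_variants($body) as $name => $text) {
    echo "--- $name ---\n$text\n\n";
}
```

Pairing contains_markup() with the text/plain send from the earlier example gives both halves of what the thread argues about: the body reaches the recipient as readable text that no client will render, and the script can still log or flag submissions that tried to include markup.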
