Protecting 'contact us' emailing forms

On 23.05.2007 15:58 Cheb wrote:

I am writing a simple 'contact us' email form and I am aware I should
protect it from code injection and malicious email hijacks.

google for "email injection", there are tons of infos.

Basically, don't use user input in email headers, or if you must, strip
all \r's and \n's.

I have
used mysql_escape_string() to remove any newlines in the headers but

mysql_escape_string has nothing to do with emails. Use string functions:
str_replace, preg_replace or similar.

Should I include MIME
content headers too? And should I be worried about HTML inclusion in
the body?

No, unless you're sending real multipart (e.g. text + html) mails.
If this is the case I'd suggest a professional mime package like
phpmailer, swift etc.

--
gosha bine

extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cheb wrote:

I am writing a simple 'contact us' email form and I am aware I should
protect it from code injection and malicious email hijacks. I have
used mysql_escape_string() to remove any newlines in the headers but
do I need to protect the message body too? Should I include MIME
content headers too? And should I be worried about HTML inclusion in
the body?

Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string()
for SQL and other, more pertinent, string functions for email.

If you don't have any clue what you're doing, I strongly recommend you
use an external library like SwiftMailer <http://swiftmailer.org/>

- --
Edward Z. Yang GnuPG: 0x869C48DA
HTML Purifier <htmlpurifier.org Anti-XSS HTML Filter
[[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGVLsIqTO+fYacSNoRAk0bAJ9Sioaq3vQvH38Q+pZN8D VCLvK2PQCggaeQ
gwSH6WYTRAZNzmfrXjXLNSM=
=jcLp
-----END PGP SIGNATURE-----

On Wed, 23 May 2007 17:11:16 +0200, gosha bine <st********@gmail.com>
wrote:

>On 23.05.2007 15:58 Cheb wrote:

>I am writing a simple 'contact us' email form and I am aware I should
protect it from code injection and malicious email hijacks.

google for "email injection", there are tons of infos.

Basically, don't use user input in email headers, or if you must, strip
all \r's and \n's.

I have
used mysql_escape_string() to remove any newlines in the headers but

mysql_escape_string has nothing to do with emails. Use string functions:
str_replace, preg_replace or similar.

>Should I include MIME
content headers too? And should I be worried about HTML inclusion in
the body?

No, unless you're sending real multipart (e.g. text + html) mails.
If this is the case I'd suggest a professional mime package like
phpmailer, swift etc.

Thanks for the suggestions - much appreciated.

I have developed a few database-oriented PHP sites (hence the bad
habit of using mysql_escape_string() to render user input from forms
'safe'), but I am self taught so I know I have plenty to learn. I
think for now I will go with yours and Edward's suggestion of Swift
and read-up on the techniques/pitfalls later when I come to write my
own module.

Thanks again
Chris R.

On Wed, 23 May 2007 18:07:04 -0400, "Edward Z. Yang"
<ed*********@thewritingpot.comwrote:

>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cheb wrote:

>I am writing a simple 'contact us' email form and I am aware I should
protect it from code injection and malicious email hijacks. I have
used mysql_escape_string() to remove any newlines in the headers but
do I need to protect the message body too? Should I include MIME
content headers too? And should I be worried about HTML inclusion in
the body?

Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string()
for SQL and other, more pertinent, string functions for email.

Yes, I understand it is a bad habit I have developed from doing
MySQL-based sites. Can you explain in real terms why
mysql_real_escape_string() is better than mysql_escape_string()? I've
read the php.net description but would it necessarily cause problems
if the character set isn't taken into account?

>If you don't have any clue what you're doing, I strongly recommend you
use an external library like SwiftMailer <http://swiftmailer.org/>

I think that's a bit harsh - if I didn't have "any clue what I am
doing" then I wouldn't understand that there are serious issues with
email contact forms. I have read quite a few tutorials but got a bit
confused because so many articles have slightly different slants on
the issue so I thought it best to ask some experts here.

But thanks for the Swift link - I have downloaded it and will give it
a try. :o)

Thanks again
Chris R.

On 24.05.2007 14:15 Cheb wrote:

<...I
think for now I will go with yours and Edward's suggestion of Swift
and read-up on the techniques/pitfalls later when I come to write my
own module.

good choice, swift is an excellent piece of work and very easy to use.

swift support forum, moderated by its author is here
http://forums.devnetwork.net/viewforum.php?f=52
--
gosha bine

extended php parser ~ http://code.google.com/p/pihipi
blok ~ http://www.tagarga.com/blok