On Wed, 23 May 2007 18:07:04 -0400, "Edward Z. Yang"
<ed*********@thewritingpot.com> wrote:
>Cheb wrote:
>>I am writing a simple 'contact us' email form and I am aware I should
>>protect it from code injection and malicious email hijacks. I have
>>used mysql_escape_string() to remove any newlines in the headers but
>>do I need to protect the message body too? Should I include MIME
>>content headers too? And should I be worried about HTML inclusion in
>>the body?
>Do not use mysql_escape_string(). Ever. Use mysql_real_escape_string()
>for SQL and other, more pertinent, string functions for email.
Yes, I understand it is a bad habit I have developed from doing
MySQL-based sites. Can you explain in real terms why
mysql_real_escape_string() is better than mysql_escape_string()? I've
read the php.net description but would it necessarily cause problems
if the character set isn't taken into account?
>If you don't have any clue what you're doing, I strongly recommend you
>use an external library like SwiftMailer <http://swiftmailer.org/>
I think that's a bit harsh - if I didn't have "any clue what I am
doing" then I wouldn't understand that there are serious issues with
email contact forms. I have read quite a few tutorials but got a bit
confused because so many articles have slightly different slants on
the issue so I thought it best to ask some experts here.
But thanks for the Swift link - I have downloaded it and will give it
a try. :o)
Thanks again
Chris R.
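The thread's underlying question is how a contact form should treat the fields that end up in mail headers versus the message body. The following is an added example, not code posted by anyone in the thread and not part of SwiftMailer: it checks header-bound fields for the carriage-return and line-feed characters that let one field grow into extra header lines, validates the address with filter_var(), and sends the body as plain text so embedded HTML is never rendered. It is written for a modern PHP with typed parameters rather than the mysql_* functions of the original post, and the addresses, field names and sample inputs are all constructed for the example.

```php
<?php
// Added example (not from the thread): header-injection checks for a PHP
// contact form. Addresses, field names and sample inputs are constructed.

/**
 * True if a value may be placed in a mail header: no CR, LF or NUL.
 * A raw line break inside a header value is what lets a submitted field
 * become an additional header line; escaping with a SQL-oriented function
 * merely backslashes the character, which is not a mail-header convention.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate the form. Returns a list of error strings; an empty list means OK.
 * Header-bound fields (name, email, subject) are rejected if they contain a
 * line break. The body legitimately contains newlines, so it is only checked
 * for being non-empty.
 */
function validateContactForm(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (!isSafeHeaderValue($value)) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (trim($post['body'] ?? '') === '') {
        $errors[] = 'body is required';
    }
    return $errors;
}

/**
 * Build the arguments for mail() after validation has passed. The recipient
 * and the From address are fixed server-side (never taken from the form);
 * the visitor's name and address go into Reply-To only. The MIME headers
 * declare plain text, so HTML in the body is shown as literal text.
 */
function buildContactMail(array $post, string $recipient, string $fromAddress): array
{
    // Non-ASCII display names are MIME-encoded (one token, no quoting needed);
    // ASCII names are quoted with any quotes/backslashes escaped.
    $name = preg_match('/[^\x20-\x7e]/', $post['name']) === 1
        ? mb_encode_mimeheader($post['name'], 'UTF-8', 'Q')
        : '"' . addcslashes($post['name'], '"\\') . '"';

    $headers = [
        "From: $fromAddress",
        "Reply-To: $name <{$post['email']}>",
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
    ];

    return [
        'to'      => $recipient,
        'subject' => mb_encode_mimeheader('[Contact] ' . $post['subject'], 'UTF-8', 'Q'),
        'body'    => wordwrap(trim($post['body']), 70, "\r\n"),
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed sample inputs.
$good = [
    'name'    => 'Chris R.',
    'email'   => 'chris@example.com',
    'subject' => 'Question about your service',
    'body'    => "Hello,\n\nCould you call me back?\nThanks.",
];
// A subject carrying a CR/LF followed by a second header line: the validator
// reports it instead of letting it reach mail().
$bad = $good;
$bad['subject'] = "Hello\r\nCc: other@example.net";

var_dump(validateContactForm($good));  // array(0) {}
var_dump(validateContactForm($bad));   // one entry: "subject contains a line break"

if (validateContactForm($good) === []) {
    $mail = buildContactMail($good, 'contact@example.com', 'web@example.com');
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```

The design choice worth noting: header-bound fields are rejected rather than cleaned, because a stripped line break still signals that the submission was not typed by a person filling in a form, and logging the rejection gives the site a useful signal. The body is never placed in a header, so it needs no escaping for injection purposes; declaring text/plain is what neutralises any HTML it contains.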