Sanitizing user input that will later be e-mailed - what should I be worried about?
Posted
by Kevin Burke
on Stack Overflow
See other posts from Stack Overflow
or by Kevin Burke
Published on 2010-05-01T05:04:18Z
Indexed on
2010/05/01
5:07 UTC
Read the original article
Hit count: 330
I'm interning for an NGO in India (Seva Mandir, http://sevamandir.org) and trying to fix their broken "subscribe to newsletter" box. Because the staff isn't very sophisticated and our web host isn't great, I decided to send the relevant data to the publications person via mail() instead of storing it in a MySQL database.
I know that it's best to treat user input as malicious, and I've searched the SO forums for posts relevant to escaping user data for sending in a mail message. I know the data should be escaped; what should I be worried about and what's the best way to sanitize the input before emailing it?
Form flow:
1. User enters email on homepage and clicks Submit
2. User enters name, address, more information on second page (bad usability, I know, but my boss asked me to) and clicks "Submit"
3. Collect the data via $_POST and email it to the publications editor (and possibly send a confirmation to the subscriber).
I am going to sanitize the email in step 2 and the other data in step 3. I appreciate your help,
Kevin
© Stack Overflow or respective owner