Sanitizing user input that will later be e-mailed - what should I be worried about?

Posted by Kevin Burke on Stack Overflow See other posts from Stack Overflow or by Kevin Burke
Published on 2010-05-01T05:04:18Z Indexed on 2010/05/01 5:07 UTC
Read the original article Hit count: 330

Filed under:
|
|
|

I'm interning for an NGO in India (Seva Mandir, http://sevamandir.org) and trying to fix their broken "subscribe to newsletter" box. Because the staff isn't very sophisticated and our web host isn't great, I decided to send the relevant data to the publications person via mail() instead of storing it in a MySQL database.

I know that it's best to treat user input as malicious, and I've searched the SO forums for posts relevant to escaping user data for sending in a mail message. I know the data should be escaped; what should I be worried about and what's the best way to sanitize the input before emailing it?

Form flow:
1. User enters email on homepage and clicks Submit
2. User enters name, address, more information on second page (bad usability, I know, but my boss asked me to) and clicks "Submit"
3. Collect the data via $_POST and email it to the publications editor (and possibly send a confirmation to the subscriber).

I am going to sanitize the email in step 2 and the other data in step 3. I appreciate your help,
Kevin

© Stack Overflow or respective owner

Related posts about php

Related posts about email-validation