Full protection against post injection

Suppose we are sending a simple feedback form and want to make these fields dynamic:

  • Sender's name
  • Sender's email
  • Subject
  • Message body

Will this PHP code be enough to protect us from all kinds of email injection?

    // sanitizing the email address
    if ($email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        // encoding the subject according to the RFC and thus protecting it from all kinds of injection
        $subject = "=?UTF-8?B?" . base64_encode($_POST['subject']) . "?=";
        // encoding the name for the same reason, and using the sanitized email
        $from    = "From: =?UTF-8?B?" . base64_encode($_POST['name']) . "?= <$email>\r\n";
        // protecting the body as described at http://php.net/mail
        $message = str_replace("\n.", "\n .", $_POST['text']);
        mail('me@example.com', $subject, $message, $from);
    }

I'm currently experimenting with names like "some@email.com, other@email.com,", but it seems that all available email clients handle it correctly.

+3
2 answers

Will this PHP code be enough to protect us from all kinds of email injection?

It looks pretty comprehensive as long as your email client supports the RFC 2047 encoding method that you use in the headers. (Some email clients do not recognize the encoding.)


+2

, rfc, , , " , ," foo\r\nTo: poor-guy@dom.tld\r\nTo: dummy "@foo.tld , :

Subject: foo
To: poor-guy@dom.tld
To: dummy"@foo.tld

...

0
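As an added example (my own code, not from the question or either answer), here is a hardened version of the same form handler: every header value is either an RFC 2047 B encoded-word, which is pure base64 and so can never carry a CR or LF, or an address that passed both FILTER_VALIDATE_EMAIL and an explicit control-character check, so the quoted-local-part trick from the second answer is refused no matter what the filter does with it. The helper names, the Reply-To header and the demo inputs are my own choices; the dot-stuffing of the body follows the php.net mail() note.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers. A form value can
// only inject a header by carrying a CR or LF into header text, so each value
// is either B-encoded (pure base64) or an address checked for control bytes.

/** RFC 2047 "B" encoding for Subject / display-name values. */
function encode_header_word(string $text): string
{
    return '=?UTF-8?B?' . base64_encode($text) . '?=';
}

/**
 * Returns the address, or null if it is unusable in a header. The regex is
 * defence in depth: a quoted local part ("..."@host) may legally contain
 * escaped control characters, so we never rely on the filter alone.
 */
function safe_address(string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    if ($email === false || preg_match('/[\x00-\x1F\x7F"]/', $email)) {
        return null;
    }
    return $email;
}

/** Builds [subject, body, headers] for mail(), or null when a field is unsafe. */
function build_mail(string $name, string $email, string $subject, string $text): ?array
{
    $from = safe_address($email);
    if ($from === null) {
        return null;
    }
    $headers = 'From: ' . encode_header_word($name) . " <$from>\r\n"
             . "Reply-To: <$from>\r\n";
    // Dot-stuff lines that start with ".", as the php.net mail() note advises.
    $body = str_replace("\n.", "\n..", $text);
    return [encode_header_word($subject), $body, $headers];
}

// Constructed inputs: the address from the second answer is refused, whether
// by filter_var itself or by the control-character check; the normal one passes.
$hostile = "\"foo\r\nTo: poor-guy@dom.tld\r\nTo: dummy\"@foo.tld";
var_dump(build_mail('Alice', $hostile, 'Hello', 'Hi') === null);
var_dump(build_mail('Alice', 'alice@example.com', 'Hello', "Hi\n.\n") !== null);
// Sending then becomes: [$s, $b, $h] = build_mail(...); mail('me@example.com', $s, $b, $h);
```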
