[ACCEPTED]-How to sanitze user input in PHP before mailing?-sanitize

Accepted answer
Score: 53

Sanitize the post variable with filter_var().

Example here. Like:

echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   


Score: 13

Since you're not building an SQL query or 9 anything here, the only relevant validation 8 that I can see for those inputs is an email 7 validation for $_POST["email"], and 6 maybe an alphanumeric filter on the other 5 fields if you really want to limit the scope 4 of what the message can contain.

To filter 3 the email address, simply use filter_var:

$email = filter_var($email, FILTER_SANITIZE_EMAIL);

As per Frank 2 Farmer's suggestion, you can also filter 1 out newlines in the email subject:

$subject = str_replace(array("\r","\n"),array(" "," "),$subject);
Score: 5

As others have noted, filter_var is great. If it's 11 not available, add this to your toolchest.

The 10 $headers variable is particularly bad security-wise. It 9 can be appended to and cause spoofed headers 8 to be added. This post called Email Injection discusses 7 it pretty well.

filter_var is great, but another way 6 to assure that something is an email address 5 and not something bad is to use an isMail() function. Here's 4 one:

function isEmail($email) {
    return preg_match('|^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]{2,})+$|i', $email);

So to use this, you could do:

if (isset($_POST['email']) && isEmail($_POST['email'])) {
    $email = $_POST['email'] ;
} else {
    // you could halt execution here, set $email to a default email address
    // display an error, redirect, or some combination here,

In terms 3 of manual validation, limiting the length 2 using substr(), running strip_tags() and otherwise limiting 1 what can be put in.

Score: 4

You need to remove any newlines from input 6 provided by users in $headers, which gets 5 passed to mail() ($email in your case)! See 4 Email injection.

PHP should take care of sanitizing $to 3 and $subject, but there are versions of 2 PHP with bugs (Affected are PHP 4 <= 4.4.6 1 and PHP 5 <= 5.2.1, see MOPB-34-2007).

Score: 1

You can use the code from artlung's answer above 9 to validate email..

I use this kind of code 8 to prevent header injection ..

// define some mail() header's parts and commonly used spam code to filter using preg_match
$match = "/(from\:|to\:|bcc\:|cc\:|content\-type\:|mime\-version\:|subject\:|x\-mailer\:|reply\-to\:|\%0a|\%0b)/i";

// check if any field's value containing the one or more of the code above
if (preg_match($match, $name) || preg_match( $match, $message) || preg_match( $match, $email)) {

// I use ajax, so I call the string below and send it to js file to check whether the email is failed to send or not
echo "failed";

// If you are not using ajax, then you can redirect it with php header function i.e: header("Location: http://example.com/anypage/");

// stop the script before it reach or executing the mail function


The mail()'s header 7 filtering above is too strict, since some 6 users may be using the filtered strings 5 in their message without any intention to 4 hijack your email form, so redirect it to 3 a page that is explaining what kind of strings 2 that is not allowed in the form or explain 1 it on your form page.

More Related questions