Checking the 'message' parameter of the mail function

  • Eric

    Checking the 'message' parameter of the mail function

    I would imagine it is a fairly common situation for a site to allow the
    user to enter some text into a field and then to have that text passed
    to the 'message' parameter of the mail function
    (http://us4.php.net/manual/en/function.mail.php).

    Is it a good idea to pass this text through some other function first or
    can it be sent through as is? Is this a case where the maxim 'do not
    trust input from the user' does not apply?
  • C.Schneck

    #2
    Re: Checking the 'message' parameter of the mail function

    I would usually make my own function to remove any potentially harmful text
    like html characters before including it in an email message. Sterilizing
    user input is most always a necessity.

    "Eric" <egusenet@verizon.net> wrote in message
    news:1ghca1j.1m4i6r81wy2qdcN%egusenet@verizon.net...
    > I would imagine it is a fairly common situation for a site to allow the
    > user to enter some text into a field and then to have that text passed
    > to the 'message' parameter of the mail function
    > (http://us4.php.net/manual/en/function.mail.php).
    >
    > Is it a good idea to pass this text through some other function first or
    > can it be sent through as is? Is this a case where the maxim 'do not
    > trust input from the user' does not apply?


    • Eric

      #3
      Re: Checking the 'message' parameter of the mail function

      C.Schneck <chris@nisa.com> wrote:
      > "Eric" <egusenet@verizon.net> wrote in message
      > news:1ghca1j.1m4i6r81wy2qdcN%egusenet@verizon.net...
      > > I would imagine it is a fairly common situation for a site to allow the
      > > user to enter some text into a field and then to have that text passed
      > > to the 'message' parameter of the mail function
      > > (http://us4.php.net/manual/en/function.mail.php).
      > >
      > > Is it a good idea to pass this text through some other function first or
      > > can it be sent through as is? Is this a case where the maxim 'do not
      > > trust input from the user' does not apply?
      >
      > I would usually make my own function to remove any potentially harmful text
      > like html characters before including it in an email message. Sterilizing
      > user input is most always a necessity.

      Surely such functions must exist in great abundance...do you happen to
      have one hanging around somewhere?

      • C.Schneck

        #4
        Re: Checking the 'message' parameter of the mail function

        I post this one a lot, htmlspecialchars(); it's really handy.

        also depending on your php configuration addslashed() is another one you
        could consider.

        "Eric" <egusenet@verizon.net> wrote in message
        news:1ghdfs6.twyiyg12dpkgkN%egusenet@verizon.net...
        > C.Schneck <chris@nisa.com> wrote:
        >
        > > "Eric" <egusenet@verizon.net> wrote in message
        > > news:1ghca1j.1m4i6r81wy2qdcN%egusenet@verizon.net...
        > > > I would imagine it is a fairly common situation for a site to allow the
        > > > user to enter some text into a field and then to have that text passed
        > > > to the 'message' parameter of the mail function
        > > > (http://us4.php.net/manual/en/function.mail.php).
        > > >
        > > > Is it a good idea to pass this text through some other function first or
        > > > can it be sent through as is? Is this a case where the maxim 'do not
        > > > trust input from the user' does not apply?
        > >
        > > I would usually make my own function to remove any potentially harmful text
        > > like html characters before including it in an email message. Sterilizing
        > > user input is most always a necessity.
        >
        > Surely such functions must exist in great abundance...do you happen to
        > have one hanging around somewhere?
        >
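An added example, not code from this thread, of applying the advice above to a feedback form that calls mail(): the body text is cleaned and wrapped as the manual page asks, htmlspecialchars() is applied only when the mail is actually sent as HTML, and a user-supplied value bound for a header is refused if it contains a line break, since the body is not the only place the "do not trust input" maxim applies. The function names, the example addresses and the form field names are assumptions.

```php
<?php
// Added example (not from the thread): prepare user text for the 'message'
// parameter of mail() and refuse header values that are not a single line.

/**
 * Clean free-text destined for the mail body. The mail() manual asks for
 * lines separated by CRLF and no longer than 70 characters.
 */
function prepare_mail_body(string $text, bool $asHtml = false): string
{
    // Normalise every line-ending style to "\n" first.
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    // Drop control characters other than newline and tab (stray NULs, escapes).
    $text = preg_replace('/[^\P{Cc}\n\t]/u', '', $text);
    if ($asHtml) {
        // Only needed when the mail is sent as text/html: neutralise markup.
        $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    // Wrap to 70 columns with CRLF, as the manual page requests.
    return wordwrap($text, 70, "\r\n", true);
}

/**
 * A value used in a header (Subject, From, Reply-To) must stay on one line;
 * a CR or LF in it would be read as the start of a further header line.
 * Reject such input rather than silently stripping it.
 */
function assert_single_line_header(string $value): string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException('line break or NUL in mail header value');
    }
    return trim($value);
}

// Constructed sample input, as a site form might submit it (field names assumed).
$userSubject = $_POST['subject'] ?? 'Feedback';
$userText    = $_POST['message'] ?? '';

$body = prepare_mail_body($userText);
try {
    $subject = assert_single_line_header($userSubject);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid subject');
}

// The recipient is fixed by the site, never taken from the form.
$sent = mail('webmaster@example.com', $subject, $body, "From: noreply@example.com\r\n");
```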
