I understand about mysql_real_escape_string and such, but what about when I am just sending an email?
So I have a form and a textbox; are there any vulnerabilities in just directly emailing the $_POST data to a user? I guess they wouldn't be able to execute any PHP... or can they if they run it from a web address? I am not sure.
If it is being sent directly to an email, then it will be fine. If it is being stored in a database to be displayed on an administrator page such as a helpdesk, etc., then it will need to be escaped for both HTML output and MySQL. You can escape MySQL using a number of functions:
http://php.net/manual/en/pdo.prepare.php
http://php.net/manual/en/mysqli.real-escape-string.php
That said, because emails can contain HTML, if you don't want to receive emails that people have put bogus HTML in, such as <blink> (which is really annoying), then you can use htmlspecialchars(): http://php.net/manual/en/function.htmlspecialchars.php
If you are worried about JavaScript in emails, then using htmlspecialchars(), noted above, will escape this also.
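The two things the answer points at, a PDO prepared statement for the database write and htmlspecialchars() on the helpdesk page, put together as an added example (this is not code from the question or the answer). It assumes PDO is available and uses an in-memory SQLite database in place of MySQL so it runs offline; the table name `messages`, the function names, and the sample form input are made up for the illustration, and a real form handler would read `$_POST['email']` and `$_POST['message']` instead of the constructed `$input` array.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PDO with the sqlite driver; the schema and names below are hypothetical.
declare(strict_types=1);

// Store one form submission with a prepared statement, so the text is passed
// as a bound value and never spliced into the SQL string.
function storeMessage(PDO $db, string $sender, string $body): int
{
    $stmt = $db->prepare('INSERT INTO messages (sender, body) VALUES (:sender, :body)');
    $stmt->execute([':sender' => $sender, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Fetch one stored submission by id, again via a bound parameter.
function loadMessage(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT sender, body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render a row for the administrator/helpdesk page. htmlspecialchars() converts
// < > & " ' to entities, so a submitted <blink> or <script> tag is shown as text
// rather than interpreted as markup by the admin's browser.
function renderMessageRow(array $row): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $esc($row['sender']) . '</td><td>' . $esc($row['body']) . '</td></tr>';
}

// Build the notification email as plain text. The headers are fixed strings;
// the submitted text goes only into the message body, which is sent as
// text/plain so mail clients do not render any HTML it contains.
function buildNotification(string $to, string $sender, string $body): array
{
    $message = "New contact form submission\n"
             . "Submitted by: " . $sender . "\n\n"
             . $body . "\n";
    $headers = "Content-Type: text/plain; charset=UTF-8\r\n"
             . "X-Mailer: PHP/" . PHP_VERSION;
    return ['to' => $to, 'subject' => 'Contact form submission', 'message' => $message, 'headers' => $headers];
}

// Offline stand-in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, sender TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed sample input standing in for $_POST.
$input = [
    'email'   => 'visitor@example.com',
    'message' => "Hello, <blink>look at me</blink> and O'Reilly's \"quoted\" text",
];

// Reject anything that is not shaped like an email address before using it.
$sender = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
if ($sender === false) {
    fwrite(STDERR, "invalid email address\n");
    exit(1);
}

$id  = storeMessage($db, $sender, $input['message']);
$row = loadMessage($db, $id);
echo renderMessageRow($row), "\n";

$mail = buildNotification('helpdesk@example.com', $sender, $input['message']);
echo $mail['message'];
// On a host with a configured MTA the same array feeds mail():
// mail($mail['to'], $mail['subject'], $mail['message'], $mail['headers']);
```

The same escaping rule applies in both places: the database write uses bound parameters instead of string concatenation, and the admin page escapes on output rather than trying to strip tags on input, so the stored text stays exactly what the visitor typed.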