I made a small contact form in PHP; it gets $_POST variables and mails them to me.
<form action="/myscript.php" method="post">
A small piece of the code:
$subject = trim($_POST['subject']); // raw user input, no filtering
$comment = trim($_POST['comment']); // raw user input, no filtering
mail($email, $subject, $comment, $headers);
$email is my mail address, $headers are the usual ones.
There is no filtering of subject and comment. Could this be a potential security hole in my site?
My mail is hosted on gmail.com. Can unfiltered mail from my site hurt me when I open the Gmail interface in a browser?
How should I filter all the variables? I may want to echo some of them on my site after sending the email (like 'Thanks, %name%!').
No, it’s not that dangerous. Gmail doesn’t trust the e-mails you receive, otherwise every spammer would be able to compromise you.
However, it's good practice to at least check that the variables exist and that their length doesn't exceed a maximum.
EDIT: It's possible that old versions of PHP were vulnerable to e-mail injection attacks, as described here. It would not compromise your site, and your e-mail client should be able to handle malicious e-mails safely, but it could potentially turn you into a spam relay.
New versions do not exhibit this vulnerability, because all the control characters (those below 0x20) are sanitized. You can do the same sanitization like this:
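To make the answer concrete, here is an added example (not code from the original question or answer) that puts the unfiltered contact form beside a hardened one and feeds both a constructed header-injection payload. It assumes form fields named name, email, subject and comment, a hypothetical owner address owner@example.com, and replaces mail() with a function that returns the message text that would be handed to the MTA, so it runs without a mail server.

```php
<?php
// Added example, not from the original post. Shows why unfiltered $_POST
// values in mail() allow e-mail header injection (CR/LF smuggled into the
// Subject or Reply-To turns the form into a spam relay), and how stripping
// control characters and validating the address closes the hole.
// Assumption: mail() is stubbed by build_*() functions that return the raw
// message instead of sending it.

// Remove every ASCII control character (0x00-0x1F and 0x7F). CR and LF are
// the ones that matter for header injection, but none belong in a header.
function strip_controls(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $value);
}

// A header value must be a single line of bounded length.
function header_value(string $value, int $max = 200): string
{
    return mb_substr(trim(strip_controls($value)), 0, $max);
}

// The body may keep tab, CR and LF, but no other control characters.
function body_value(string $value, int $max = 5000): string
{
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    return mb_substr(trim($clean), 0, $max);
}

// Reply-To is only emitted when the submitted address is syntactically valid.
function reply_to_header(string $email): string
{
    $email = header_value($email);
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '';
    }
    return "Reply-To: $email\r\n";
}

// What the script in the question hands to mail(): raw user input.
function build_vulnerable(array $post, string $to): string
{
    $subject = trim($post['subject']);
    $comment = trim($post['comment']);
    $headers = "From: $to\r\nReply-To: " . $post['email'] . "\r\n";
    return "To: $to\r\nSubject: $subject\r\n$headers\r\n$comment";
}

// Same message with every header-bound field sanitized.
function build_hardened(array $post, string $to): string
{
    $subject = header_value($post['subject'] ?? '');
    $comment = body_value($post['comment'] ?? '');
    $headers = "From: $to\r\n" . reply_to_header($post['email'] ?? '');
    return "To: $to\r\nSubject: $subject\r\n$headers\r\n$comment";
}

// Count header lines named Bcc; the attacker should never be able to add one.
function count_bcc_headers(string $message): int
{
    [$head] = explode("\r\n\r\n", $message, 2);
    return preg_match_all('/^Bcc:/mi', $head);
}

// Safe echo of a submitted value back into the page ("Thanks, %name%!").
function thanks_html(string $name): string
{
    $name = header_value($name, 80);
    return 'Thanks, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '!';
}

// Constructed attacker submission: CR/LF in two fields, script tag in a third.
$attack = [
    'name'    => '<script>alert(1)</script>',
    'email'   => "mallory@example.net\r\nBcc: a@example.org, b@example.org",
    'subject' => "Hello\r\nBcc: c@example.org",
    'comment' => "Nice site\x00",
];
$to = 'owner@example.com'; // assumption: the site owner's address

printf("vulnerable: %d injected Bcc header(s)\n", count_bcc_headers(build_vulnerable($attack, $to)));
printf("hardened:   %d injected Bcc header(s)\n", count_bcc_headers(build_hardened($attack, $to)));
echo thanks_html($attack['name']), "\n";
```

With the constructed input the unfiltered message carries two attacker-controlled Bcc headers, while the hardened one carries none: the smuggled line breaks are gone from the Subject, and the Reply-To is dropped because the mangled address fails FILTER_VALIDATE_EMAIL. Echoing a field back into HTML is a separate problem from mail injection and needs its own escaping, which is what htmlspecialchars() does in thanks_html().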