How to sanitze user input in PHP before mailing?

php security email sanitize
Matt Hampel picture Matt Hampel · Jun 28, 2009 · Viewed 33.6k times · Source

I have a simple PHP mailer script that takes values from a form submitted via POST and mails them to me:

<?php
$to = "[email protected]";

$name = $_POST['name'];
$message = $_POST['message'];
$email = $_POST['email'];

$body  =  "Person $name submitted a message: $message";
$subject = "A message has been submitted";

$headers = 'From: ' . $email;

mail($to, $subject, $body, $headers);

header("Location: http://example.com/thanks");
?>

How can I sanitize the input?

Answer

Haim Evgi picture Haim Evgi · Jun 28, 2009

Sanitize the post variable with filter_var().

Example here. Like:

echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

Related questions

Obfuscate X-Php-Originating-Script

If there is no access to php.ini (assume php -v >= 5.3 & mail.add_x_header = 1), or a way to patch mail, is there a way to change the X-Php-Originating-Script header when using php's mail() function? The little research …

Read More
How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More