PHPRO.ORG

While a lot of attention is paid to checking that email addresses are compliant, many coders overlook other avenues of exploiting their scripts. One of the most common attacks comes from not adequately checking the subject, to, and from fields that are being sent. These fields need to be checked whenever their values come from user space. This little function takes a string and returns it with any injection characters removed, allowing the variables to be used safely within a mail script.


<?php

/**
 * Strip injection chars from email headers
 *
 * @param string $string
 *
 * @return string
 */
function safeEmail($string) {
    // Remove raw and URL-encoded line breaks, tabs and backspaces (case-insensitive)
    return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
}

/*** example usage ***/
// A from value that tries to smuggle in an extra Cc header on a second line
$from = "sender@example.com
Cc:victim@example.com";

if (strlen($from) < 100)
{
    $from = safeEmail($from);
}

?>
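
An added example, not part of the original snippet: it builds a header block from the page's sample value before and after stripping, then shows a stricter check that rejects a tainted value instead of repairing it. The names `countHeaderLines` and `checkFromAddress` and the `X-Mailer` header are assumptions made for illustration.

```php
<?php
// Added example; countHeaderLines() and checkFromAddress() are hypothetical names.

// Same stripping pattern as the page's safeEmail().
function safeEmail($string) {
    return preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $string);
}

// Count the lines a mail transport would parse as separate headers.
function countHeaderLines($headers) {
    return count(preg_split('/\r\n|\r|\n/', trim($headers)));
}

// Stricter alternative: reject instead of repair.
// Returns the address if it is short, single-line and well formed, else null.
function checkFromAddress($value, $maxLen = 100) {
    if (strlen($value) >= $maxLen) {
        return null;                      // over-long values are refused, not skipped
    }
    if ($value !== safeEmail($value)) {
        return null;                      // stripping changed it: injection chars present
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample input: the page's from value carrying an extra Cc line.
$from = "sender@example.com\nCc:victim@example.com";

// Without stripping, the embedded line break turns Cc into a header of its own.
$raw = "From: " . $from . "\r\nX-Mailer: demo";
printf("header lines, raw:      %d\n", countHeaderLines($raw));

// With stripping, the Cc text stays inside the From value.
$cleaned = "From: " . safeEmail($from) . "\r\nX-Mailer: demo";
printf("header lines, stripped: %d\n", countHeaderLines($cleaned));
printf("stripped From value:    %s\n", safeEmail($from));

// The stripped value is a single line but no longer a usable address,
// so the stricter check refuses the input outright.
var_dump(checkFromAddress($from));
var_dump(checkFromAddress("sender@example.com"));
```

Stripping keeps the injected text out of the header structure but leaves it glued onto the address, which is why the stricter check compares the value against its stripped form and refuses anything that differs.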