Richard Lynch wrote:
> Though I confess, I'm sometimes at a loss how to properly escape
> certain data for certain situations...
>
> Here's an example:
> Take the Subject of an email.
>
> Sure, I've sanitized it to be sure there are no newlines for header
> injection.
>
> But now how do I properly escape it to be sure it's a kosher email
> subject?
>
> Where's the PHP function smtp_escape()?

Some contexts don't require/support escaping. It's a bummer in the sense that it places more responsibility on your filtering, but that's about it.

In several cases, ctype_print() can be used as a nice defense-in-depth mechanism to make sure there are no newlines or carriage returns (or anything else that isn't printable).

> I'm looking for a guide, a chart, a grid, an organized systemic
> documentation of what data should be escaped how as it travels
> through the "glue" that is PHP...

That's a great idea. Want to write it? :-)

I'd be happy to help.

Chris

-- 
Chris Shiflett
http://shiflett.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
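As an added illustration of the ctype_print() approach Chris describes (example code written for this page, not from either poster), the function below treats a Subject value as a validation problem rather than an escaping one: printable ASCII passes through, any control character (including the CR/LF used for header injection) is rejected, and non-ASCII text is handled by RFC 2047 encoding with mb_encode_mimeheader(). It assumes PHP with the mbstring extension and the default C locale; validate_subject and the sample inputs are this example's own.

```php
<?php
declare(strict_types=1);

/**
 * Returns a Subject value ready for use in a mail header, or null if rejected.
 *
 * ctype_print() accepts only printable ASCII (0x20-0x7E) in the C locale, so
 * CR, LF, NUL, tab and other control bytes fail it and are refused outright
 * rather than silently stripped. Non-ASCII (UTF-8) text also fails it; such
 * subjects need RFC 2047 encoded-words, which is what mb_encode_mimeheader()
 * produces, rather than any kind of "escaping".
 */
function validate_subject(string $subject, int $maxLen = 200): ?string
{
    if ($subject === '' || strlen($subject) > $maxLen) {
        return null;
    }
    if (ctype_print($subject)) {
        return $subject;                        // plain printable ASCII, usable as-is
    }
    // Any control character means an injection attempt or garbage: reject.
    if (preg_match('/[\x00-\x1F\x7F]/', $subject)) {
        return null;
    }
    // What remains are non-ASCII bytes: require valid UTF-8, then encode.
    if (!mb_check_encoding($subject, 'UTF-8')) {
        return null;
    }
    return mb_encode_mimeheader($subject, 'UTF-8', 'B', "\r\n");
}

// Constructed inputs for demonstration (hypothetical, not real mail).
$cases = [
    "Meeting notes"                     => 'accepted as-is',
    "Hi\r\nBcc: someone@example.invalid" => 'rejected: CR/LF header injection',
    "Tab\there"                         => 'rejected: control character',
    "Réunion à Paris"                   => 'encoded as an RFC 2047 encoded-word',
];
foreach ($cases as $input => $expected) {
    $out = validate_subject($input);
    printf("%-42s -> %s  (%s)\n",
        json_encode($input),
        $out === null ? 'REJECTED' : $out,
        $expected);
}
```

If setlocale() has been called with a non-C locale, ctype_print() may accept bytes above 0x7F, which is why the explicit control-character check remains even after the ctype_print() test.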