Hello, on 07/20/2007 06:03 PM Richard Lynch said the following:

> So, I'm trying to be more consistent about escaping my output.
>
> I do something like this (only prettier):
>
> if (!isset($_REQUEST['blah_id'])) error_out("Bad blah_id input");
> $blah_id = (int) $_REQUEST['blah_id'];
> $blah_id_sql = mysql_real_escape_string($blah_id, $connection);
> $query = "select title from blah where blah_id = $blah_id_sql";
> $blah = mysql_query($query, $connection) or die("DB Error");
> list($title) = mysql_fetch_row($blah);
> $title_html = htmlentities($title);
> $title_email = SOME_FUNCTION_HERE($title);
>
> What function should be used to escape output to make it 100% kosher
> for an email Subject and/or Body, in a plain-text email?
>
> The original title came from the outside world, had
> mysql_real_escape_string() applied to it, and was crammed into the DB.
>
> It could have ANY kind of malicious text in it.
>
> We do NOT send (and will NEVER send) HTML enhanced (cough, cough) emails.
>
> For simplicity's sake, I'd probably be happy with a more restrictive
> function that covered both Subject and Body in this instance.

Message headers should be encoded with q-encoding, which is a variant of quoted-printable that includes character set information. This is a bit complicated (too many RFCs to read), but you can use this MIME message composing class to encode your message headers properly.

This class also properly escapes line breaks in headers. Malicious line breaks are used by spammers to attack form-mail-like scripts. They inject line breaks to insert new headers into the message, which can cause the messages to be sent to other addresses.

http://www.phpclasses.org/mimemessage

--
Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--
PHP General Mailing List (http://www.php.net/)
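The two points of Manuel's answer (line breaks must not survive into a header, and the value should be RFC 2047 Q-encoded), worked through as an added example; this is not code from the thread or from the phpclasses.org package, and the function names and the sample title are constructed for illustration.

```php
<?php
// Added example (not from the thread or the phpclasses.org package): make an
// untrusted title safe for a plain-text email Subject header.
// CR, LF and NUL have no legitimate place in a header value; removing them
// means the value can never start a second header line.
function strip_header_breaks(string $value): string
{
    return str_replace(["\r", "\n", "\0"], '', $value);
}

// RFC 2047 Q-encoding: safe printable ASCII passes through, space becomes '_',
// every other byte becomes =XX, and no encoded-word exceeds 75 characters.
function q_encode_header(string $value, string $charset = 'UTF-8'): string
{
    $value  = strip_header_breaks($value);
    $prefix = '=?' . $charset . '?Q?';
    $suffix = '?=';
    $maxPayload = 75 - strlen($prefix) - strlen($suffix);
    // split into characters so a multi-byte sequence never straddles two words
    $chars = preg_split('//u', $value, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {              // not valid UTF-8: fall back to bytes
        $chars = str_split($value);
    }
    $words = [];
    $current = '';
    foreach ($chars as $ch) {
        if ($ch === ' ') {
            $token = '_';
        } elseif (strlen($ch) === 1 && ord($ch) >= 0x21 && ord($ch) <= 0x7E
                  && $ch !== '=' && $ch !== '?' && $ch !== '_') {
            $token = $ch;
        } else {
            $token = '';
            foreach (str_split($ch) as $byte) {
                $token .= sprintf('=%02X', ord($byte));
            }
        }
        if ($current !== '' && strlen($current) + strlen($token) > $maxPayload) {
            $words[] = $prefix . $current . $suffix;   // close the full word
            $current = '';
        }
        $current .= $token;
    }
    $words[] = $prefix . $current . $suffix;
    return implode("\r\n ", $words);   // encoded-words separated by folding space
}

// Constructed sample: a title carrying an injected line break and header.
$title = "Quarterly report\r\nBcc: someone@example.com";
echo 'Subject: ' . q_encode_header($title) . "\r\n";
```

After stripping, the injected "Bcc:" text is just ordinary characters inside one encoded Subject value rather than a header of its own; PHP's mbstring extension also offers mb_encode_mimeheader() for the encoding step.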