07-30-2007, 02:45 AM

I am receiving some post data: name, telephone number and address, and I just wondered what sort of validation I should do before I send it to an email address. I have put an is_numeric function in for the telephone number, but other than that I can't think of anything.

07-30-2007, 04:20 AM
htmlspecialchars() will stop JavaScript and VBScript; you should probably pass everything through that.

Another worry is email-header injection, where your form is altered to send emails to other addresses as well as the original. How likely this is to happen depends on where the data used in 'To/recipient' comes from; the same goes for the other email headers. Google for more info on this.

07-30-2007, 04:22 AM
Address validation is a multi-gazillion dollar industry (e.g. Group 1 (http://www.g1.com/Solutions/Business/Global-Address-Cleansing/) and the like), but you probably just want to make sure the field's not empty, unless having a valid address is critical to the success of your business.

You want to make sure the phone number is the right number of digits and strip out any parentheses or dashes they enter (just store the digits).

Name validation is about the same as address validation; just making sure the field isn't empty is about all you can reasonably do unless you get into that multi-gazillion dollar industry again.

07-30-2007, 10:05 AM
OK that all sounds reasonable, thank you!

07-30-2007, 06:49 PM
No, you really need to google for email-header injection. E.g. if the user can pass an email address and you only check that it is not empty, it is then possible for a spammer to pass multiple recipients via that field,

e.g. someone might pass an email address such as the following (example from http://www.securephpwiki.com/index.php/Email_Injection):

sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

07-31-2007, 02:46 AM
Hi, thanks for your comments.

Fire pages, the script actually will only ever send the email to the mail server, which will be records for the staff at Southern Bridges. Therefore the 'To' string is predefined. However, the telephone number, address and name will make up the subject and body part. As for the header string, should I leave that out or should I just use a predefined string?

I presume there's no worry of injections through the subject and body part of the script?

07-31-2007, 04:48 AM
There is still the possibility of injecting through the subject field, since that is sent directly to the mail server as an email header:

my subject%0ATo: recipient@someothersite.xxx

The body should be safe from injection code since it is sent after the email headers. Still worth checking for other <script> exploits though.
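The checks discussed in this thread, put together as an added PHP example (not code posted by anyone in the thread): header-bound fields such as the subject are rejected if they contain a line break, the phone number is reduced to digits, name and address only need to be non-empty, and body text is HTML-escaped. The field names, the 7 to 15 digit phone range and the sample input are assumptions made for the example.

```php
<?php
// Added example: validate contact-form fields before building a mail() call whose
// recipient is fixed. Header-bound fields (subject) must not contain CR or LF, or a
// "%0ATo: ..." style value like the one quoted above would add recipients. Body text
// is sent after the headers, so a newline there cannot add a header.

function validate_contact_form(array $post): array
{
    $errors = [];

    // Name and address: non-empty after trimming is about all that can be checked.
    $name    = trim($post['name'] ?? '');
    $address = trim($post['address'] ?? '');
    if ($name === '')    { $errors[] = 'name is required'; }
    if ($address === '') { $errors[] = 'address is required'; }

    // Telephone: keep digits only (drops spaces, parentheses, dashes), then check length.
    // The 7 to 15 digit range is an assumption; adjust for the numbers you expect.
    $phone = preg_replace('/\D+/', '', $post['telephone'] ?? '');
    if (strlen($phone) < 7 || strlen($phone) > 15) {
        $errors[] = 'telephone must contain 7 to 15 digits';
    }

    // Subject is written into the header block: PHP has already URL-decoded %0D/%0A
    // into raw CR/LF in $_POST, so a single regex catches both forms. Reject rather
    // than strip, so the attempt shows up in your error log.
    $subject = $post['subject'] ?? 'Website enquiry';
    if (preg_match('/[\r\n]/', $subject)) {
        $errors[] = 'subject contains a line break (possible header injection)';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Body: escape HTML in case the message is later viewed in a browser-based client.
    $body = "Name: "    . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n"
          . "Phone: "   . $phone . "\n"
          . "Address: " . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . "\n";

    return ['ok' => true, 'subject' => $subject, 'body' => $body];
}

// Constructed sample input: the subject carries the newline payload quoted above.
$sample = [
    'name'      => 'A. Person',
    'telephone' => '(01234) 567-890',
    'address'   => '1 High Street',
    'subject'   => "my subject\nTo: recipient@someothersite.xxx",
];
print_r(validate_contact_form($sample));
```

With the sample input the function returns ok => false and lists the subject error; replace the subject with a plain string and it returns the escaped body ready to pass to mail() with your predefined recipient.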