I have not been able to find an answer to this specific question. All searches end up with superficial overviews of the PHP mail() function in general, and if they refer to security concerns then almost always they only discuss protecting against header injection in the to or headers fields.
I have a contact form which only uses the message field for user data, and want to confirm that there are no security implications in passing user data into that field.
This Ripstech blog post is the only one I have found which discusses each field for the mail() function. It appears to confirm that user data can be freely passed to the message field.
Carefully analyze the arguments of each call to mail() in your application for the following conditions:
- Argument (to): Unless intended, no user input is used directly
- Argument (subject): Safe to use
- Argument (message): Safe to use
- Argument (headers): All \r and \n characters are stripped
- Argument (parameters): No user input is used
Is there anything that I have missed?
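For reference, here is the quoted checklist applied to a minimal contact-form handler. This is an added example, not code from the question or from the Ripstech post; the recipient address, the form field names (name, email, message), the size cap and the use of -f in the fifth argument are assumptions made for the example.

```php
<?php
// Added example: a PHP contact-form handler that applies the per-argument
// checklist for mail(). Not from the question or the Ripstech post.
// Assumptions: fixed recipient CONTACT_TO; the form posts "name", "email"
// and "message"; only "message" is intended to carry free-form user data.

declare(strict_types=1);

const CONTACT_TO = 'contact@example.org';   // assumption: site owner's address, never user input

/**
 * Remove CR and LF so a value can never terminate a header line.
 * Applied to every user value that ends up in a header.
 */
function strip_crlf(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

/**
 * Build the five arguments of mail() from the POSTed form.
 * Returns null when the input is not acceptable.
 */
function build_contact_mail(array $post): ?array
{
    $name    = strip_crlf(trim((string)($post['name'] ?? '')));
    $email   = trim((string)($post['email'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // FILTER_VALIDATE_EMAIL rejects CR, LF and whitespace, so the validated
    // address is the only user value allowed into a header (Reply-To).
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($message === '' || strlen($message) > 10000) {
        return null;   // size cap is an arbitrary assumption, not a security control
    }

    // (to): fixed recipient, no user input.
    $to = CONTACT_TO;

    // (subject): marked safe in the checklist; the name was CRLF-stripped anyway.
    $subject = 'Contact form: ' . $name;

    // (message): user data goes here unchanged and is delivered as text/plain
    // (see the Content-Type header below), so it is shown, not interpreted.
    $body = $message;

    // (headers): assembled by us; every user-derived value was passed through
    // strip_crlf() or FILTER_VALIDATE_EMAIL above.
    $headers = [
        'From: Contact form <' . CONTACT_TO . '>',
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];

    // (parameters): a constant envelope-sender flag, never user input.
    $params = '-f' . CONTACT_TO;

    return [$to, $subject, $body, implode("\r\n", $headers), $params];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $args = build_contact_mail($_POST);
    if ($args === null) {
        http_response_code(400);
        exit('Invalid form input.');
    }
    [$to, $subject, $body, $headers, $params] = $args;
    echo mail($to, $subject, $body, $headers, $params) ? 'Sent.' : 'Could not send.';
}
```

The only place user data is used verbatim is the body; the visitor's address goes into Reply-To rather than From so that the message is sent from an address the server controls, and the fifth argument is a compile-time constant.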