I have not been able to find an answer to this specific question. All searches end up with superficial overviews of the PHP mail() function in general, and if they refer to security concerns then almost always they only discuss protecting against header injection in the to or headers fields.

I have a contact form which only uses the message field for user data, and want to confirm that there are no security implications in passing user data into that field.

This Ripstech blog post is the only one I have found which discusses each field for the mail() function. It appears to confirm that user data can be freely passed to the message field.

Carefully analyze the arguments of each call to mail() in your application for the following conditions:

  • Argument (to): Unless intended, no user input is used directly
  • Argument (subject): Safe to use
  • Argument (message): Safe to use
  • Argument (headers): All \r and \n characters are stripped
  • Argument (parameters): No user input is used

Is there anything that I have missed?

Nicolas
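For concreteness, here is an added example (not the asker's code or the Ripstech post's) of a contact-form handler that applies the quoted per-argument checklist: fixed recipient, CR/LF stripped from every header, the message body passed through with only the line-length and leading-dot handling the PHP manual recommends, and the fifth argument never used. The recipient address, the `From:` address and the `$_POST` field names are assumptions.

```php
<?php
// Added example: a mail() wrapper that follows the per-argument checklist.
// Addresses and $_POST keys are placeholders, not from the question.

function build_contact_mail(array $post): array
{
    // (to): fixed recipient, never taken from user input.
    $to = 'contact@example.com';

    // (subject): listed as safe to use; CR/LF are still replaced and the
    // length bounded so a hostile subject cannot smuggle a second header line.
    $rawSubject = str_replace(["\r", "\n"], ' ', $post['subject'] ?? '');
    $subject = 'Contact form: ' . substr($rawSubject, 0, 200);

    // (headers): the only user-derived value is the sender address, and it is
    // accepted only if FILTER_VALIDATE_EMAIL passes (it rejects CR/LF and spaces).
    $reply = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $headers = [
        'From: Contact form <noreply@example.com>',
        'Content-Type: text/plain; charset=UTF-8',
    ];
    if ($reply !== false) {
        $headers[] = 'Reply-To: ' . $reply;
    }
    // Belt and braces: no header line may contain a line break at all.
    $headers = array_map(fn($h) => str_replace(["\r", "\n"], '', $h), $headers);

    // (message): user text goes in as-is. Line endings are normalised, lines
    // wrapped to the 70-column limit the PHP manual recommends, and a line that
    // starts with a single dot is doubled, the manual's caveat for PHP talking
    // SMTP directly. None of this is injection defence: the body cannot reach
    // the envelope, the headers or the sendmail command line.
    $body = str_replace(["\r\n", "\r"], "\n", $post['message'] ?? '');
    $body = wordwrap($body, 70, "\n", true);
    $body = str_replace("\n.", "\n..", $body);
    if ($body !== '' && $body[0] === '.') {
        $body = '.' . $body;
    }

    // (parameters): the fifth argument of mail() is deliberately not used, so
    // nothing user-controlled is ever passed to the sendmail binary.
    return [$to, $subject, $body, implode("\r\n", $headers)];
}

[$to, $subject, $body, $headers] = build_contact_mail($_POST);
$sent = mail($to, $subject, $body, $headers);
```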
  • Have you read this? Seems pretty similar: https://stackoverflow.com/questions/16059563/quoting-escaping-variables-in-mail-body – Don't Panic Jul 20 '18 at 22:53
  • @dont-panic No, I have not. That is exactly my question: Do I have to take precautions with the email body or not, and please back up your answer! Obviously my search technique is lacking... Thank you very much, and this question can be marked duplicate. – Nicolas Jul 20 '18 at 23:06
  • You're welcome. I didn't close it as duplicate initially because I don't feel like I'm enough of a mail expert to evaluate the answer there, although it seemed reasonable, but since it works for you I'll go ahead. – Don't Panic Jul 20 '18 at 23:09
