Screening user input with regards to sending email

TheGorf - May 27, 2008 - 22:52

I am writing a module that will collect some information from a user and then send an email based on that input. This needs to be publicly available to the internet, so scrubbing user input is important in this case. In the past I have used something like this to sanitize user input from things like injection that would send spam through the form:

// Adds slashes and removes HTML tags from text that we accept from the end user.
function clean_data( $Str )
{
    $Str = strip_tags( $Str );
    $Str = addslashes( $Str );
    return $Str;
}

// defang_urlencoding stops people from doing things like injecting URL-encoded line breaks
// into a variable that normally would get set in the SMTP header.  It also removes line
// breaks.  Line breaks should never be allowed in the SMTP header.
function defang_urlencoding( $str )
{
    // URL-decode first so that %0D / %0A become literal CR / LF, then strip them.
    $remove = array( "\r", "\n" );
    $str = str_replace( $remove, "", urldecode( $str ) );

    // With the string URL-decoded and the new lines removed, we now hand it off to the
    // clean_data function.
    return clean_data( $str );
}

With that on top of the very good job PHPMailer does of protecting what goes where in the message, I can keep the form pretty sane. I am probably going to reuse these simple functions; however, since I am relatively new to module development, I thought I would ask whether I am basically recreating functionality that already exists in Drupal.

Thoughts and opinions? The code above is specifically to help work around the fact that PHP's mail() function is really bad at preventing injected strings from altering the To: or Cc: of the final mail message. If someone wanted to see some examples I can post them, but I assume most people can get the concept.

I should add that part of

TheGorf - May 27, 2008 - 22:53

I should add that part of the reasoning behind this is that the form collects the user's email address and a small message that goes into the mail body. This of course is where the injection occurs if left unchecked.
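The header injection the two posts above describe, worked through as an added example; this is not code from the original thread, from Drupal, or from PHPMailer. The naive header builder, the header parser used to inspect the result, the attacker strings and the 2000-byte body cap are all constructed for illustration. It shows what a CR/LF inside a user-supplied address does when that value is concatenated into the headers string a form handler would pass to mail(), and a validator that rejects such values outright instead of stripping characters out of them. Nothing here actually calls mail(), so it can be run offline.

```php
<?php
// Added example, not code from the original post or from Drupal/PHPMailer.
// (1) A CR/LF in a user-supplied address becomes an extra Bcc: header when the
//     value is concatenated into the additional_headers string for mail().
// (2) A reject-don't-repair validator for each field of such a form.

// How a naive form handler builds the additional_headers string for mail().
// (Hypothetical handler, constructed for the example.)
function build_headers_naive(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

// Split a header block into name => [values] for inspection. Header folding is
// not handled; that is enough to see which header names ended up in the block.
function parse_header_block(string $block): array
{
    $out = [];
    foreach (preg_split('/\r\n|\n/', rtrim($block)) as $line) {
        if (!preg_match('/^([A-Za-z0-9-]+):\s*(.*)$/', $line, $m)) {
            continue;
        }
        $out[strtolower($m[1])][] = $m[2];
    }
    return $out;
}

// A value destined for a single header line must contain no CR, LF or NUL.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Validate an address: accept exactly one address or nothing. filter_var()
// refuses whitespace and control characters, so "\r\nBcc: ..." appended to an
// address, or a second address after a space, is rejected rather than stripped.
// Returns null on failure; the caller should refuse to send, not "fix" the value.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if (!is_single_line($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Free-text body: line breaks are legitimate here, so only NUL is removed and a
// size cap (assumed site policy, 2000 bytes) is enforced. The body must only ever
// be passed as mail()'s message argument, never concatenated into the headers.
function clean_body(string $value, int $max = 2000): ?string
{
    $value = str_replace("\0", '', $value);
    return strlen($value) <= $max ? $value : null;
}

// Constructed attacker input: a plausible address followed by an injected
// header, once raw and once URL-encoded. The encoded form only matters if the
// value reaches the script still encoded, which is what the post's urldecode()
// step is guarding against; PHP already decodes $_POST values once.
$attackRaw     = "victim@example.com\r\nBcc: spam-target@example.net";
$attackEncoded = "victim@example.com%0D%0ABcc:%20spam-target@example.net";

$naive = parse_header_block(build_headers_naive($attackRaw));
echo "naive handler produced headers: " . implode(', ', array_keys($naive)) . "\n";

foreach ([$attackRaw, urldecode($attackEncoded), 'user+tag@example.com'] as $candidate) {
    $result = clean_email($candidate);
    echo json_encode($candidate) . ' => ' . ($result === null ? 'REJECTED' : $result) . "\n";
}
```

Two things worth noting when comparing this with the strip-and-continue approach in the first post. Rejecting a value that contains a line break (instead of removing the break and sending anyway) means an attacker gets nothing out of the attempt and the failed submission can be logged. And urldecode() also turns a literal '+' into a space, so an address such as user+tag@example.com would be mangled by an extra decoding pass; validating the already-decoded $_POST value with filter_var() avoids that.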

anyone?

TheGorf - May 28, 2008 - 18:42

anyone?

Anyone?

TheGorf - June 5, 2008 - 22:12

Anyone?
