How Carefully Do I Need To Filter Form Data Being Sent To An Email Address?

[HartleySan]

I have a form whose data is sent to an email address via the PHP mail() function. Obviously, when data is going into a database, the data needs to be carefully filtered using regexes, mysqli_real_escape_string, etc., but for data being sent to an email address, none of that seems essential.

 

If anything, a decent spam filter that stops bots seems sufficient. And to that end, does anyone have any good advice on how to handle potential bots, etc.?

 

Anyway, my main question is this: To what level should I be filtering form data being sent to an email address?

 

Thank you.

[Jonathon]

I would think that as long as you stop the potential to abuse bcc,cc ect you should be fine. Basically the scrubber in Larry's book. It would be hard to do anything else regarding the actual input in my opinion.

[HartleySan]

He has an email scrubber function in the PHP 6 & MySQL 5 book? I didn't even know. Thanks.

[Jonathon]

Yeah, I use it all the time.

[Lou]

Can't you just put a regular expression in a variable and check each input for that?

 

$naughty = '/Content-Type:|Bcc:|Cc:/i';
//when checking user input
if (preg_match($naughty, $user_input)){
error['input_name'] = 'Naughty...';
} else {
$input = true;
}

[HartleySan]

Certainly, a regex would work here. Good call, Lou. And I just looked at Larry's scrubber function last night, and it's essentially what you suggested, Lou, in non-regex form.