在mail（）中使用的转义字符串 [英] Escape string to use in mail()

问题描述

当您使用mysql时，您可以使用 mysqli_real_escape_string（），并检查接收到的输入类型是否是您期望的类型（字符串，数字等），您可以很确定你可以使用 mysqli_query（）中的输入安全地...对吗？

Sure thing, when using mysql you use mysqli_real_escape_string() and check that the type of input received is the kind you expect (string, number, etc) and you can be pretty sure you can use the input in an mysqli_query() quite securely... right?

嗯，问题是：

• 什么是最好的方式来转义一个字符串，它将在邮件中使用（）？


• 如果电子邮件收件人将是在文本框中输入的电子邮件地址，我应该小心避免注射或漏洞？ li>
  

• What is the best way to escape a string that it's going to be used in an mail()?
• If the email recipient will be the email address entered in a text fiel, what things I should be careful to avoid injections or exploits?

我有一个很好的主意，如何做到这一点，但我正在深入了解这个问题的最佳实践，知道我是否缺少一些东西或者有一个更好的方法。

I have a pretty good idea how to do this but I'm digging into best practices on this subject to know if I'm missing something or there's a better way.

编辑：这个问题的想法是没有答案，而是做一个全面的使用php进行电子邮件时所有需要处理的事情的协作列表。感谢大家帮助到目前为止。

The idea of this question is not to have THE answer but to make a comprehensive collaborative list of all the things to take care of when doing email with php. Thanks everyone with the help so far.

推荐答案

电子邮件注入背后的想法是攻击者在线电子邮件标题，所以他添加了他想要的标题。剥离这些换行将保护您免受此次攻击。有关详细信息，请查看 http://www.phpsecure.info/v2/article/ MailHeadersInject.en.php

The idea behind email-injection is that attacker inject line feed (LF) in the email headers and so he adds as many headers as he wants. Stripping those line feeds will protect you from this attack. For detailed info check http://www.phpsecure.info/v2/article/MailHeadersInject.en.php

最佳做法是依靠一个写得很好，经常更新和广泛使用的代码。为此，我建议使用 PEAR_MAIL 或 Zend_Mail

The best practice is to rely on a well-written, frequently updated and widely-used code. For that I would suggest using PEAR_MAIL OR Zend_Mail

如果您不想加载这些模块，或者您需要保持事情非常简单。您可以从这些模块中提取过滤功能。虽然我建议使用它们，并经常更新库，以便如果将来出现新的攻击，您将只需要更新您的库（Pear或Zend）并完成。

If you don't want to load those modules or you need to keep things very simple. You can extract the filtering functionality from those modules. Although I do recommend to use them and frequently update the library so that if new attack appears in future you will just need to update your library (Pear or Zend) and you are done.

这是在Pear Mail软件包中清理标题的功能：

This is the function that sanitize headers in Pear Mail package:

function _sanitizeHeaders(&$headers)
{
    foreach ($headers as $key => $value) {
        $headers[$key] =
            preg_replace('=((<CR>|<LF>|0x0A/%0A|0x0D/%0D|\\n|\\r)\S).*=i',
                         null, $value);
    }
}

Zend_Mail对电子邮件，名称和其他字段使用不同的过滤器：

Zend_Mail uses different filter for email,name and other fields:

function _filterEmail($email)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  '"'  => '',
                  ','  => '',
                  '<'  => '',
                  '>'  => '',
    );

    return strtr($email, $rule);
}

function _filterName($name)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
                  '"'  => "'",
                  '<'  => '[',
                  '>'  => ']',
    );

    return trim(strtr($name, $rule));
}

function _filterOther($data)
{
    $rule = array("\r" => '',
                  "\n" => '',
                  "\t" => '',
    );

    return strtr($data, $rule);
}

这篇关于在mail（）中使用的转义字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！