Form Field Check / Escape Characters

ratlhead

Hey all,

I've provided a form for a client of the company I work for that basically emails the form data to an email address. Only a couple of the many fields are required...nothing too fancy.

However, the sys admin has made the following request:

"All fields, not just the required fields, need validation for syntax, shell escape characters and string length. This is a security issue."

On no site have I ever had to deal with this being a "security issuue"... I mean, is having escape characters in a form field really a big deal? Or having an empty form field? At most, they get put into a variable that's then sent in an email.

If I need to check for escape characters, what's the best way to approach doing so? Thanks y'all!

-Mike

scoppc

Take a look at .this

ratlhead

Originally posted by scoppc
Take a look at .this

Hey scoppc, thanks for the help. Question though... That user is putting stuff into a database, so I can see why this may be a concern. However, is this really necessary for a plain text email that's being sent out. Do I really need to be concerned about the form being hacked in some way?

scoppc

I personally will try to secure anything I can. I am just someone who prefer to "play safe".
Anyway, unless you are using exec(), I dont think you need to check for shell escape characters Am I right?

Syntax like HTML tags? umm... this should be filtered out if you want to have a plain-text email send to you.

Length is critical for me since I dont wanna receive 10000000 words that say "asdfasdfasd" 🙂

Weedpacket

Originally posted by scoppc
Syntax like HTML tags? umm... this should be filtered out if you want to have a plain-text email send to you.

Tags like <script>...</script>? What would happen if someone typed a Javascript program in and it got inserted into an HTML email without being properly checked or escaped?
Another case of insufficient paranoia.

scoppc

Weedpacket pointed out something real important. In fact, I did use strip_tags() to "wash" all the input.. 🙂
Just expect the unexpected.

ratlhead

Thanks for all the responses guys...

I still don't see the point in filtering out alot of this stuff for a plain text email. I can't think a plain text email with some bad stuff in it would be that easy to create through an unprotected form that goes and does something bad to someone's computer.

With the examples of the database stuff and even an html email, I can see where this stuff would be a concern. But can anyone give a good reason to be concerned with a plain text email?