when does malicious code activate?

happyme

I'm taking the input from a form and using it to send a message to me by email

I realise this gives users the opportunity to sneak scripts etc in, so I want to strip out all tags, using strip_tags

The problem is, I'm not sure when to use it. My code appears to work, but then I'm not entering malicious tags, so I don't know how safe it is.

The 'send to' email address comes from the form as a hidden variable which gets renamed and stripped of tags, and the body is created like this:

// fill email body with all data returned from the form
while( list($k, $v) = each($HTTP_POST_VARS) )
{

//create message from post data, stripping tags 
//and  missing out the submit bit

$safeV = strip_tags($v);

if ($k!="submit"){$msg .= '<p>$k: $safeV</p>';}

}

Will this protect me?

Julia

happyme

typo in script, but my question still stands -

if ($k!="submit"){$msg .= "<p> $k: $safeV </p>";}

oops!

Julia

Norman_Graham

Hi Julia

If the string you want to clean up is going into an e-mail, it might contain a URL that you want to see, or perhaps something else that you might not want to destroy.

The PHP function for making scripts inoperable is htmlspecialchars(), which escapes HTML tagging (and would therefore also kill JS) without removing the content. Try it in an HTML form with, say, a comments field. If some joker puts in an objectionable anchor, e.g. <a href="http://www.videonasties.com">Check this out!</a>, the anchor will appear as plain text and will not be clickable, but you can still see what the miscreant was up to.

HTH

Norm