[RESOLVED] email protection

robkir

I've been reading trying to get a handle on how best to protect my database from malicious idiots who want to send poisoned email addresses. I am somewhat concerned that I just haven't read the right articles.

Is this code enough to protect the database?

   if($_POST['coachEmail_ud'])
    {
    $transfer= protect($_POST['coachEmail_ud']); // load email from input    

     if(!filter_var($transfer, FILTER_VALIDATE_EMAIL)) 
      { 
      $error['coachEmail_ud']="$alert Recheck email";

  } 
  else  { 
          $coachEmail = $transfer;
        }

   }

The function 'protect' offers the following:

function protect($string){
    $string = mysql_real_escape_string($string);

return $string;
}

I'd appreciate any advice you may have.

dagon

you should run mysql_real_escape_string() after, not before you check that its a valid email.

Pikachu2000

What do you mean by 'poisoned' email addresses? What are you doing with them, using them to send reply emails, or placing them in a database, or . . . other? The way you intend to use the data should dictate the steps you take to sanitize it.

robkir

dagon;10965341 wrote:
you should run mysql_real_escape_string() after, not before you check that its a valid email.

Thanks Dagon. I can do that. I assume you also feel that my method of handling email is "security sufficient"?

Thanks

robkir

In this particular instance, Pikachu, the user enters their email into a form, which is then available to administrators to contact individuals. The concern is somebody sneaks in some nasty code into the database via the email input field. I guess my problem is that I don't really understand what kind of attacks one can expect, nor was I able to find a definitive tutorial that clearly explained how to protect oneself. Sure, there are lots of code examples, but nothing jumped out at me.

bradgrafelman

If it's strictly SQL injection attacks you're worried about, then using something like [man]mysql_real_escape_string/man (for string inputs) is sufficient. Anything beyond that has nothing to do with the DB and more to do with verifying that the actual data itself is valid (e.g. the string actually looks like a valid e-mail address).

Pikachu2000

OK, for insert into a database, you should be good to go. As Dagon said, run it through mysql_real_escape_string() last, after validation, etc.

robkir

Hi bradgrafelman,

I do check all incoming data with mysql_real_escape_string.

Thanks for the input.

robkir

Thanks Pikachu--that's one less thing to worry about.