PHP form writing to database (PDO) then sends data as email

ukphp

Hi all,

I've got a form which accepts user input. That data is then written to a MySQL database using a PDO prepared statement and then the same data is sent in an email to 1 specific email address.

My question is do I need to sanitize the data still even though it's going through a PDO prepared statement?

Does user inputted data need to be sanitized for sending via email?

Currently I'm running user inputted data through the function FILTER_SANITIZE_STRING however when the person receives the email it has the ASCII value instead of quotation marks for example. Therefore, do I need to just run everything through htmlspecialchars_decode and stripcslashes just for sending the email after the data has been inserted into the database?

bradgrafelman

ukphp;11032661 wrote:
My question is do I need to sanitize the data still even though it's going through a PDO prepared statement?

No, because using prepared statements with bound parameters allows the SQL driver to take care of doing the necessary escaping. Now, if you're throwing user-supplied data directly into the prepared statement without binding them to parameters instead, that would be a different story.

ukphp;11032661 wrote:
Does user inputted data need to be sanitized for sending via email?

Perhaps. Are you sending an HTML message and, if so, do you want to allow the user to inject whatever HTML markup (s)he desires? Are you using any user-supplied data in the header of the e-mail?

ukphp;11032661 wrote:
Currently I'm running user inputted data through the function FILTER_SANITIZE_STRING

Why? What led you to decide that filter was best for... whatever it is you're protecting against? (Speaking of that... for what purpose are you sanitizing the data using that filter?)

ukphp;11032661 wrote:
however when the person receives the email it has the ASCII value instead of quotation marks for example.

In other words, the FILTER_SANITIZE_STRING filter did its job.

ukphp;11032661 wrote:
Therefore, do I need to just run everything through htmlspecialchars_decode and stripcslashes just for sending the email after the data has been inserted into the database?

You should never need to be stripping any slashes. As for the HTML entities issue, you can either: 1) send the message as an HTML formatted message, allowing the user's e-mail client to decode the HTML entities, or 2) stop converting the characters into HTML entities in the first place (in other words, stop using FILTER_SANITIZIE_STRING and instead do something more appropriate).

ukphp

Hi bradgrafelman,

Thank you very much for the advise 🙂

I see, so it sounds like where I'm going wrong it using FILTER_SANITIZE_STRING. Probably best I show the code I have just to ensure that I'm correctly doing it. Please see bits of my code below.

Prepared statement

$stmt = $dbc->prepare("INSERT INTO my_form(name, email, url, comment) VALUES (:name, :email, :url, :comment)");

$insert = array(
	':name' 		=> $name,
	':email' 		=> $email,
	':url'			=> $url,
	':comment'	=> $comment
);

$stmt->execute($insert);

Email which is sending HTML.
Only user inputted field which is in the header is $email. Guessing that should be ran through FILTER_SANITIZE_EMAIL ? Mainly just want to allow sing and double quotes and block out anything harmful such as any JavaScript they're trying to put into links etc.

$to = 'me@myemail.com';
$message = '
<html>
	<body>
		<p><strong>Name</strong><br />'. $name .'</p>
		<p><strong>Email address</strong><br />'. $email .'</p>
		<p><strong>Web address</strong><br />'. $url .'</p>
		<p><strong>Comments</strong><br />'. $comment .'</p>

<body>
</html>
';

$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'From: My Form <myform@myemail.com>' . "\r\n";
$headers .= 'Reply-To: '.$email. "\r\n" ;
$headers .= 'X-Mailer: PHP/' . phpversion();

$mail_sent = mail( $to, $subject, $message, $headers );