If the data submitted as the text message content is never handled in a way that causes some process to "interpret" it, then taint checking is a moot point. So, you can insert the content into a database field, if the SQL insert is done like this:
# $dbh is an already-connected DBI handle; the "?" placeholders are bound at execute time
my $sth = $dbh->prepare("insert into my_table (mail_text,sender,recip) values (?,?,?)");
$sth->execute( $message_text, $from, $to );
(updated the snippet so it makes a little more sense)
That's the easy way of avoiding an "SQL injection attack" -- the use of the "?" placeholder will cause DBI to pass the text content to the database safely without further ado.
As for actually sending the email, there's Mail::Send and others that implement the sending of mail as a matter of printing the text to a file handle, avoiding any possibility that your mail server might misinterpret the text as executable commands or whatever. (Update: I've never used Net::SMTP... it looks pretty low-level, and you might need to watch for things like lines of text that start with "From " -- I don't know.)
As for what might happen to the email recipient, that's another matter... Maybe you're just dealing with "trusted" users who won't be doing stupid or hazardous things like pasting in arbitrary binary data, viral attachments, etc. If it's suitable to your app, you might consider among choices like: allow only ASCII, or only utf8, maybe disallow things that look like embedded MIME headers... I don't actually know what all would be prudent/appropriate in this regard.
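As an added illustration of the placeholder point made in the reply above (this is my example, not code from the poster or from DBI), here is the same insert done both ways against an in-memory SQLite table with the same three columns as my_table. Python's sqlite3 module is used because its "?" placeholders are bound by the driver exactly as DBI's are; the message text, addresses and the tautology payload are constructed sample data, not from the original thread.

```python
import sqlite3

# Constructed sample input (not from the original post): a message containing
# a single quote, two made-up addresses, and a classic tautology payload.
MESSAGE_TEXT = "Don't forget the meeting"
FROM_ADDR = "alice@example.com"
TO_ADDR = "bob@example.com"
PAYLOAD_RECIP = "nobody@example.com' OR '1'='1"


def fresh_db():
    """In-memory database with the same columns as my_table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (mail_text TEXT, sender TEXT, recip TEXT)")
    return conn


def insert_interpolated(conn, message_text, sender, recip):
    """Unsafe: the SQL is built by string formatting, so a quote inside the
    data is parsed as part of the statement."""
    sql = (
        "INSERT INTO my_table (mail_text, sender, recip) "
        "VALUES ('%s', '%s', '%s')" % (message_text, sender, recip)
    )
    conn.execute(sql)
    conn.commit()


def insert_with_placeholders(conn, message_text, sender, recip):
    """Safe: the driver ships the values separately from the statement text,
    so the message body is stored verbatim and never interpreted as SQL."""
    conn.execute(
        "INSERT INTO my_table (mail_text, sender, recip) VALUES (?, ?, ?)",
        (message_text, sender, recip),
    )
    conn.commit()


def count_for_recip_interpolated(conn, recip):
    """Unsafe lookup: a payload with OR '1'='1 matches every row."""
    sql = "SELECT COUNT(*) FROM my_table WHERE recip = '%s'" % recip
    return conn.execute(sql).fetchone()[0]


def count_for_recip_placeholder(conn, recip):
    """Safe lookup: the payload is compared as a literal string."""
    return conn.execute(
        "SELECT COUNT(*) FROM my_table WHERE recip = ?", (recip,)
    ).fetchone()[0]


def demo():
    """Run both variants and report what each one did."""
    conn = fresh_db()
    results = {}
    try:
        insert_interpolated(conn, MESSAGE_TEXT, FROM_ADDR, TO_ADDR)
        results["interpolated_insert"] = "ok"
    except sqlite3.OperationalError as e:
        # The apostrophe in "Don't" terminates the string literal early.
        results["interpolated_insert"] = "error: %s" % e
    insert_with_placeholders(conn, MESSAGE_TEXT, FROM_ADDR, TO_ADDR)
    results["stored_text"] = conn.execute("SELECT mail_text FROM my_table").fetchone()[0]
    results["interpolated_lookup"] = count_for_recip_interpolated(conn, PAYLOAD_RECIP)
    results["placeholder_lookup"] = count_for_recip_placeholder(conn, PAYLOAD_RECIP)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The interpolated insert fails on the apostrophe before any attacker gets involved, the placeholder insert stores the text exactly as submitted, and the tautology payload matches the whole table in the interpolated lookup but matches nothing when bound as a parameter.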