PHPMailer safe practices - Send escaped / sanitized variables or not ?

Posted by FreekOne on Stack Overflow See other posts from Stack Overflow or by FreekOne
Published on 2010-03-28T03:40:39Z Indexed on 2010/03/28 3:43 UTC
Read the original article Hit count: 412

Filed under:

phpmailer

|

escaping

|

variables

I'm using the PHPMailer-Lite class to build an email sending script and I'm not sure if I should use addslashses() on the $name variable when adding it to the constructor.

If somebody's last name would be O'Riley (or any other name that contains characters which should normally be sanitized before handling) and I would send it unescaped, wouldn't it mess with the script/email sending ? Is it safe to send it unescaped ? As a side note, I would also like to avoid having my message body say "Hello, O\'Riley".

Looking at the source, I saw that it only trims the whitespace and line ending (\r\n) characters from the received $name variable, so any advice on this would be more than welcome.

Thank you all in advance !

© Stack Overflow or respective owner

Related posts about phpmailer

PHPMailer erroring out with Call to undefined method PHPMailer::SetFrom()

as seen on Stack Overflow - Search for 'Stack Overflow'
Hay I'm using PHPMailer to send some simple emails, however the function SetFrom() doesn't seem to work, even though the code I'm using is straight from phpmails docs (http://phpmailer.worxware.com/index.php?pg=examplebmail) Here my error Call to undefined method PHPMailer::SetFrom() and my script require_once('inc/phpmailer/class… >>> More
Should I use php mail function or phpmailer?

as seen on Stack Overflow - Search for 'Stack Overflow'
Well, so far, I have been using php built in function, mail(), and I have no problems with it, even I sent a blast to 1000+ users. But then, lately I found this phpmailer, which is specially design to send email. Q1: Should I change to this phpmailer? Q2: What are the advantages of using phpmailer… >>> More
phpmailer with hotmail?

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to send emails from my server by a PHP script. I used to send it by a native php function mail and everything worked OK. Here's the code I used: $to = $sMail;<br> $subject = $sSubject;<br> $message = $sMessage; $headers = 'From: [email protected]' . "\r\n";<br> $headers… >>> More
Unable to send mail through Google SMTP with PHPMailer

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, I'm trying to send out mail using Google's SMTP in combination with PHPMailer, but I can't get it to work. This is my code: $mail->IsSMTP(); $mail->Host = "smtp.gmail.com"; $mail->SMTPAuth = true; $mail->SMTPSecure = "ssl"; $mail->Username = "[email protected]"; $mail->Password… >>> More
Mail not being sent when using phpmailer

as seen on Stack Overflow - Search for 'Stack Overflow'
I am using the following code to send mail to a smtp server . <?php // example on using PHPMailer with GMAIL include("PHPMailer/class.phpmailer.php"); include("PHPMailer/class.smtp.php"); // note, this is optional - gets called from main class if not already loaded $mail = new PHPMailer(); $mail->IsSMTP(); $mail->SMTPAuth… >>> More

Related posts about escaping

XSLT disable output escaping when disable-output-escaping is not supported

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi folks, Since disable-output-escaping doesn't work on firefox (and isn't going to), whats the next best way of including raw markup in the output of an XSTL transform? (Background: I've got raw HTML in a database that I want to wrap in XML to send to a browser to render. I've got control of… >>> More
Escaping Generics with T4 Templates

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
I've been doing some work with T4 templates lately and ran into an issue which I couldn't find an answer to anywhere. I finally figured it out, so I thought I'd share the solution. I was trying to generate a code class with a T4 template which used generics The end result a method like: public… >>> More
How to escape or remove double quotes in rsyslog template

as seen on Server Fault - Search for 'Server Fault'
I want rsyslog to write log messages in JSON format, which requires to use double-quotes (") around strings. Problem is that values sometime include double-quotes themselves, and those need to be escaped - but I can't figure out how to do that. Currently my rsyslog.conf contains this format that… >>> More
Searching for literal "> \" using ack-grep

as seen on Server Fault - Search for 'Server Fault'
I am looking for lines that literally have a greater than character (a "") followed by a space followed by a backslash character (a "\") i.e., a line with this: \ I thought escaping would allow this, and for the greater-than it does: $ ack-grep " " returns lines that have " " in them. But… >>> More
Escaping equal sign in properties files

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi guys, How do i escape the equals ('=') sign in java properties file? i would like to put something like table.whereclause=where id=100 . thanks. Josh >>> More