If I had to replace it, I’d preg_replace on ~[^\w\s]~ with an empty string. It’s not perfect, because it will exclude characters from outside the Latin range. If you anticipate getting a lot of non-Latin (read: not a-z) characters in your names, you’d have to do more targeted removal.
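As an added example (not code from the post above), this shows what the ~[^\w\s]~ replacement keeps and drops, and how the non-Latin caveat plays out: without the u modifier, \w only matches ASCII word characters, so accented letters are stripped byte by byte; with u, PHP compiles the pattern in UTF-8 mode with Unicode properties and they survive. The names are constructed, and the function names are this example's own.

```php
<?php
// Added example, not the poster's code. Constructed names below.

function stripPunctuationAscii(string $name): string
{
    // Without /u, \w is [A-Za-z0-9_]. Every byte of a multibyte character
    // such as "é" is "not \w" and gets removed.
    return preg_replace('~[^\w\s]~', '', $name);
}

function stripPunctuationUnicode(string $name): string
{
    // With /u the subject is treated as UTF-8 and \w also matches letters
    // like é, Ñ, ß. preg_replace() returns null if the input is not valid
    // UTF-8, so fall back to the ASCII variant in that case.
    $out = preg_replace('~[^\w\s]~u', '', $name);
    return $out ?? stripPunctuationAscii($name);
}

$names = [
    "Jane O'Brien",                    // apostrophe is dropped either way
    "José Ñandú",                      // accented letters survive only with /u
    "<script>alert(1)</script> Doe",   // brackets and parens go, letters stay
    "\xC3 broken utf-8",               // invalid UTF-8: /u variant falls back
];

foreach ($names as $n) {
    printf("%-32s | %-22s | %s\n", $n, stripPunctuationAscii($n), stripPunctuationUnicode($n));
}
// "José Ñandú" becomes "Jos and" without /u and stays "José Ñandú" with it;
// "<script>alert(1)</script> Doe" becomes "scriptalert1script Doe" in both cases.
```

Note that even the u variant still removes apostrophes and hyphens (O'Brien, Smith-Jones), which is the "more targeted removal" the post refers to: a character class for names has to be written deliberately rather than borrowed from \w.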
I was doing some reading around the deprecation and what to use instead. I understood the general advice to be don’t worry so much about sanitizing what you store in the db, rather worry about escaping it properly whenever you use it in a browser (mail client) context. Would you agree with that?
If so, would a function like htmlspecialchars() not be better? If I’m understanding things correctly, this would render <script> as &lt;script&gt; in the markup (defeating XSS), but would still mean that the email previewed correctly, if somebody really needed to include < or > in their mail.
I’ll stop after this message, as I don’t want to hijack the OP’s thread.
My caution is more in the realm of “I don’t know what an XSS attack looks like in an email”, or I suppose more to the point “I don’t know the behavior of mail clients when receiving HTML entities”.
Rendering <script> as &lt;script&gt; might work… unless your mail client tries to be clever and translates HTML entities back into their markup form…? I’m not sure how well strip_tags handles “errant” <'s or >'s, for that matter, but if your name has a < or > in it… I’ve got more questions for you.
Oh, apologies, that should have been FILTER_SANITIZE_NUMBER_INT.
If your server is set to Fatal on Deprecation, you’ll need to replace the Name filter with something else (strip_tags($_POST['Name']) or htmlspecialchars($_POST['Name']) or something equivalent).
You’d have to add it to the body, the same as with the other values. I would probably filter it the same as Name, and just tell people not to put HTML into your form.
I did that per your suggestion. The text area field now shows in the email but not the text inside. I’m sure I have screwed it up somewhere but can’t figure out where.
Here’s the script as it is now:
<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

require 'PHPMailer/src/Exception.php';
require 'PHPMailer/src/PHPMailer.php';

// Filter the submitted values, falling back to a placeholder when the filter
// rejects the input. `?:` keeps the filtered string; `||` would only store
// true/false.
$email    = filter_var($_POST['E-mail'], FILTER_SANITIZE_EMAIL) ?: "not-a-valid-email@not-a-real-email.com";
$name     = filter_var($_POST['Name'], FILTER_SANITIZE_STRING) ?: "Bad Name";
$phone    = filter_var($_POST['Phone'], FILTER_SANITIZE_NUMBER_INT) ?: "Bad Phone";
$textarea = filter_var($_POST['Textarea'], FILTER_SANITIZE_STRING) ?: "Please provide your info";

$mail = new PHPMailer(true);
try {
    $mail->setFrom('bm@bmrealty.com', 'Form Mail Handler');
    $mail->addAddress('bm@bmrealty.com');
    $mail->addAddress('em@icom-design.com');
    $mail->addReplyTo($_POST['E-mail'], 'Information');
    $mail->isHTML(true); // Set email format to HTML
    $mail->Subject = 'BMREALTY Website Inquiry';
    // Message body, built from the raw $_POST values
    $mail->Body = '<ul>
    <li>Name:'.$_POST['Name']."</li>
    <li>Phone: ".$_POST['Phone']."</li>
    <li>Email: ".$_POST['E-mail']."</li>
    <li>Additional Information: ".$_POST['Additional Information']."</li>
    </ul>";
    $mail->AltBody = "Name: ".$_POST['Name']." | Phone: ".$_POST['Phone']." | Email: ".$_POST['E-mail'];
    $mail->send();
    echo 'Thank you for your message. Brigitte will respond as soon as possible.';
} catch (Exception $e) {
    echo "Message could not be sent. Mailer Error: {$mail->ErrorInfo}";
}
?>
So if I set a variable: $x = 2;
When I want to use that variable, I put $x in my code, and it will use the value 2.
If I call a function that returns a value, and store that value: $y = strlen("Hello");
$y will hold (in this case) the length of the string “Hello”, or 5. And again, if I want to USE that value, I use $y.
Our security line calls the function filter_var(), and stores the transformed result in variables named $name, $email, etc.
Currently, your email body calls the UNtransformed (“raw”) values:
<li>Name:'.$_POST['Name']."</li>
^This bit.
Filtering the data is only helpful if you use the filtered data, not the raw data. The raw data is in $_POST, our filtered data is in $name, $email, etc.
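Putting the two points from this thread together, here is an added example (not the poster's script and not the reply's code): the body is built from the filtered variables, not from $_POST, and each value is escaped with htmlspecialchars() at the point it is placed into HTML, which is the "escape when you output, don't rely on what you stored" approach discussed earlier. The $post array is a constructed submission standing in for $_POST, the function names h() and buildBodies() are this example's own, and no mail is sent, so it runs without PHPMailer; the returned strings are what you would assign to $mail->Body, $mail->AltBody and echo after send().

```php
<?php
// Added example, not the original script. $post is a constructed submission.
$post = [
    'E-mail'   => 'jane@example.com',
    'Name'     => "Jane <script>alert(1)</script> O'Brien",
    'Phone'    => '+1 (555) 010-0199',
    'Textarea' => "Interested in the 2-bed unit & parking.\n<b>Call me</b>",
];

// Escape one value for an HTML context: < > & " ' become entities, so a
// mail client (or browser) displays the text instead of parsing it as markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Filter at input (with ?: so the fallback is a string, not true/false),
// then build every output from $name/$phone/$email/$textarea only.
function buildBodies(array $post): array
{
    $email    = filter_var($post['E-mail'] ?? '', FILTER_SANITIZE_EMAIL) ?: 'not-a-valid-email@not-a-real-email.com';
    $name     = trim($post['Name'] ?? '') ?: 'Bad Name';
    $phone    = filter_var($post['Phone'] ?? '', FILTER_SANITIZE_NUMBER_INT) ?: 'Bad Phone';
    $textarea = trim($post['Textarea'] ?? '') ?: 'Please provide your info';

    // HTML part: escape each value as it goes into the markup
    $html = '<ul>'
        . '<li>Name: ' . h($name) . '</li>'
        . '<li>Phone: ' . h($phone) . '</li>'
        . '<li>Email: ' . h($email) . '</li>'
        . '<li>Additional Information: ' . nl2br(h($textarea)) . '</li>'
        . '</ul>';

    // Plain-text alternative: no markup here, so no HTML escaping
    $text = "Name: $name | Phone: $phone | Email: $email\n"
          . "Additional Information: $textarea";

    // Confirmation shown to the submitter in the browser: HTML context again
    $greeting = 'Dear ' . h($name) . ',<br>Thank you for your message.'
              . '<br>I will respond as soon as possible.';

    return ['Body' => $html, 'AltBody' => $text, 'Greeting' => $greeting];
}

$out = buildBodies($post);
echo $out['Body'], "\n\n", $out['AltBody'], "\n\n", $out['Greeting'], "\n";
// The HTML part contains "Jane &lt;script&gt;alert(1)&lt;/script&gt; O&#039;Brien";
// the text part still contains the literal <script> tag, which is fine there
// because a text/plain part is never rendered as HTML.
```

Two things worth noticing when you run it: FILTER_SANITIZE_NUMBER_INT reduces "+1 (555) 010-0199" to "+1555010-0199", so it is a cleanup, not a phone-number validation; and the plain-text AltBody deliberately keeps the raw (trimmed) values, because escaping is chosen per output context rather than applied once up front.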
m_hutley
I do have another question: I am trying to incorporate the name of the inquirer in the echo, like this:
$mail->send();
echo 'Dear ".$_POST['Name'].",
<br>Thank you for your message.
<br>I will respond as soon as possible.';
but it does not work. What did I do wrong?
What does “it does not work” mean? Did you get an error message? What happened that should not have done, or didn’t happen that should have?
I expect the issue is that you’ve used different quote marks around the variable than you have around the main string, but if you could be more specific in telling us what the problem is, it would make things easier all round.