I want to use a php script to send emails from a html file on a website. Would this php script be secure enough against hacking and spam?
<?php
$to = "[email protected]";
$subject = "Sent from site";
$email = $_POST['emailFrom'];
$message = $_POST['message'];
$email = filter_var($email , FILTER_SANITIZE_EMAIL);
$message = filter_var($message , FILTER_SANITIZE_EMAIL);
$message = $email . $message;
mail($to, $subject, $message, "From: [email protected]");
?>
FILTER_SANITIZE_EMAIL removes illegal email address characters from a string; this is, therefore not the best option for the contents of an email (however useful it may be for email addresses). Whilst removing HTML special characters is useful when preventing XSS attacks, it is worth noting that there are legitimate reasons to post < and > in messages (i.e. right now). Therefore it is better to convert these characters to their html entities.
I.e.
< would become <
and > would become >
So in order to change html characters to their entities replace:
$message = filter_var($message , FILTER_SANITIZE_EMAIL); with
$message = htmlspecialchars($message);
Other than that it looks good; but remember, in cases where a database is involved database sanitisation should also be added.
