The article on http://www.anders.com/cms/75 has no less than 438 comments at the moment. I have seen many possible solutions, many using regexp to check for newlines. For example:
$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);
From http://builder.com.com/5100-6371_14-5899580.html
I was thinking: for email injection, newlines are necessary. So can't we use ctype_print to check if an email injection attempt is made?
The presence of control characters, such as line feeds or tabs, will cause this function to return false.
I know, filtering is all about using a whitelist approach instead of a blacklist approach, so you will always want to check if received input is of the type and length you want. So using a good regexp (can anyone recommend a good one?) to check the email address is necessary. But besides that, would there be any other issues I overlook with this function ctype_print?
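
Added example, not part of the original post or the linked articles: a PHP check that combines the length limit, ctype_print and an address syntax check, run over constructed inputs to show where ctype_print alone falls short. The function name is_safe_header_email, the 254-byte limit and the sample addresses are assumptions made for illustration.

```php
<?php
// Hypothetical helper (added example): whitelist check for a single
// address that will be placed in a mail header.
function is_safe_header_email($value, int $maxLen = 254): bool
{
    // Strings only: ctype_print() interprets an integer argument as an
    // ASCII code. It also returns false for the empty string.
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        return false;
    }
    // Rejects CR, LF, tab and every other control byte. The result is
    // locale-dependent; in the "C" locale all non-ASCII bytes fail too.
    if (!ctype_print($value)) {
        return false;
    }
    // ctype_print() still accepts spaces, commas and angle brackets, so
    // the address syntax has to be validated separately.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',                   // plain address
    "alice@example.com\r\nX-Injected: 1",  // extra header line
    "alice@example.com\n",                 // trailing newline; a regex
                                           // ending in $ matches this
    'alice@example.com, bob@example.com',  // printable, but two recipients
    '',                                    // empty input
];

foreach ($samples as $s) {
    printf(
        "%-42s ctype_print=%-5s accepted=%s\n",
        json_encode($s),
        var_export(ctype_print($s), true),
        var_export(is_safe_header_email($s), true)
    );
}
```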