What validation rules and/or regex would you use for validation of a text field in a contact form, used in the body of an email?
I've used the function below but it's a bit too restrictive (not allowing strange characters like umlaut etc).
Hi, thanks for your reply. Reading your answer I realize my subject title was not very clear. What I mean is that it's about a normal text field ("your message") in which all normal text characters should be allowed. The data of that text field is being used as the body of an email sent after successfully filling in the contact form.
I could of course limit the validation to only the length of the message (say 5 - 1000 characters), but I wondered if there's other validation I should do.
I wouldn't validate each and every character. You would have to use a huge character class in order not to block valid messages. Just check the length and if you are using the php mail() function watch out for a header injection.
GeertDD wrote:I wouldn't validate each and every character. You would have to use a huge character class in order not to block valid messages. Just check the length and if you are using the php mail() function watch out for a header injection.
Ok, thanks. I might just keep it at a length check then. The text from the message field is used in the body of the mail (using the mail() function) so no email header injection there as far as I know.
Really, an eMail is just a bunch of text, where the headers are a few lines at the top of the mail that give it special information. If you put the right context in an eMail, especially if it's a text eMail, you can fool an eMail client into doing something other than what the form was intended for.
You guys have to show some concrete examples. I've dealt with the whole email injection issue some time ago so am aware of the problem. The securephp wiki had a good page about it, showing possible ways of injection. Unfortunately that page is down at the moment.
Can you guys show some code in which the body of the mail() function is exploited? And what regex/validation rule would you use then? Many of the filters that are shown to prevent the injection search for newlines. But in a text field used for the body of the mail function you don't want to strip or disallow newlines. I mean, if you would do that you would't be able format a normal email message using multiple paragraphs.