The escaping entirely depends on the context the data is embedded into.

Are you sending HTML mails? Then you have HTML context, and `htmlspecialchars()` must be used.

If you are sending plain text mails, there is no escaping for plain text.

The only threat would be that your mail client has some bug that interprets the plain text as something executable and then acts up when you get some strange names and mail addresses.

But this only applies to the mail's content, not the actual headers.

You are using a custom mail header `From`. Do not use this. `From` is used in spam filters. If I entered my mail address, and you are sending this mail with `From: my@mail`, you are impersonating my own email server. Spam used to use this to hide the real source, and to redirect complaints and error feedback to the unhappy guy behind that mail address. Because of this, today there are mechanisms that will prevent such abuse. So just do not pretend I am sending this mail - YOU do.

If you want to be able to answer me with a click on the reply button, use the `Reply-to` header, but always use `From: dont-answer@YOURWEBSITE.example`.

Additionally, these custom headers are the entry point for bad things. Make sure you are only adding mail addresses. Make sure you do not add any line feed characters. These would make the mailserver think that there is a new header coming up, and this might lead to mail header injection.
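The header handling the answer above recommends, as an added PHP example that is not part of the original post: a fixed `From`, the visitor's address only in `Reply-To`, and every header value checked for CR/LF before it is used. The constant name `SITE_FROM`, its placeholder address and the function names are assumptions.

```php
<?php
// Added example, not code from the original answer. Builds the additional
// headers for mail() so that a user-supplied address can never add a header.

// Placeholder sender address for the site; replace with your own domain.
const SITE_FROM = 'dont-answer@yourwebsite.example';

/**
 * True only if $address is a syntactically valid single mail address that
 * contains no CR, LF or NUL. FILTER_VALIDATE_EMAIL already refuses those
 * characters; the explicit check makes the intent obvious to reviewers.
 */
function isSafeAddress(string $address): bool
{
    if (preg_match('/[\r\n\0]/', $address)) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Build the additional-headers string for mail(). Throws on unsafe input
 * instead of silently sending, so the caller can show an error.
 */
function buildHeaders(string $replyTo): string
{
    if (!isSafeAddress($replyTo)) {
        throw new InvalidArgumentException('Rejected reply address');
    }
    // From is always our own address; the visitor's address only goes in Reply-To.
    return "From: " . SITE_FROM . "\r\n"
         . "Reply-To: " . $replyTo . "\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Constructed inputs: one valid address, one that tries to smuggle in a
// second header line. Only the first one yields a header block.
$inputs = ["alice@example.org", "alice@example.org\r\nBcc: other@example.net"];
foreach ($inputs as $in) {
    try {
        echo buildHeaders($in), "\n";
    } catch (InvalidArgumentException $e) {
        echo "Rejected: ", json_encode($in), "\n";
    }
}
```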