Does email text need to be escaped?
Assuming a plain text email (not html or anything special), should post data be escaped somehow? And how?
Daniel -
Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
-
-
I guess that if it's not going into a db I don't see the necessity of escaping even though I do it for unknown reasons. The only real thing I make sure of is when the email arrives that it doesn't have slashes in front of quotes and such, just use stripslashes then is what I do.
You know far more than me on PHP and I don't know of any way that it would make any difference if it was escaped or not cause it's running any query or anything.
-
The Following User Says Thank You to fastsol1 For This Useful Post:
-
If it's not being used in a database query, output to the browser (where it would be parsed as HTML), or similar, there's no reason to escape it. Just make sure your email is being sent as plain text. If you do escape it, you'll either:
a) have backslashes in the middle of your sentences
b) have to use stripslashes(), which basically equates to not escaping anything in the first place.
-
The Following User Says Thank You to traq For This Useful Post:
-
Right. This is only for plain text emails that won't be doing anything else later on the server or anything.
What I'm wondering is if there's some magical way to do code injection in emails that would do something odd in the email program, like in HTML how you could inject JavaScript.
I assume it's unlikely, but in theory there could be some email markup language I'm not aware of. For example, perhaps there's a way to signal an attachment and add some random text (of that file).
It's probably entirely irrelevant for my current project, but I thought of that today-- it's strange using $_POST data directly without escaping in any way.
From what you've said, it sounds like you're confirming there's nothing to worry about. Thanks.
Daniel -
-
-
Email clients are designed not to do that kind of thing. 
If someone out there is using a client that does, it's not something you can control (or reasonably anticipate).
-
The Following User Says Thank You to traq For This Useful Post:
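
An added example, not code from any poster in this thread: a form handler that passes the posted message into the body unescaped and declares the mail as plain text, as the replies above recommend. It goes one step beyond the thread by requiring that any posted value placed in a header (subject, reply-to) is a single line, because mail headers are line-delimited. The function names, addresses and sample input are hypothetical.

```php
<?php
// Added example: function names and addresses are hypothetical.

// A value destined for a header must be a single line.
function single_line(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('Line break in header value');
    }
    return trim($value);
}

function build_plain_text_mail(array $post): array
{
    // FILTER_VALIDATE_EMAIL also rejects addresses containing line breaks.
    $replyTo = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    $subject = single_line($post['subject'] ?? '');

    // Body: no addslashes() or other escaping, only newline normalisation
    // to the CRLF line endings that mail() expects.
    $body = str_replace(["\r\n", "\r"], "\n", $post['message'] ?? '');
    $body = str_replace("\n", "\r\n", $body);

    $headers = [
        'From'                      => 'webform@example.com',
        'Reply-To'                  => $replyTo,
        'MIME-Version'              => '1.0',
        // Declared as plain text, so a mail client does not parse markup.
        'Content-Type'              => 'text/plain; charset=UTF-8',
        'Content-Transfer-Encoding' => '8bit',
    ];
    return [$subject, $body, $headers];
}

// Constructed sample input standing in for $_POST.
$post = [
    'email'   => 'visitor@example.org',
    'subject' => 'Question about "pricing"',
    'message' => "It's <b>not</b> HTML here.\nBackslashes \\ and 'quotes' stay as typed.",
];
[$subject, $body, $headers] = build_plain_text_mail($post);
echo $subject, "\n", $body, "\n";
// To send (array headers need PHP 7.2+):
// mail('owner@example.com', $subject, $body, $headers);
```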