Jaime Jaime - 2 months ago 14
HTML Question

PHP Radio Button Secure When Emailing

I've been trying to figure out if radio buttons and checkboxes need to be stripped (cleaned?) when sending them via email and how to do so.

I have a contact form that just emails the information. It doesn't touch a database. Do I need to protect the radio buttons and checkboxes when emailing? Is it possible?

I haven't found anything on Google regarding securing these when emailing them. I keep coming across a few answers that say that they should definitely be protected when sending to a database. The same is found here, or questions regarding how to grab values or create one dynamically. So, I'm at a loss.

Do I secure radio buttons and checkboxes when emailing? Is it possible? Necessary? If so, how do I do it?

Here's what my code looks like, partially:

$firstName = strip_tags($_POST['firstName']);
$lastName = strip_tags($_POST['lastName']);
$email = strip_tags($_POST['emailAddress']);
$telNum = strip_tags($_POST['phoneNumber']);
$colors= $_POST['eColors'];
$additionalComments = strip_tags($_POST['additionalComments']);
$spamField = strip_tags($_POST['sField']);


<form id="contact-form" action="" method="post">

<div>
<input type="text" id="nameFirst" name="firstName" />
<label for="nameFirst" class="nameIcon">
<span>First Name</span>
</label>
<span class="hint">
<p>Input hint goes here</p>
</span>
</div>

<div>
<input type="text" id="nameLast" name="lastName" />
<label for="nameLast" class="nameIcon">
<span>Last Name</span>
</label>
<span class="hint">
<p>Input hint goes here</p>
</span>
</div>

<div>
<input type="email" id="eAddy" name="emailAddress" />
<label for="eAddy" class="emailIcon">
<span>Contact Email</span>
</label>
<span class="hint">
<p>Input hint goes here</p>
</span>
</div>

<div>
<input type="tel" id="telNum" name="phoneNumber" />
<label for="telNum" class="contactIcon">
<span>Contact Number</span>
</label>
<span class="hint">
<p>Input hint goes here</p>
</span>
</div>

<div>
<input type="checkbox" id="cbEColors" name="eColors" class="cbSwitch" />
<label for="cbEColors">Do you expect more color?</label>
</div>

<div>
<textarea id="addComments" name="additionalComments"></textarea>
<label for="addComments" class="messageIcon">
<span>Additional Comments</span>
</label>
<span class="hint">
<p>Input hint goes here</p>
</span>
</div>

<input type="text" id="sField" class="col" name="sField" />

<button id="submit" name="submit" type="submit" value="Submit">Submit</button>

</form>

Answer Source

I follow a simple but critical rule for PHP security: never trust input values, regardless of their expected type or external validation (e.g. client-side browser validation).

There is a great article on this here.

Hope this helps :)
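
The answer's rule applied to the form in the question, as an added example that is not part of the original post or answer: the checkbox is checked against the only value the form can produce, and single-line fields lose any line breaks before they reach an email. The field names come from the question; `clean_contact_input()`, the length caps and the treatment of `sField` as a honeypot are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the question): returns validated values or throws.
function clean_contact_input(array $post): array
{
    // Single-line fields: string only, tags stripped, CR/LF removed, length capped.
    $line = static function (string $key) use ($post): string {
        $v = $post[$key] ?? '';
        if (!is_string($v)) {
            return ''; // PHP turns name[]=x into an array; reject it
        }
        return substr(trim(str_replace(["\r", "\n"], ' ', strip_tags($v))), 0, 200);
    };

    // A checkbox without a value attribute submits "on" when ticked and is
    // absent otherwise. Any other value did not come from the form as written.
    $raw = $post['eColors'] ?? null;
    if ($raw !== null && $raw !== 'on') {
        throw new InvalidArgumentException('eColors: unexpected value');
    }

    $email = filter_var($post['emailAddress'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('emailAddress: not a valid address');
    }

    // Assumption: sField is a honeypot that a human visitor leaves empty.
    if (($post['sField'] ?? '') !== '') {
        throw new InvalidArgumentException('sField: expected empty');
    }

    $comments = $post['additionalComments'] ?? '';
    return [
        'firstName' => $line('firstName'),
        'lastName'  => $line('lastName'),
        'email'     => $email,
        'telNum'    => $line('phoneNumber'),
        'colors'    => $raw === 'on',          // stored as a bool, never as raw text
        'comments'  => is_string($comments) ? substr(strip_tags($comments), 0, 5000) : '',
    ];
}

// Constructed sample submission standing in for $_POST.
$sample = ['firstName' => 'Ada', 'lastName' => 'L', 'emailAddress' => 'ada@example.com',
           'phoneNumber' => '555-0100', 'eColors' => 'on', 'additionalComments' => 'Hi', 'sField' => ''];
$c = clean_contact_input($sample);
echo "Name: {$c['firstName']} {$c['lastName']}\nMore color: " . ($c['colors'] ? 'yes' : 'no') . "\n";
```

Because the checkbox is reduced to a boolean, the email body only ever contains "yes" or "no" for it, whatever the client actually sent.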