FormMail security

Posted by Aidan on 10/26/53 11:33

Hi PHP gurus,

I've been working on creating a PHP formmail script. I have a working
version, but I'd like to get feedback on what security holes I may have
opened, and what I could do better. Here's the code:

<?php
// $to - set this to where form contents should be sent
$to = 'someone@somewhere.com';

// $subject - the subject of the message to send to $to
$subject = 'Yay FormMail!';

// $from - who the email should appear to be from
$from = 'formmail@example.com';

// $thanks_page - URL of page to redirect to when the mail is sent successfully
$thanks_page = 'http://www.example.com/thanks.html';

// $error_page - URL of page to redirect to when there is an error
$error_page = 'http://www.example.com/error.html';

// $allowed_referers - comma separated list of hostnames where form contents can originate.
// POSTs or GETs coming from anywhere else will be rejected.
$allowed_referers = 'example.com,www.example.com';

/*//////////////////////////
// DONT EDIT BELOW HERE!!!//
//////////////////////////*/

// Check that the referer is valid: pull the host name out of the Referer URL
// (the header may be absent, so default it to an empty string)
$referers = explode(',', $allowed_referers);
$referer_header = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
preg_match('/https?:\/\/([^\/]*)\/.*/', $referer_header, $matches);
$referer = isset($matches[1]) ? $matches[1] : '';
// if not, redirect to $error_page and stop; array_search() returns 0 for the first
// entry, so compare against false rather than relying on a truthy value
if (array_search($referer, $referers) === false) {
header("Location: $error_page");
exit();
}

// Check which method was used to send data, and sanitise it
$form = array();
if (count($_POST) > 0 || count($_GET) > 0) {
if (count($_POST) > 0) {
foreach ($_POST as $k => $v) {
$form[strval($k)] = strip_tags(strval($v));
}
} else {
foreach ($_GET as $k => $v) {
$form[strval($k)] = strip_tags(strval($v));
}
}
} else {
header("Location: $error_page");
exit();
}

$message = "Form submitted from $referer_header at " . date('h:ia D jS F Y') . "\n\n";

// Convert the form data from an array into a string, ready for sending
foreach ($form as $k => $v) {
$message .= "$k\t==>\t$v\n";
}

// Send the mail and redirect; exit() so nothing runs after the redirect header
if (mail($to, $subject, $message, "From: $from")) {
header("Location: $thanks_page");
} else {
header("Location: $error_page");
}
exit();

?>

What do you think? Thanks in advance...

Regards,

Aidan
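As an added example (not code from Aidan's post), here is the referer check rebuilt on parse_url() instead of a hand-written regex, so the whole host name is compared exactly and schemes, ports and a missing header are handled; the function names and the sample URLs below are constructed for illustration:

```php
<?php
// Added example, not part of the original script: strict Referer host
// allowlisting for a formmail handler. Function names are assumptions.

/**
 * Return true when the host in $referer is exactly one of $allowed_hosts.
 * Accepts http and https, tolerates an explicit port, rejects a missing header.
 */
function referer_allowed(?string $referer, array $allowed_hosts): bool
{
    if ($referer === null || $referer === '') {
        return false;                        // no Referer header: reject
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                        // unparsable URL: reject
    }
    // Whole-host, case-insensitive comparison (no prefix/suffix matching).
    $allowed = array_map('strtolower', $allowed_hosts);
    return in_array(strtolower($host), $allowed, true);
}

/** Split the comma separated config value into trimmed host names. */
function allowed_hosts_from_config(string $csv): array
{
    $hosts = array_map('trim', explode(',', $csv));
    return array_values(array_filter($hosts, 'strlen'));
}

$allowed = allowed_hosts_from_config('example.com,www.example.com');

// Constructed sample Referer values and the expected decision for each.
$cases = array(
    'http://example.com/contact.html'        => true,
    'https://www.example.com:8443/form'      => true,
    'http://example.com.other.invalid/form'  => false, // different host
    'http://other.invalid/example.com/'      => false, // name is in the path
    ''                                       => false, // header missing
);
foreach ($cases as $ref => $expected) {
    $label = ($ref === '') ? '(no Referer)' : $ref;
    $result = referer_allowed($ref, $allowed) === $expected ? 'ok' : 'MISMATCH';
    printf("%-40s %s\n", $label, $result);
}

// In the handler itself, stop immediately when the check fails:
// if (!referer_allowed($_SERVER['HTTP_REFERER'] ?? null, $allowed)) {
//     header('Location: ' . $error_page);
//     exit();
// }
```

The Referer header is supplied by the client, so this check filters stray or accidental cross-site submissions rather than providing strong protection; it needs to be paired with the exit() after the redirect so a rejected request never reaches mail().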
