Posted by Aggelos on 10/16/06 08:12
Hello,
I can't get my head around form mail scripts and people injecting extra
code in there. I don't know if they actually achieve anything or not. I
am using a script from
Web4Future Easiest Form2Mail (GPL).
Copyright (C) 1998-2005 Web4Future.com All Rights Reserved.
http://www.Web4Future.com/
Does anyone know if that script is supposed to be secure?
Anyway... my point is not that much just the formmail script but any
post form and post handling script.
Is there a standard checklist of security threats I should be looking at
regarding forms that send crucial data?
For example, when you send something to PayPal or WorldPay you have to
send an id that uniquely identifies you, OK?
Now that is visible to everyone.
But it doesn't really produce any security threat at all.
BUT if I need someone to send an id to my script and use it as a
signature to use the site services, that means that someone can fake it
easily and start using the website without signing up.
I don't want people to log in because they would have already logged in
elsewhere.
Using post variables seems to be the easiest way to store data in my DB
from any other site cross platform.
Any ideas or discussions on all these ?
Thanks for reading anyway,
and I hope it makes sense. :)
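An added example, not code from the original post or from the Web4Future script, showing the two checks the post asks about in one small POST handler: rejecting e-mail header injection in a form-to-mail field, and accepting a user id from another site only when it carries an HMAC signature over a shared secret, so that a visitor who can see the id still cannot forge one. The function names, the shared secret, the timestamp, and the sample form bodies are all constructed for the example.

```python
"""Added example (not from the original post or the Web4Future script).

1. Form-to-mail: a script that copies a visitor's "email" or "subject"
   field into a mail header is open to header injection; a CR/LF inside
   the field ends that header and whatever follows becomes an extra
   header (Bcc:, Cc:) or body text, turning the form into a spam relay.
2. Cross-site POST: if site A POSTs a bare user id to site B, anyone can
   POST any id.  A and B share a secret; A sends id|timestamp|HMAC and B
   recomputes the HMAC.  Nothing is hidden from the visitor, but the
   visitor cannot produce a valid signature for a different id.
All names, the secret and the sample bodies below are constructed.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode

# ---- 1. form-to-mail: header injection ------------------------------------
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def has_header_injection(value: str) -> bool:
    """True if the value could terminate a header and start a new one."""
    return any(c in value for c in "\r\n\x00")


def build_mail_headers(reply_to: str, subject: str) -> dict:
    """Headers for the outgoing mail; raises ValueError on hostile input."""
    if has_header_injection(reply_to) or has_header_injection(subject):
        raise ValueError("CR/LF in mail field")
    if not _ADDR.match(reply_to):
        raise ValueError("malformed address")
    return {"Reply-To": reply_to, "Subject": subject[:200]}


# ---- 2. cross-site POST: HMAC-signed identifier ---------------------------
SHARED_SECRET = b"constructed-secret-known-only-to-site-A-and-site-B"


def sign_user_id(user_id: str, issued_at: int,
                 secret: bytes = SHARED_SECRET) -> str:
    """What the sending site (A) puts in the hidden form field."""
    msg = f"{user_id}|{issued_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user_id}|{issued_at}|{sig}"


def verify_user_id(token: str, now: int, max_age: int = 300,
                   secret: bytes = SHARED_SECRET):
    """Return the user id if the token is authentic and fresh, else None."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user_id, issued_at, sig = parts
    expected = hmac.new(secret, f"{user_id}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time compare: a plain == leaks timing about the signature
    if not hmac.compare_digest(sig, expected):
        return None
    # freshness window limits how long a captured token can be replayed;
    # tokens dated in the future are rejected as well
    if not 0 <= now - int(issued_at) <= max_age:
        return None
    return user_id


def handle_post(body: str, now: int) -> dict:
    """Process one URL-encoded POST body the way the receiving script would."""
    fields = parse_qs(body, keep_blank_values=True)

    def field(name: str) -> str:
        return fields.get(name, [""])[0]

    user_id = verify_user_id(field("token"), now)
    if user_id is None:
        return {"ok": False, "error": "bad or stale token"}
    try:
        headers = build_mail_headers(field("email"), field("subject"))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "user": user_id, "headers": headers,
            "message": field("message")}


# ---- constructed sample traffic ------------------------------------------
NOW = 1_160_000_000                      # constructed "current" epoch time
GOOD_TOKEN = sign_user_id("user42", NOW - 10)
GOOD_BODY = urlencode({"token": GOOD_TOKEN, "email": "alice@example.com",
                       "subject": "Hello", "message": "hi"})
# attacker guesses an id and invents a signature
FORGED_BODY = urlencode({"token": f"admin|{NOW}|deadbeef",
                         "email": "alice@example.com", "subject": "Hello"})
# attacker keeps a valid signature but swaps the id in front of it
TAMPERED_TOKEN = "admin|" + GOOD_TOKEN.split("|", 1)[1]
# legitimate token, but the e-mail field smuggles a Bcc: header
INJECTED_BODY = urlencode({"token": GOOD_TOKEN,
                           "email": "alice@example.com\r\nBcc: victim@example.net",
                           "subject": "Hello"})

if __name__ == "__main__":
    for name, body in [("good", GOOD_BODY), ("forged", FORGED_BODY),
                       ("injected", INJECTED_BODY)]:
        print(name, handle_post(body, NOW))
```

Two caveats worth keeping in mind: a signed token is still replayable by anyone who captured it within the freshness window, so a site that must stop replays also records used tokens (or a nonce) on the receiving side; and the secret must never appear in the form itself, which is exactly the difference between this scheme and a bare visible id.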