Posted by Chung Leong on 03/12/06 19:23

Scott wrote:
> This is a simple contact form. I have the following fields:
> name, company, email, phone, subject (which is chosen from a dropdown
> list), and message (a textarea field). I am also using a hidden field
> called originator which contains the random code, as well as assigning
> that same value to $_SESSION['code'] as discussed earlier.

As I said, the random code will indeed stop cross-site form submission.
That's not a useful exploit though in this instance, unless your script
is vulnerable to e-mail header injection.

> 1) Take each of the text fields, run them through trim() and
> strip_tags(), and assign them to a variable. That variable is then
> checked against a regular expression. If they do not match the
> expression, an error message such as "Please re-enter your email
> address." will be displayed along with the form, and with all of the
> information they just entered.

Sensible enough, although strip_tags() is a rather blunt instrument.

> 2) The subject must match one of the options in the drop down list. For
> now, if it doesn't, I'm just pulling the plug with exit(), because this
> obviously isn't valid data.

That should stop mail injection, as the subject is presumably the only
field which goes into the header.

> 3) With the message, I want to be fairly flexible, mainly because this
> is a contact form for potential customers to contact me, and I don't
> want to annoy them into going elsewhere. I am running it through trim()
> and strip_tags(), but haven't decided yet on a regular expression to
> use, or even if I really need to.

I'm not aware of any exploit that can be triggered by contents in the
mail body.

> After all this, if no error message has been generated, the form
> contents are emailed to me. Since this data is being passed to a mail()
> function, spam was pretty much my main concern. However, I'm wondering
> also, would you deem it necessary to use escapeshellcmd() on this data
> as well? I'm no Linux guru, so I don't know what someone could do to
> cause problems with this script, other than spam me.

PHP pipes data to Sendmail through the standard input. There is no
need to call escapeshellcmd().

> What further steps would you take on this script?

Don't see any. Seems like you're already taking more precautions than
you have to.

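The checks discussed in this thread (session code, trim()/strip_tags(), whitelisted subject, no shell escaping for the body), written out as one validation routine. This is an added example, not Scott's form or Chung Leong's code; it assumes PHP 7 or later, and the subject list, recipient and session code are placeholders.

```php
<?php
// Added example, not code from the thread. Placeholders: the subject list,
// the recipient address, and the session code stored in $_SESSION['code'].
const SUBJECT_OPTIONS = ['General enquiry', 'Quote request', 'Support'];

// Returns error messages; an empty array means the data is safe to mail().
// Header-bound values (From, Subject) must never contain CR or LF.
function validateContact(array $in, string $sessionCode): array
{
    $errors = [];
    // The hidden originator field must match the code kept in the session.
    if (!hash_equals($sessionCode, (string)($in['originator'] ?? ''))) {
        $errors[] = 'Form token did not match; please submit the form again.';
    }
    $name = trim(strip_tags($in['name'] ?? ''));
    if ($name === '' || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'Please re-enter your name.';
    }
    // FILTER_VALIDATE_EMAIL rejects CR/LF and other header-breaking characters.
    if (filter_var(trim($in['email'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please re-enter your email address.';
    }
    // Subject is the only user-chosen value that reaches a header: strict match.
    if (!in_array($in['subject'] ?? '', SUBJECT_OPTIONS, true)) {
        $errors[] = 'Please choose a subject from the list.';
    }
    // The body goes to sendmail on stdin; escapeshellcmd() has no role here.
    if (trim(strip_tags($in['message'] ?? '')) === '') {
        $errors[] = 'Please enter a message.';
    }
    return $errors;
}

function sendContact(array $in, string $sessionCode, string $to): bool
{
    if (validateContact($in, $sessionCode) !== []) {
        return false;
    }
    $headers = 'From: ' . trim($in['email']) . "\r\n";
    $body = 'Name: ' . trim(strip_tags($in['name'])) . "\n"
          . 'Company: ' . trim(strip_tags($in['company'] ?? '')) . "\n\n"
          . trim(strip_tags($in['message']));
    return mail($to, $in['subject'], $body, $headers);
}

// Constructed sample: a CR/LF in the email field is reported, not mailed.
print_r(validateContact(['originator' => 'abc123', 'name' => 'Scott',
    'email' => "scott@example.com\r\nBcc: other@example.net",
    'subject' => 'Support', 'message' => 'Hello'], 'abc123'));
```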


Copyright © 2005-2006 Powered by Custom PHP Programming
