Posted by Chung Leong on 03/12/06 19:23
Scott wrote:
> This is a simple contact form. I have the following fields:
> name, company, email, phone, subject (which is chosen from a dropdown
> list), and message (a textarea field). I am also using a hidden field
> called originator which contains the random code, as well as assigning
> that same value to $_SESSION['code'] as discussed earlier.
As I said, the random code will indeed stop cross-site form submission.
That's not a useful exploit though in this instance, unless your script
is vulnerable to e-mail header injection.
> 1)Take each of the text fields, run them through trim() and
> strip_tags(), and assign them to a variable. That variable is then
> checked against a regular expression. If they do not match the
> expression, an error message such as "Please re-enter your email
> address." will be displayed along with the form, and with all of the
> information they just entered.
Sensible enough, although strip_tags() is a rather blunt instrument.
> 2) The subject must match one of the options in the drop down list. For
> now, if it doesn't, I'm just pulling the plug with exit(), because this
> obviously isn't valid data.
That should stop mail injection, as the subject is presumably the only
field which goes into the header.
> 3) With the message, I want to be fairly flexible, mainly because this
> is a contact form for potential customers to contact me, and I don't
> want to annoy them into going elsewhere. I am running it through trim()
> and strip_tags(), but haven't decided yet on a regular expression to
> use, or even if I really need to.
I'm not aware of any exploit that can be triggered by contents in the
mail body.
> After all this, if no error message has been generated, the form
> contents are emailed to me. Since this data is being passed to a mail()
> function, spam was pretty much my main concern. However, I'm wondering
> also, would you deem it necessary to use escapeshellcmd() on this data
> as well? I'm no Linux guru, so I don't know what someone could do to
> cause problems with this script, other than spam me.
PHP pipes data to Sendmail through the standard input. There is no
need to call escapeshellcmd().
> What further steps would you take on this script?
Don't see any. Seems like you're already taking more precautions than
you have to.
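Added example, not code from either poster: a handler for the contact form as described in the thread, showing where each of the checks discussed above sits. It whitelists the dropdown subject, validates the address so no CR/LF can reach the header, and puts everything else in the body. The field names, the dropdown values, the recipient and the session token value are assumptions for the example; it targets PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Assumed for the example: where the mail goes and what the dropdown offers.
const RECIPIENT = 'you@example.com';
const ALLOWED_SUBJECTS = ['Sales enquiry', 'Support', 'Other'];

/**
 * Validate the posted fields.
 * Returns [$errors, $subject, $headers, $body]; $errors is empty on success.
 * Only the whitelisted subject and the validated address reach the header,
 * so the header cannot gain extra lines (e.g. an injected "Bcc:").
 */
function buildMail(array $post, string $sessionCode): array
{
    $errors = [];

    // Random code from the hidden field must match the one stored in the session.
    $token = (string)($post['originator'] ?? '');
    if ($token === '' || !hash_equals($sessionCode, $token)) {
        $errors[] = 'Form token did not match.';
    }

    // Step 1: trim + strip_tags on the free-text fields, then a pattern check.
    $name    = trim(strip_tags((string)($post['name'] ?? '')));
    $company = trim(strip_tags((string)($post['company'] ?? '')));
    $phone   = trim(strip_tags((string)($post['phone'] ?? '')));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim(strip_tags((string)($post['message'] ?? '')));

    if (!preg_match('/^[\p{L} .\'-]{1,80}$/u', $name)) {
        $errors[] = 'Please re-enter your name.';
    }
    // FILTER_VALIDATE_EMAIL rejects CR, LF and anything else that is not a
    // single well-formed address, which is what keeps the From: line intact.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please re-enter your email address.';
    }
    if ($phone !== '' && !preg_match('/^[0-9 +()\-]{7,20}$/', $phone)) {
        $errors[] = 'Please re-enter your phone number.';
    }

    // Step 2: the subject must be exactly one of the dropdown options.
    // A mismatch is not a typo but a tampered request, so it is simply rejected.
    $subject = (string)($post['subject'] ?? '');
    if (!in_array($subject, ALLOWED_SUBJECTS, true)) {
        $errors[] = 'Invalid subject.';
    }

    // Step 3: the message stays free-form; it only ever goes into the body.
    if ($message === '') {
        $errors[] = 'Please enter a message.';
    }

    if ($errors !== []) {
        return [$errors, '', '', ''];
    }

    $headers = "From: $email\r\nReply-To: $email";
    $body    = "Name: $name\nCompany: $company\nPhone: $phone\n\n$message\n";
    return [[], $subject, $headers, $body];
}

// Constructed inputs: one honest submission and one header-injection attempt.
$good = [
    'originator' => 'a1b2c3', 'name' => 'Jane Doe', 'company' => 'Acme',
    'email' => 'jane@example.net', 'phone' => '+1 555 0100',
    'subject' => 'Sales enquiry', 'message' => 'Please send a quote.',
];
$bad = $good;
$bad['email']   = "jane@example.net\r\nBcc: victim1@example.org,victim2@example.org";
$bad['subject'] = "Sales enquiry\r\nBcc: victim@example.org";

[$errors, $subject, $headers, $body] = buildMail($good, 'a1b2c3');
if ($errors === []) {
    // This is the only place user data meets mail(); the first four arguments
    // are written to sendmail's stdin, not to a shell, so no escapeshellcmd().
    mail(RECIPIENT, $subject, $body, $headers);
}

[$errors] = buildMail($bad, 'a1b2c3');
print_r($errors); // both the email address and the subject are rejected
```

The fifth argument of mail() (additional parameters) is the one value that is placed on the sendmail command line; this example never passes it, so nothing user-controlled gets near a shell.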