
Email Forms - Processing Securely

Posted: Mon May 01, 2006 12:20 pm
by Plaz
Currently I have a site that has a form handler that will process any form I send to it (even from other domains).

What is the easiest way to secure this form handler so that it cannot be exploited by spammers?

I need it to stay simple so that it can process any forms from my site (rather than having a specific form handler for each form).

What is the best way to do this?

Can it be done without form-field validation?

Is there a simple bit of reliable code that will only allow forms from my domain to be processed by the form handler?

Thanks in advance for any input on this.

Posted: Mon May 01, 2006 5:31 pm
by feyd
Standardize any fields that affect the headers used in the email to use the same names and formats; everything else can pretty much be dumped into the body of the email as-is with little to no validation (some basic sanity checks).
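One way to implement feyd's split between header-affecting fields and body fields, as an added example that is not part of this thread or any poster's code: the handler accepts only three fixed names (`name`, `email`, `subject`) for anything that reaches a mail header, refuses CR/LF in those values so a spammer cannot smuggle extra headers such as `Bcc:`, pins the recipient server-side, and drops every other field into the message body. The field names, addresses and the `HeaderInjection` class are assumptions for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

# The only form fields that may influence mail headers. Every form on the site
# has to use exactly these names for these purposes (feyd's "standardize" point).
HEADER_FIELDS = {"name", "email", "subject"}

# Recipient and sender are fixed on the server; no form field can choose them.
TO_ADDRESS = "webmaster@example.com"    # placeholder address
FROM_ADDRESS = "forms@example.com"      # placeholder address

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a header-bound field contains a line break (assumed name)."""


def clean_header_value(value, max_len=200):
    """Trim a value destined for a header and reject embedded line breaks.

    A line break inside Subject or Reply-To would let the submitter append
    arbitrary headers (Bcc:, Content-Type:, ...) to the outgoing message.
    """
    value = (value or "").strip()
    if CRLF_RE.search(value):
        raise HeaderInjection("line break in header field")
    return value[:max_len]


def build_message(fields):
    """Turn submitted form fields (a dict of str -> str) into an EmailMessage.

    Header fields are validated strictly; everything else is copied into the
    body unchanged, one 'key: value' line per field.
    """
    name = clean_header_value(fields.get("name")) or "Anonymous"
    email = clean_header_value(fields.get("email"))
    if not EMAIL_RE.match(email):
        raise ValueError("invalid reply address")
    subject = clean_header_value(fields.get("subject")) or "Website form"

    msg = EmailMessage()
    msg["From"] = FROM_ADDRESS
    msg["To"] = TO_ADDRESS
    # formataddr quotes the display name, so a name containing '<' or '"'
    # cannot break the address syntax.
    msg["Reply-To"] = formataddr((name, email))
    msg["Subject"] = subject

    # Body: everything that is not a header field, dumped as-is. Line breaks
    # here are harmless because they never reach the header section.
    body_lines = [f"{key}: {value}"
                  for key, value in sorted(fields.items())
                  if key not in HEADER_FIELDS]
    msg.set_content("\n".join(body_lines) + "\n")
    return msg


if __name__ == "__main__":
    # Constructed sample submission.
    sample = {"name": "Ann", "email": "ann@example.org",
              "subject": "Hi", "message": "Hello\nsecond line"}
    print(build_message(sample).as_string())
```

The handler stays generic: a new form only has to name its header-bound inputs `name`, `email` and `subject`; any other inputs it carries end up in the body without per-form code.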

Posted: Tue May 02, 2006 8:15 am
by neophyte
Although not perfect, I like to give each form a unique token in a session var and in a hidden field. On submit you just check to make sure the two match. That'll help cut down on spam. A better way is to use a CAPTCHA or have the user click on a link in their email.
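The session-token check neophyte describes, as an added example that is not part of this thread or any poster's code: the form page gets a fresh random token stored in the session and echoed in a hidden field; the handler accepts a submission only if the two match, compares them in constant time, and consumes the token so it cannot be replayed. The session is modelled as a plain dict, and the key and field names are assumptions.

```python
import hmac
import secrets
from html import escape

TOKEN_KEY = "form_token"    # session key (assumed name)
FIELD_NAME = "form_token"   # hidden input name (assumed name)


def issue_token(session):
    """Create a fresh token for one form page.

    Stores the token in the session and returns it together with the hidden
    <input> element to embed in the form.
    """
    token = secrets.token_urlsafe(32)
    session[TOKEN_KEY] = token
    hidden = f'<input type="hidden" name="{FIELD_NAME}" value="{escape(token)}">'
    return token, hidden


def verify_token(session, posted_fields):
    """Return True only if the posted hidden field matches the session token.

    The session copy is removed whether or not the check succeeds, so a token
    is good for exactly one submission; a failed attempt must reload the form
    to obtain a new one.
    """
    expected = session.pop(TOKEN_KEY, None)
    submitted = posted_fields.get(FIELD_NAME)
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check does not leak where it diverges.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed walk-through: render form, then submit it twice.
    session = {}
    token, hidden_input = issue_token(session)
    print(hidden_input)
    print("first submit:", verify_token(session, {FIELD_NAME: token}))
    print("replay:", verify_token(session, {FIELD_NAME: token}))
```

A submission that carries no token at all, one from a client with no session, and a replay of an already-used token all fail the same way, which is what keeps a blind POST from another domain out of the handler. As neophyte notes, it is not perfect: a client that loads the form before posting receives a valid token, which is why a CAPTCHA or email confirmation is the stronger option.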