Hello, this is my first post here, nice to meet all of you. OK - here's my question. Here is my very simple but working PHP form script.
<?php
// Raw form fields: nothing is checked before use
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$subject = $_POST['subject'] ;
$comments = $_POST['comments'] ;
// $email goes straight into the mail headers (the "From:" line)
mail( "myemail@gmail.com", "mydomain.com Formmail", "Name: $name \n\nSubject: $subject \n\nComments: $comments","From: $email" );
header( "Location: http://www.mydomain.com/thankyou.php" );
exit; // stop the script after sending the redirect
?>
It outputs this.
Name: Eric
Subject: Diabetes
Comments: So Happy!!
It took me a while to get this working so I am quite happy with it. However, I'm sure it's obvious to all of you that I need to add some security and validation code to it. As I am completely new to PHP I was wondering if someone would be so kind as to help me out. Thanks, take care! By the way it does not need to be anything fancy - just simple and easy for me to understand.
PHP form validation and security needed please?
- superdezign
Re: PHP form validation and security needed please?
You should be a lot more specific as to what you're looking for... Tips?
For starters, validation of user input. Also, cleansing of user input. For example, you are using $_POST['email']. If I'm not mistaken, you are allowing email headers to be injected directly into your code. Like, let's say that $_POST['email'] has the value "Somebody <someEmailAddress@someDomain.tld>\r\nTo:SpamSomeone <personToSpam@someDomain.tld>, SpamSomeoneElse<someOtherGuy@someDomain.tld>,..." Then, someone could maliciously use your email script to spam, using any email address and you'd be paying for it through your server.
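A server-side version of the checks superdezign describes, added here as an example (not code from either poster): it rejects CR/LF in the address field so no extra mail headers can be smuggled in, bounds the body fields, and keeps the visitor's address out of From:. The function names, the webform@mydomain.com sender and the sample values are my own assumptions.

```php
<?php
// Added example (not from the original thread): server-side checks for the
// form above. The injection value in the demo is constructed for illustration.
// Reject anything that could start a new mail header line: CR, LF or NUL.
function contains_header_breaks(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Return a normalised address, or null when the input must be rejected.
function validate_email(string $input): ?string
{
    $input = trim($input);
    if (strlen($input) > 254 || contains_header_breaks($input)) {
        return null;
    }
    $clean = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Body fields only need to be non-empty and bounded in length.
function validate_text(string $input, int $max): ?string
{
    $input = trim($input);
    return ($input === '' || strlen($input) > $max) ? null : $input;
}

if (PHP_SAPI === 'cli') {
    // Demo run: the second value is the header-injection attempt from the reply above.
    foreach (['eric@example.com', "Somebody <a@example.com>\r\nTo: b@example.com", 'nope'] as $v) {
        echo json_encode($v), ' => ', validate_email($v) ?? 'REJECTED', PHP_EOL;
    }
    exit;
}

// Web request: validate every field before mail() sees any of it.
$email    = validate_email($_POST['email'] ?? '');
$name     = validate_text($_POST['name'] ?? '', 100);
$subject  = validate_text($_POST['subject'] ?? '', 150);
$comments = validate_text($_POST['comments'] ?? '', 5000);
if ($email === null || $name === null || $subject === null || $comments === null) {
    http_response_code(400);
    exit('Invalid form input.');
}
// Use a fixed sender you control; the visitor's address goes in Reply-To only.
$headers = "From: webform@mydomain.com\r\nReply-To: $email";
mail('myemail@gmail.com', 'mydomain.com Formmail', "Name: $name\n\nSubject: $subject\n\nComments: $comments", $headers);
header('Location: http://www.mydomain.com/thankyou.php');
exit;
```

Run it from the command line to see the three sample values accepted or rejected; under a web server it behaves as the hardened form handler.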
Re: PHP form validation and security needed please?
I know! Hence my question. Yes I am looking for validation of user input, and cleansing of user input. Thanks for any suggestions!
Re: PHP form validation and security needed please?
It's probably best to use JavaScript for the form validation; it could be done in PHP, but JavaScript would make it more user-friendly.
Kind Regards
AMCH