PHP form validation and security needed please?

ewwatson
Forum Newbie
Posts: 3
Joined: Tue Apr 01, 2008 7:48 am

PHP form validation and security needed please?

Post by ewwatson »

Hello, this is my first post here, nice to meet all of you. OK - here's my question. Here is my very simple but working PHP form script.

<?php
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$subject = $_POST['subject'] ;
$comments = $_POST['comments'] ;

mail( "myemail@gmail.com", "mydomain.com Formmail", "Name: $name \n\nSubject: $subject \n\nComments: $comments","From: $email" );
header( "Location: http://www.mydomain.com/thankyou.php" );
?>

It outputs this.

Name: Eric

Subject: Diabetes

Comments: So Happy!!

It took me a while to get this working so I am quite happy with it. However, I'm sure it's obvious to all of you that I need to add some security and validation code to it. As I am completely new to PHP I was wondering if someone would be so kind as to help me out. Thanks, take care! By the way it does not need to be anything fancy - just simple and easy for me to understand.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: PHP form validation and security needed please?

Post by superdezign »

You should be a lot more specific as to what you're looking for... Tips?

For starters, validation of user input. Also, cleansing of user input. For example, you are using $_POST['email']. If I'm not mistaken, you are allowing email headers to be injected directly into your code. Like, let's say that $_POST['email'] has the value "Somebody <someEmailAddress@someDomain.tld>\r\nTo:SpamSomeone <personToSpam@someDomain.tld>, SpamSomeoneElse<someOtherGuy@someDomain.tld>,..." Then, someone could maliciously use your email script to spam, using any email address and you'd be paying for it through your server.
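
The header injection described in the post above, and one way to close it on the server side, as an added example that is not part of the original thread or either poster's code. The function names clean_contact_form and send_contact_mail, the length limits and the webform@mydomain.com sender address are assumptions made for illustration.

```php
<?php
// Added example, not the original script. Limits and the webform@ address are assumptions.

function clean_contact_form(array $post): array
{
    $limits = ['name' => 100, 'email' => 254, 'subject' => 150, 'comments' => 5000];
    $fields = $errors = [];
    foreach ($limits as $key => $max) {
        $value = $post[$key] ?? '';
        $fields[$key] = is_string($value) ? trim($value) : '';
        if ($fields[$key] === '') {
            $errors[$key] = 'required';
        } elseif (strlen($fields[$key]) > $max) {
            $errors[$key] = 'too long';
        }
    }
    // The address is the only value placed in the headers argument of mail().
    // Reject any CR or LF instead of stripping it, then require one valid address.
    if (!isset($errors['email']) && (preg_match('/[\r\n]/', $fields['email'])
        || filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false)) {
        $errors['email'] = 'invalid';
    }
    return [$fields, $errors];
}

function send_contact_mail(array $f): bool
{
    $body = "Name: {$f['name']}\n\nSubject: {$f['subject']}\n\nComments: {$f['comments']}";
    // Fixed From (assumed address); the checked visitor address goes in Reply-To.
    $headers = "From: webform@mydomain.com\r\nReply-To: {$f['email']}";
    return mail('myemail@gmail.com', 'mydomain.com Formmail', $body, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a normal submission and the injected value described above.
    $ok = ['name' => 'Eric', 'email' => 'eric@example.com', 'subject' => 'Diabetes', 'comments' => 'So Happy!!'];
    $bad = ['email' => "Somebody <a@example.com>\r\nTo: Spam <b@example.com>"] + $ok;
    foreach (['normal' => $ok, 'injected' => $bad] as $label => $post) {
        [, $errors] = clean_contact_form($post);
        echo $label, ': ', $errors ? 'rejected ' . json_encode($errors) : 'accepted', "\n";
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$fields, $errors] = clean_contact_form($_POST);
    if ($errors || !send_contact_mail($fields)) {
        http_response_code(400);
        exit('Please check the form and try again.');
    }
    header('Location: http://www.mydomain.com/thankyou.php');
    exit;
}
```

Run from the command line, the script only checks the two constructed submissions and sends nothing; served over HTTP, it handles a POST from the form.
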
ewwatson
Forum Newbie
Posts: 3
Joined: Tue Apr 01, 2008 7:48 am

Re: PHP form validation and security needed please?

Post by ewwatson »

I know! Hence my question. Yes I am looking for validation of user input, and cleansing of user input. Thanks for any suggestions!
AMCH
Forum Commoner
Posts: 31
Joined: Sun Mar 30, 2008 4:39 pm

Re: PHP form validation and security needed please?

Post by AMCH »

It's probably best to use JavaScript for the form validation. It could be done in PHP, but JavaScript would make it more user friendly. :D

Kind Regards
AMCH