PHP form validation and security needed please?

Posted: Tue Apr 01, 2008 7:57 am
by ewwatson
Hello, this is my first post here, nice to meet all of you. OK - here's my question. Here is my very simple but working PHP form script.

<?php
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$subject = $_POST['subject'] ;
$comments = $_POST['comments'] ;

mail( "myemail@gmail.com", "mydomain.com Formmail", "Name: $name \n\nSubject: $subject \n\nComments: $comments","From: $email" );
header( "Location: http://www.mydomain.com/thankyou.php" );
?>

It outputs this.

Name: Eric

Subject: Diabetes

Comments: So Happy!!

It took me a while to get this working so I am quite happy with it. However, I'm sure it's obvious to all of you that I need to add some security and validation code to it. As I am completely new to PHP I was wondering if someone would be so kind as to help me out. Thanks, take care! By the way it does not need to be anything fancy - just simple and easy for me to understand.

Re: PHP form validation and security needed please?

Posted: Tue Apr 01, 2008 8:12 am
by superdezign
You should be a lot more specific as to what you're looking for... Tips?

For starters, validation of user input. Also, cleansing of user input. For example, you are using $_POST['email']. If I'm not mistaken, you are allowing email headers to be injected directly into your code. Like, let's say that $_POST['email'] has the value "Somebody <someEmailAddress@someDomain.tld>\r\nTo:SpamSomeone <personToSpam@someDomain.tld>, SpamSomeoneElse<someOtherGuy@someDomain.tld>,..." Then, someone could maliciously use your email script to spam, using any email address and you'd be paying for it through your server.
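A hardened rewrite of the handler from the first post, added here as an illustration; it is not code from either poster. It assumes PHP 7 or later (typed function signatures), keeps the original field names and the placeholder recipient, subject tag and redirect URL from the thread, and introduces one assumed address, noreply@mydomain.com, as a fixed From: sender. The additions are the two things asked for: validation (required fields, length limits, a single well-formed email address) and cleansing (refusing CR/LF in anything that ends up in a mail header, which is exactly what the To:/Bcc: injection described above depends on).

```php
<?php
// Added example (not the original poster's script): hardened contact form handler.
// Placeholders below are taken from the thread; noreply@mydomain.com is assumed.
declare(strict_types=1);

const RECIPIENT   = 'myemail@gmail.com';                    // placeholder from the thread
const SUBJECT_TAG = 'mydomain.com Formmail';                // placeholder from the thread
const THANKS_URL  = 'http://www.mydomain.com/thankyou.php'; // placeholder from the thread
const FROM_ADDR   = 'noreply@mydomain.com';                 // assumed fixed sender

// CR or LF in a header value is what lets extra headers (To:, Cc:, Bcc:) be
// appended, so any value that may reach a header is rejected if it contains one.
function hasLineBreaks(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Normalise the four form fields into trimmed strings (missing fields become '').
function readFields(array $post): array
{
    $fields = [];
    foreach (['name', 'email', 'subject', 'comments'] as $key) {
        $fields[$key] = trim((string)($post[$key] ?? ''));
    }
    return $fields;
}

// Return a list of validation errors; an empty list means the submission is valid.
function validateForm(array $post): array
{
    $f = readFields($post);
    $errors = [];

    if ($f['name'] === '' || strlen($f['name']) > 100 || hasLineBreaks($f['name'])) {
        $errors[] = 'Name is required, must be under 100 characters, and may not contain line breaks.';
    }
    // FILTER_VALIDATE_EMAIL accepts only a single bare address, so a value such as
    // "Somebody <a@b.tld>\r\nTo: ..." fails here; the line-break check is kept as well.
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false || hasLineBreaks($f['email'])) {
        $errors[] = 'A single, valid email address is required.';
    }
    if ($f['subject'] === '' || strlen($f['subject']) > 200 || hasLineBreaks($f['subject'])) {
        $errors[] = 'Subject is required, must be under 200 characters, and may not contain line breaks.';
    }
    if ($f['comments'] === '' || strlen($f['comments']) > 5000) {
        $errors[] = 'Comments are required and must be under 5000 characters.';
    }
    return $errors;
}

// Send the message. Call only after validateForm() returned no errors.
function sendContactMail(array $post): bool
{
    $f = readFields($post);
    $body = "Name: {$f['name']}\n\nSubject: {$f['subject']}\n\nComments: {$f['comments']}";

    // The visitor's address goes in Reply-To rather than From: the sender is a fixed
    // address under our own domain, and the visitor value has already been validated.
    $headers = 'From: ' . FROM_ADDR . "\r\n" . 'Reply-To: ' . $f['email'];

    return mail(RECIPIENT, SUBJECT_TAG . ': ' . $f['subject'], $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateForm($_POST);
    if ($errors === []) {
        sendContactMail($_POST);
        header('Location: ' . THANKS_URL);
        exit; // stop the script here; the redirect header alone does not end execution
    }
    // Show the errors back to the visitor, HTML-escaped.
    foreach ($errors as $error) {
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

The checks run on the server regardless of what the browser did, because a POST can be sent to the script without ever loading the form page; any JavaScript validation on the form is a convenience for the visitor, not a substitute for this. The exit after header() is worth keeping even in the simplest version: without it PHP keeps running whatever follows the redirect.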

Re: PHP form validation and security needed please?

Posted: Tue Apr 01, 2008 9:04 am
by ewwatson
I know! Hence my question. Yes I am looking for validation of user input, and cleansing of user input. Thanks for any suggestions!

Re: PHP form validation and security needed please?

Posted: Tue Apr 01, 2008 11:09 am
by AMCH
It's probably best to use JavaScript for the form validation; it could be done in PHP, but JavaScript would make it more user-friendly. :D

Kind Regards
AMCH