Secure 1 field php form - help
Davidjohny
- Forum Newbie
- Posts: 1
- Joined: Thu Apr 05, 2012 12:24 pm
Secure 1 field php form - help
Hello
I have a website with an online email newsletter subscription form in PHP.
Current status:
Step 1/- A visitor fills in his email address.
Step 2/- Next, I get the visitor's email address inside my INBOX.
The current PHP form consists of two pages
================================================
[[[ Page with PHP Form Code | Page NO.1 Formpage.php ]]]
<html><body>
<form name="myform" method="post" action="SEND.php"><br> <br />
<input name="email" type="text" id="email" />
<br />
<input type="submit" name="Submit" value="Submit" />
</form>
</body></html>
================================================
[[[ Confirmation Page Code | Page NO.2 SEND.php ]]]
<?php
$email = $_REQUEST['email'] ;
mail( "myemail@mydomain.com", "Newsletter Request", "From: $email" );
?>
================================================
I have heard about php code injection, malicious script and spam.
How can I secure this simple two-page php form?
Best wishes,
Dave
============
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Secure 1 field php form - help
Davidjohny wrote:I have heard about php code injection, malicious script and spam.
How can I secure this simple two-page php form?
Code: Select all
<?php $email = $_REQUEST['email'] ; ?>
It's good practice to check the input you receive; check that the data you receive is an email address by using regular expressions. Regarding spam you could implement captcha or a human-test system where a user has to answer a question, type in some word, etc. Check that the form was submitted from your site: set a session variable (or value in a hidden field) and do a check on this value before processing the form.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- Celauran
Re: Secure 1 field php form - help
social_experiment wrote:Regarding spam you could implement captcha or a human-test system where a user has to answer a question, type in some word, etc.
And/or use a honeypot.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Secure 1 field php form - help
Celauran wrote:And/or use a honeypot.
Interesting; how would this be set up, if I only have access to one web server? Or is this something that will only work on a network?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- Celauran
Re: Secure 1 field php form - help
A simple honeypot can consist of a form field hidden by CSS. Humans won't see it, so they won't fill it in. Bots will see it, however, and tend to fill in everything. If that field contains data, discard the post.
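Putting the thread's advice together (social_experiment's input validation and same-site check, Celauran's CSS-hidden honeypot), here is an added example of a hardened SEND.php; it is not code posted by anyone in the thread. It assumes the form page called session_start(), stored a random token in $_SESSION['form_token'] and rendered it in a hidden field named `token`, and that the honeypot field is named `website` and hidden with CSS (all of these names are assumptions).

```php
<?php
// Hardened replacement for SEND.php (added example; field and session names are assumptions).
// The form page is expected to have done:
//   session_start(); $_SESSION['form_token'] = bin2hex(random_bytes(16));
// and to render, alongside the email field:
//   <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['form_token']) ?>">
//   <div style="display:none"><input type="text" name="website" value=""></div>  <!-- honeypot -->
session_start();

// Returns null when the submission is acceptable, otherwise a short reason for rejecting it.
function validate_subscription(array $post, ?string $expected_token): ?string
{
    // 1. Same-site check: the session token must exist and match the hidden field.
    if ($expected_token === null || !isset($post['token'])
        || !hash_equals($expected_token, (string) $post['token'])) {
        return 'bad-token';
    }
    // 2. Honeypot: a human never sees the CSS-hidden field, so any value means a bot filled it.
    if (isset($post['website']) && $post['website'] !== '') {
        return 'honeypot';
    }
    // 3. Read only from $_POST (not $_REQUEST) and accept only a syntactically valid address.
    $email = trim((string) ($post['email'] ?? ''));
    if ($email === '' || strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'bad-email';
    }
    // 4. Belt and braces: CR/LF are what would allow mail-header injection, so refuse them explicitly.
    if (preg_match('/[\r\n]/', $email)) {
        return 'bad-email';
    }
    return null;
}

$reason = validate_subscription($_POST, $_SESSION['form_token'] ?? null);
unset($_SESSION['form_token']);              // the token is single-use
if ($reason !== null) {
    http_response_code(400);
    exit('Subscription request rejected.');  // do not echo the reason or the input back to the client
}

$email = $_POST['email'];
// The visitor's address only ever goes into the message body; the additional-headers
// argument, where injected CR/LF would matter, is a fixed string you control.
mail('myemail@mydomain.com', 'Newsletter Request', "Subscriber: $email",
     "From: newsletter@mydomain.com\r\n");
echo 'Thank you, your request has been received.';
```

Log the rejection reason server-side rather than showing it, so a bot gets no feedback on which check it failed.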
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Secure 1 field php form - help
Ah ok; thanks for the idea 
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: Secure 1 field php form - help
Thanks Celauran for the idea of a honeypot.
x_mutatis_mutandis_x
- Forum Contributor
- Posts: 160
- Joined: Tue Apr 17, 2012 12:57 pm
Re: Secure 1 field php form - help
Celauran wrote:A simple honeypot can consist of a form field hidden by CSS. Humans won't see it, so they won't fill it in. Bots will see it, however, and tend to fill in everything. If that field contains data, discard the post.
That's very clever and ingenious.