PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
PostPosted: Thu Apr 05, 2012 12:28 pm 
Forum Newbie

Joined: Thu Apr 05, 2012 12:24 pm
Posts: 1
Hello
I have a website with an online email newsletter subscription form in PHP.

Current status:

Step 1: A visitor fills in his email address.
Step 2: Next, I get the visitor's email address in my INBOX.

The current PHP form consists of two pages:

================================================
[[[ Page with PHP Form Code | Page NO.1 Formpage.php ]]]

<html><body>
<form name="myform" method="post" action="SEND.php"><br>

<input name="email" type="text" id="email" />


<input type="submit" name="Submit" value="Submit" />
</form>
</body></html>
================================================
[[[ Confirmation Page Code | Page NO.2 SEND.php ]]]

<?php
// The address is used exactly as received: no validation, no check that the
// request came from Formpage.php, and $_REQUEST accepts GET as well as POST.
$email = $_REQUEST['email'] ;
mail( "myemail@mydomain.com", "Newsletter Request", "From: $email" );
?>
================================================
I have heard about PHP code injection, malicious scripts and spam.
How can I secure this simple two-page PHP form?

Best wishes,
Dave
============


PostPosted: Thu Apr 05, 2012 6:09 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Davidjohny wrote:
I have heard about PHP code injection, malicious scripts and spam.
How can I secure this simple two-page PHP form?

It's good practise to check the input you receive; check that the data you receive is an email address by using regular expressions. Regarding spam, you could implement a captcha or a human-test system where a user has to answer a question, type in some word, etc. Check that the form was submitted from your site: set a session variable (or a value in a hidden field) and do a check on this value before processing the form.

<?php $email = $_REQUEST['email'] ; ?>

If you have the method of your form as 'post' use $_POST instead of $_REQUEST.

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Thu Apr 05, 2012 6:14 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
social_experiment wrote:
Regarding spam you could implement captcha or a human-test system where a user has to answer a question, type in some word, etc.

And/or use a honeypot.

_________________
Supported PHP versions No longer supported versions


PostPosted: Fri Apr 06, 2012 12:30 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Celauran wrote:
And/or use a honeypot.

Interesting; how would this be set up if I only have access to one web server? Or is this something that will only work on a network?

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Fri Apr 06, 2012 6:31 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
A simple honeypot can consist of a form field hidden by CSS. Humans won't see it, so they won't fill it in. Bots will see it, however, and tend to fill in everything. If that field contains data, discard the post.

_________________
Supported PHP versions No longer supported versions
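A hardened SEND.php, added here as an example and not code from the thread, that combines the earlier advice (validate the address, tie the form to the session, read $_POST instead of $_REQUEST) with the honeypot described in this post. It uses filter_var() in place of a hand-written regular expression, and assumes PHP 7.1 or later plus the field names named in its comments.

```php
<?php
// Added example, not code from the thread: a hardened SEND.php that applies
// the advice above. It accepts POST only (so $_POST replaces $_REQUEST),
// checks a per-session token that Formpage.php put in a hidden field,
// discards posts whose CSS-hidden honeypot field is filled, and validates
// the address. Field names "form_token" and "website" are assumptions.
//
// Formpage.php is assumed to call session_start(), store
// $_SESSION['form_token'] = bin2hex(random_bytes(16)), and add inside <form>:
//   a hidden input named form_token carrying that value, and
//   a text input named website hidden with CSS (e.g. style="display:none").
session_start();

// Returns the reason a submission must be discarded, or null if it is clean.
function check_submission(array $post, array $session): ?string
{
    $sent   = $post['form_token'] ?? null;
    $stored = $session['form_token'] ?? null;
    // Both must be strings; hash_equals avoids a timing side channel.
    if (!is_string($sent) || !is_string($stored) || !hash_equals($stored, $sent)) {
        return 'missing or wrong form token';
    }
    // Honeypot: humans never see the field, so any value means a bot.
    if (!empty($post['website'])) {
        return 'honeypot field filled';
    }
    $email = $post['email'] ?? null;
    // FILTER_VALIDATE_EMAIL also rejects CR/LF, so the value could not smuggle
    // extra headers even if it were later placed in the headers argument.
    if (!is_string($email) || filter_var(trim($email), FILTER_VALIDATE_EMAIL) === false) {
        return 'not a valid email address';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form to subscribe.');
}
$reason = check_submission($_POST, $_SESSION);
unset($_SESSION['form_token']); // one use per rendered form, even on failure
if ($reason !== null) {
    error_log('newsletter form rejected: ' . $reason); // server-side only
    exit('Sorry, your request could not be processed.');
}
// Subject and recipient are constants, so no visitor data reaches mail headers.
$email = trim($_POST['email']);
mail('myemail@mydomain.com', 'Newsletter Request', "From: $email");
```

Rejected submissions are logged but answered with the same generic message, so a bot learns nothing about which check it failed.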


PostPosted: Fri Apr 06, 2012 5:28 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
Ah ok; thanks for the idea :)

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Thu Apr 26, 2012 7:37 am 
Forum Contributor

Joined: Fri Dec 24, 2010 1:48 am
Posts: 143
Location: India
Thanks Celauran for the idea of a honeypot. :D


PostPosted: Thu Apr 26, 2012 10:07 am 
Forum Contributor

Joined: Tue Apr 17, 2012 12:57 pm
Posts: 160
Celauran wrote:
A simple honeypot can consist of a form field hidden by CSS. Humans won't see it, so they won't fill it in. Bots will see it, however, and tend to fill in everything. If that field contains data, discard the post.

That's very clever and ingenious.

