Secure form script in php-reg

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

karikalan
Forum Newbie
Posts: 1
Joined: Tue Jan 02, 2007 2:41 am

Secure form script in php-reg

Post by karikalan »

Hi All,
I was using a PHP mail script on my site which was recently abused by spammers and my site was put down. I recently installed a secure form script from this URL http://www.dagondesign.com/articles/...mailer-script/

I am not sure how secure it is. The hosting person is telling me that there is no way he can tell whether or not the form is secure. Can any of you suggest a secure form or tell me whether or not the current form is secure....

...and cannot be hacked?

Your help is appreciated.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

I get a 404 with that link.
I am not sure how secure it is. The hosting person is telling me that there is no way he can tell whether or not the form is secure. Can any of you suggest a secure form or tell me whether or not the current form is secure....
You can never know for certain if it is secure but you can be pretty close to certain if you do a security audit. There are things you should look out for:
  • XSS (Cross Site Scripting) vulnerabilities where user input, including that via a database, is outputted to the browser without being sanitized first and allows hackers to inject JavaScript into the page with your form and change its functionality to something more sinister such as redirecting the action of the form to the hacker's own server where they can do whatever they please with it.
  • CSRF (Cross Site Request Forgery) vulnerabilities where submissions of the form can be spoofed from external sources - sessions are required to prevent this
  • Mail header injection vulnerabilities where input can be used to change aspects of the action performed, the worst of which is sending the email to someone other than it is intended.
Others probably know more.

d11, who is probably around here somewhere, developed SwiftMailer so he can probably tell you how secure that is against Mail header injection. I'm willing to bet it's very secure. CSRF is specific to forms and you can learn about it from here. XSS is something you have to work on yourself - make sure you use htmlspecialchars() when outputting user input. Do a Google search on any of these to learn more.
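The three checks from the list above (a session token against CSRF, a CR/LF check on anything that reaches a mail header, htmlspecialchars() on anything echoed back) put together in one minimal contact-form handler. This is an added example, not code from the thread or from the dagondesign script; the field names, the example.com addresses and the helper names are assumptions.

```php
<?php
// Added example, not code from the thread or from the dagondesign script.
// Assumes a form posting "subject", "email", "message" and a hidden "token".
session_start();
// CSRF: a per-session token that the form must echo back.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
function has_valid_csrf_token(array $post, array $session): bool
{
    return isset($post['token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['token']);
}
// Mail header injection: a value placed in a header must contain no CR/LF,
// otherwise the submitter can append their own To:/Bcc: lines.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}
// XSS: escape user input before it goes back into the HTML page.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $subject = trim((string) ($_POST['subject'] ?? ''));
    $email   = trim((string) ($_POST['email'] ?? ''));
    $message = (string) ($_POST['message'] ?? '');
    if (!has_valid_csrf_token($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Form token missing or stale; reload the page and try again.');
    }
    // FILTER_VALIDATE_EMAIL also rejects addresses containing CR/LF.
    if (!is_header_safe($subject) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        exit('Rejected subject or address: ' . h($subject) . ' / ' . h($email));
    }
    // Recipient and From are fixed by the site; only validated values reach headers.
    $headers = "From: contact-form@example.com\r\nReply-To: " . $email;
    mail('owner@example.com', $subject, $message, $headers);
    echo 'Thanks, your message "' . h($subject) . '" was sent.';
}
?>
<form method="post">
  <input type="hidden" name="token" value="<?= h($_SESSION['csrf_token']) ?>">
  <input name="email"> <input name="subject"> <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

The token check has to come before anything is mailed, and the recipient address stays hard-coded so that no submitted value can ever choose who receives the message.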