Secure form script in php-reg
Posted: Wed Jan 03, 2007 6:36 am
by karikalan
Hi All,
I was using a PHP mail script on my site which was recently abused by spammers and my site was put down. I recently installed a secure form script from this URL
http://www.dagondesign.com/articles/...mailer-script/
I am not sure how secure it is. The hosting person is telling me that there is no way he can tell whether or not the form is secure. Can any of you suggest a secure form script, or tell me whether or not the current form is secure and cannot be hacked?
Your help is appreciated.
Posted: Wed Jan 03, 2007 8:02 am
by Ollie Saunders
I get a 404 with that link.
I am not sure how secure it is. The hosting person is telling me that there is no way he can tell whether or not the form is secure. Can any of you suggest a secure form script, or tell me whether or not the current form is secure....
You can never know for certain if it is secure, but you can be pretty close to certain if you do a security audit. There are things you should look out for:
- XSS (Cross Site Scripting) vulnerabilities, where user input, including that via a database, is output to the browser without being sanitized first and allows hackers to inject JavaScript into the page with your form and change its functionality to something more sinister, such as redirecting the action of the form to the hacker's own server where they can do whatever they please with it.
- CSRF (Cross Site Request Forgery) vulnerabilities, where form submissions can be spoofed from external sources - sessions are required to prevent this.
- Mail header injection vulnerabilities, where input can be used to change aspects of the action performed, the worst of which is sending the email to someone other than it is intended for.
Others probably know more.
d11, who is probably around here somewhere, developed SwiftMailer, so he can probably tell you how secure that is against mail header injection. I'm willing to bet it's very secure. CSRF is specific to forms and you can learn about it from here. XSS is something you have to work on yourself - make sure you use htmlspecialchars() when outputting user input. Do a Google search on any of these to learn more.
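The three checks listed in the reply above (escaping output against XSS, a session token against CSRF, and refusing line breaks in anything that reaches a mail header) in one minimal PHP contact-form handler. This is an added example written for this thread; it is not the Dagon Design script, SwiftMailer, or anything posted by the original authors. It assumes PHP 7 or later (for random_bytes() and hash_equals()), that mail() is configured on the host, fields named name, email and message, and a fixed destination address, which is a placeholder.

```php
<?php
// Added example for this thread, not the script the original post installed.
// Assumptions: PHP 7+, mail() works on the host, the form posts "name",
// "email" and "message", and $recipient is a placeholder fixed address.

session_start();

$recipient = 'webmaster@example.com'; // fixed destination: never taken from the request

// CSRF: one random token per session, checked on every POST with a
// constant-time comparison so an outside site cannot forge a submission.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Mail header injection: a value such as "a@b.com\nBcc: list@spam.example"
// would add recipients if it landed in the headers, so reject any CR or LF.
function header_safe(string $value): bool {
    return preg_match('/[\r\n]/', $value) !== 1;
}

// XSS: escape everything user-supplied before it is echoed into the page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors = [];
$name = $email = $message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = trim((string)($_POST['name'] ?? ''));
    $email   = trim((string)($_POST['email'] ?? ''));
    $message = (string)($_POST['message'] ?? '');

    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        $errors[] = 'Invalid or missing form token.';
    }
    // The address is the only user value that reaches a header (Reply-To).
    if (!header_safe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }

    if (!$errors) {
        // Recipient and subject are constants; the name goes into the body only.
        $headers = "From: form@example.com\r\n"
                 . "Reply-To: " . $email . "\r\n"
                 . "Content-Type: text/plain; charset=UTF-8\r\n";
        $body = "Name: $name\nEmail: $email\n\n$message\n";
        if (mail($recipient, 'Contact form submission', $body, $headers)) {
            unset($_SESSION['csrf_token']); // rotate so the token cannot be replayed
            echo '<p>Thanks, your message has been sent.</p>';
            exit;
        }
        $errors[] = 'Sending failed; please try again later.';
    }
}
?>
<!DOCTYPE html>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <?php foreach ($errors as $e): ?><p class="error"><?= h($e) ?></p><?php endforeach; ?>
  <label>Name <input name="name" value="<?= h($name) ?>"></label>
  <label>Email <input name="email" value="<?= h($email) ?>"></label>
  <label>Message <textarea name="message"><?= h($message) ?></textarea></label>
  <button type="submit">Send</button>
</form>
```

The point of the layout is that the spammer's usual lever, extra recipients smuggled through a header, has nowhere to go: the To and Subject values are constants in the script, the only user value placed in a header is rejected if it contains a line break, and every value that is echoed back goes through htmlspecialchars(). FILTER_VALIDATE_EMAIL already rejects newlines on its own; the explicit header_safe() check is kept so the rule is visible and survives if someone later adds another header field.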