Complete beginner

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

uncle tom
Forum Newbie
Posts: 2
Joined: Tue Apr 03, 2007 3:07 am

Complete beginner

Post by uncle tom »

I know that this will be a complete bore to you chaps but a complete newbie to PHP begs information.

I've found a PHP tutorial online that demonstrated how to make a functioning PHP form for checkboxes, input fields and that sort of thing. I've introduced it to a website and got it all working but I'm not clear how to make it safe from possible manipulation from unsavoury.

Is there code which can be used to protect input fields which is easy to understand and can be used time and again?

Best wishes

Uncle Tom
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Why don't you post the code you have, and we'll give you suggestions as to how you could improve its security :)
uncle tom
Forum Newbie
Posts: 2
Joined: Tue Apr 03, 2007 3:07 am

hope this is ok

Post by uncle tom »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


It would be great if you could. It's giving me a headache.

Here's the PHP, and my concerns are over the email, telephone and name inputs. I've been wondering if I'm being overly anxious, but according to everything I've been reading you must prepare for the worst.

<?php
   // NB: this snippet starts part-way through an if/else; the opening
   // "if (...) {" branch (the one that shows the form) is not part of the post.
   } else {
      error_reporting(0);
      // initialize an array to
      // hold any errors we encounter
      $errors = array();

      // create empty array for any missing fields (never filled in below)
      $missing = array();

      // assume that there is nothing suspect
      $suspect = false;
      // create a pattern to locate suspect phrases (defined here but never applied)
      $pattern = '/Content-Type:|Bcc:|Cc:/i';

      // check to see if a name was entered
      // (each test only fails on a missing, empty or "0" value; no format check)
      if (!$_POST['Name'])
         $errors[] = "Name is required";
      if (!$_POST['Email'])
         $errors[] = "Email is required";
      if (!$_POST['Telephone'])
         $errors[] = "Tel is required";

      // if there are any errors, display them
      if (count($errors)>0) {
         foreach($errors as $err)
            echo "$err<br>\n";
         echo "<br>Please click back button to fix.";
      } else {

         // list expected fields (never used below)
         $expected = array('Name', 'Email', 'Telephone');

         // no errors, so we build our message

         // every branch picks the same address, so the switch has no effect yet
         switch($_POST['generator']){
            case 'New':
               $recipient = 'toma@yahoo.co.uk';
               break;
            case 'Second User':
               $recipient = 'toma@yahoo.co.uk';
               break;
            case 'Either':
               $recipient = 'toma@yahoo.co.uk';
               break;
            default:
               $recipient = 'toma@yahoo.co.uk';
         }

         $subject = "Quick Quote";
         $from = stripslashes($_POST['Name']);
         $msg = "Message sent by $from\n";
         // the posted values are copied into the message body exactly as received
         $msg.="\nEmail: ".$_POST['Email'];
         $msg.="\nTelephone: ".$_POST['Telephone'];
         $msg.="\nCustomer Status: ".$_POST['existingcustomer'];
         $msg.="\nUsage: ".$_POST['Usage'];
         $msg.="\nspares: ".$_POST['spares'];
         $msg.="\n".stripslashes($_POST['MsgBody'])."\n";

         if (mail($recipient,$subject,$msg)){
            echo "<p>Thanks for contacting us</p>";
            // echoes the submitted text straight back into the page, unescaped
            echo nl2br($msg);
         } else
            echo "An unknown error occurred.";
      }
   }
?>
This is the original code that I've butchered.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>E-mail with Attachment</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php
   if ($_SERVER['REQUEST_METHOD']=="POST"){

   // we'll begin by assigning the To address and message subject
   $to="somebody@example.com";

   $subject="E-mail with attachment";

   // get the sender's name and email address
   // we'll just plug them into a variable to be used later
   // (both values go into the From: header below exactly as posted)
   $from = stripslashes($_POST['fromname'])."<".stripslashes($_POST['fromemail']).">";

   // generate a random string to be used as the boundary marker
   $mime_boundary="==Multipart_Boundary_x".md5(mt_rand())."x";

   // store the file information to variables for easier access
   // (name and type are reported by the browser and are placed in MIME headers below)
   $tmp_name = $_FILES['filename']['tmp_name'];
   $type = $_FILES['filename']['type'];
   $name = $_FILES['filename']['name'];
   $size = $_FILES['filename']['size'];

   // here we'll hard code a text message
   // again, in reality, you'll normally get this from the form submission
   $message = "Here is your file: $name";

   // if the upload succeeded, the file will exist
   if (file_exists($tmp_name)){

      // check to make sure that it is an uploaded file and not a system file
      if(is_uploaded_file($tmp_name)){

         // open the file for a binary read
         $file = fopen($tmp_name,'rb');

         // read the file content into a variable
         $data = fread($file,filesize($tmp_name));

         // close the file
         fclose($file);

         // now we encode it and split it into acceptable length lines
         $data = chunk_split(base64_encode($data));
      }

      // now we'll build the message headers
      $headers = "From: $from\r\n" .
         "MIME-Version: 1.0\r\n" .
         "Content-Type: multipart/mixed;\r\n" .
         " boundary=\"{$mime_boundary}\"";

      // next, we'll build the message body
      // note that we insert two dashes in front of the
      // MIME boundary when we use it
      $message = "This is a multi-part message in MIME format.\n\n" .
         "--{$mime_boundary}\n" .
         "Content-Type: text/plain; charset=\"iso-8859-1\"\n" .
         "Content-Transfer-Encoding: 7bit\n\n" .
         $message . "\n\n";

      // now we'll insert a boundary to indicate we're starting the attachment
      // we have to specify the content type, file name, and disposition as
      // an attachment, then add the file content and set another boundary to
      // indicate that the end of the file has been reached
      $message .= "--{$mime_boundary}\n" .
         "Content-Type: {$type};\n" .
         " name=\"{$name}\"\n" .
         //"Content-Disposition: attachment;\n" .
         //" filename=\"{$fileatt_name}\"\n" .
         "Content-Transfer-Encoding: base64\n\n" .
         $data . "\n\n" .
         "--{$mime_boundary}--\n";

      // now we just send the message
      if (@mail($to, $subject, $message, $headers))
         echo "Message Sent";
      else
         echo "Failed to send";
   }
} else {
?>
<p>Send an e-mail with an attachment:</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"
   enctype="multipart/form-data" name="form1">
   <p>From name: <input type="text" name="fromname"></p>
   <p>From e-mail: <input type="text" name="fromemail"></p>
   <p>File: <input type="file" name="filename"></p>
   <p><input type="submit" name="Submit" value="Submit"></p>
</form>
<?php } ?>
</body>
</html>

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I would recommend using Swift for your emailing purposes. It will do a ton of work for you when it comes to creating emails.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I agree with feyd on using Swift for mailing. It is the best mailing library available.

The code you posted has potential issues all over it and could stand to be cleaned up a bit.

<?php
   } else {
      error_reporting(0);

      // initialize an array to
      // hold any errors we encounter
      $errors = array();

      // create empty array for any missing fields
      $missing = array();

      // assume that there is nothing suspect
      $suspect = false;

      // create a pattern to locate suspect phrases
      $pattern = '/Content-Type:|Bcc:|Cc:/i';

      // check to see if a name was entered
      /**
       * THIS DOES NOT CHECK ANYTHING OTHER THAN THE VAR NOT BEING FALSE
       * Consider using something a little cleaner, along the lines of:
       */
      /*
      if (!empty($_POST['Name']))
      {
        $temp_name = $_POST['Name'];
        if (strlen(trim($temp_name)) > 5) // Or some other value that you'd expect for a name length
        {
            if (preg_match('/[a-z\s]$/i', $temp_name))
            {
                // Now we are looking better....
            }
        }
      }
      // That was just an example and should not be used in production
      */
      if (!$_POST['Name'])
         $errors[] = "Name is required";
      if (!$_POST['Email'])
         $errors[] = "Email is required";
      if (!$_POST['Telephone'])
         $errors[] = "Tel is required";

      // if there are any errors, display them
      if (count($errors)>0) {
         foreach($errors as $err)
            echo "$err<br>\n";
         echo "<br>Please click back button to fix.";
      } else {

         // list expected fields
         $expected = array('Name', 'Email', 'Telephone');

         // no errors, so we build our message

         switch($_POST['generator']){
            case 'New':
               $recipient = 'toma@yahoo.co.uk';
               break;
            case 'Second User':
               $recipient = 'toma@yahoo.co.uk';
               break;
            case 'Either':
               $recipient = 'toma@yahoo.co.uk';
               break;
            default:
               $recipient = 'toma@yahoo.co.uk';
         }

         $subject = "Quick Quote";
         $from = stripslashes($_POST['Name']);
         $msg = "Message sent by $from\n";
         $msg.="\nEmail: ".$_POST['Email'];
         $msg.="\nTelephone: ".$_POST['Telephone'];
         $msg.="\nCustomer Status: ".$_POST['existingcustomer'];
         $msg.="\nUsage: ".$_POST['Usage'];
         $msg.="\nspares: ".$_POST['spares'];
         $msg.="\n".stripslashes($_POST['MsgBody'])."\n";

         if (mail($recipient,$subject,$msg)){
            echo "<p>Thanks for contacting us</p>";
            echo nl2br($msg);
         } else
            echo "An unknown error occurred.";
      }
   }
?>
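As an added worked example for this thread (not code from any of the posts above, nor from the tutorial uncle tom started with), here is one reusable validator that answers uncle tom's question about protecting the name, email and telephone fields and follows up RobertGonzalez's point that `!$_POST['Name']` only tests for a false value. The field names, the `Content-Type:|Bcc:|Cc:` pattern and the recipient address come from the posted code; the name length limit, the telephone format and the `validate_contact_form` / `build_quote_message` function names are assumptions made for this example. `filter_var` needs PHP 5.2 or later.

```php
<?php
// Added example: reusable validation for the quote form discussed above.
// Field names are taken from the posted code; limits and patterns are assumptions.

/**
 * Validates the posted fields. Returns an array of error messages;
 * an empty array means the submission is acceptable.
 */
function validate_contact_form(array $input)
{
    $errors = array();

    // Any value that may be copied into a mail header must never contain a
    // line break: a CR or LF is what turns one header line into several.
    foreach (array('Name', 'Email', 'Telephone') as $field) {
        if (!isset($input[$field]) || trim($input[$field]) === '') {
            $errors[] = "$field is required";
        } elseif (preg_match('/[\r\n]/', $input[$field])) {
            $errors[] = "$field must not contain line breaks";
        }
    }

    // The posted code defines this pattern but never applies it; here it is
    // run over every field, including the free-text message body.
    foreach ($input as $field => $value) {
        if (is_string($value) && preg_match('/Content-Type:|Bcc:|Cc:/i', $value)) {
            $errors[] = "$field contains a suspect phrase";
        }
    }

    if (isset($input['Name']) && strlen(trim($input['Name'])) > 100) { // assumed limit
        $errors[] = 'Name is too long';
    }
    if (isset($input['Email'])
        && filter_var($input['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address';
    }
    if (isset($input['Telephone'])
        && !preg_match('/^\+?[0-9 ()-]{6,20}$/', $input['Telephone'])) { // assumed format
        $errors[] = 'Telephone may only contain digits, spaces, brackets, + and -';
    }

    return $errors;
}

/**
 * Builds the plain-text body from a fixed list of expected fields, so a
 * submission cannot add fields of its own. Line breaks are harmless in the
 * body; only values destined for headers need the stricter checks above.
 */
function build_quote_message(array $input)
{
    $expected = array('Name', 'Email', 'Telephone', 'existingcustomer',
                      'Usage', 'spares', 'MsgBody');
    $msg = '';
    foreach ($expected as $field) {
        $value = isset($input[$field]) ? $input[$field] : '';
        $msg .= $field . ': ' . $value . "\n";
    }
    return $msg;
}

// Constructed sample submission: a Name value carrying a line break and an
// extra header, the kind of input the unused pattern was meant to catch.
// It is rejected before mail() is ever called.
$sample = array(
    'Name'      => "Tom\r\nBcc: list@example.com",
    'Email'     => 'tom@example.com',
    'Telephone' => '01234 567890',
    'MsgBody'   => "Please send me a quote.\nThanks.",
);

$errors = validate_contact_form($sample);
if (count($errors) > 0) {
    foreach ($errors as $err) {
        // Error text can repeat what the visitor typed, so escape it on output.
        echo htmlspecialchars($err, ENT_QUOTES, 'ISO-8859-1') . "<br>\n";
    }
} else {
    // Recipient is fixed server-side; From: is built only from a validated address.
    $headers = 'From: ' . $sample['Email'] . "\r\n";
    $msg     = build_quote_message($sample);
    if (mail('toma@yahoo.co.uk', 'Quick Quote', $msg, $headers)) {
        echo "<p>Thanks for contacting us</p>\n";
        echo nl2br(htmlspecialchars($msg, ENT_QUOTES, 'ISO-8859-1'));
    } else {
        echo 'An unknown error occurred.';
    }
}
```

Run as a page with `$sample` replaced by `$_POST`, the script prints two errors for the sample above ("Name must not contain line breaks" and "Name contains a suspect phrase") and sends nothing; a clean submission is mailed and echoed back through `htmlspecialchars`, which is the part the posted `echo nl2br($msg)` leaves out.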