Email Validation Error

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Email Validation Error

Post by matthijs »

I think a problem is that there is no input validation for any of the form fields posted. So $mailmessage, $_POST['field_1'] and $_POST['field_2'] should have at least some basic input filtering/validation.

As to the spam: you could also try something with an extra input field and a basic, simple question. Like "Please uncheck the following checkbox to show this is not spam". Or "Who is bigger, a cat or a dog?". Most spambots will choke on those.

But I do understand that, just as with the captcha, something like that makes your form harder to use.

nootkan
Forum Newbie
Posts: 14
Joined: Sat Mar 08, 2008 2:41 pm

Re: Email Validation Error

Post by nootkan »

I thought that was taken care of with JS in form.html. I have since blacklisted the IP address of the offenders and haven't received any spam lately, so that is a good (but temporary) thing I guess.
Nootkan

matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Email Validation Error

Post by matthijs »

You cannot rely on JavaScript validation. Never. JavaScript can be turned off by the user/attacker and, as far as I know, bots don't even care about it. Always have solid validation on the server side. JavaScript validation is there only for convenience (no page reload needed to show form errors) for the users that have JS on.
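The server-side checks matthijs asks for above, plus the "uncheck this box" spam question from his earlier post, as an added example that is not code from this thread or from nootkan's script. The field names (email, subject, message, not_spam) and the length limits are assumptions; the point is that these checks run on the server no matter what form.html's JavaScript does.

```php
<?php
// Added example, not code from this thread: server-side validation for the
// contact form, run regardless of any JavaScript in form.html. The field
// names (email, subject, message, not_spam) are assumptions.

// Returns a list of error strings; an empty list means the submission passed.
function validate_contact_form(array $post): array
{
    $errors = [];

    // The "uncheck this box" idea from the thread: the box is rendered checked
    // and a human unchecks it, so a submission with it still set is rejected.
    if (!empty($post['not_spam'])) {
        $errors[] = 'Spam check failed.';
    }

    // Email: let PHP's validator decide, rather than a hand-written regex.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address.';
    }

    // Single-line field: required, bounded, and free of control characters
    // (including CR/LF) before it is handed to mail().
    $subject = (string)($post['subject'] ?? '');
    if (trim($subject) === '' || strlen($subject) > 200) {
        $errors[] = 'Subject is missing or too long.';
    } elseif (preg_match('/[\x00-\x1f\x7f]/', $subject)) {
        $errors[] = 'Subject contains control characters.';
    }

    // Message body: newlines are normal here, so normalise line endings and
    // reject only the remaining control characters.
    $message = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));
    if (trim($message) === '' || strlen($message) > 5000) {
        $errors[] = 'Message is missing or too long.';
    } elseif (preg_match('/[\x00-\x09\x0b-\x1f\x7f]/', $message)) {
        $errors[] = 'Message contains control characters.';
    }
    return $errors;
}

// Constructed sample submissions; run with: php validate.php
$good = ['email' => 'user@example.com', 'subject' => 'Opening hours',
         'message' => "Hi,\nare you open on Sundays?", 'not_spam' => ''];
$bad  = ['email' => 'not-an-address', 'subject' => "Hi\r\nextra line",
         'message' => '', 'not_spam' => 'on'];
print_r(validate_contact_form($good)); // a clean submission
print_r(validate_contact_form($bad));  // every check trips on this one
```

In the real script, only send the mail when the returned list is empty; otherwise show the errors and redisplay the form.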
nootkan
Forum Newbie
Posts: 14
Joined: Sat Mar 08, 2008 2:41 pm

Re: Email Validation Error

Post by nootkan »

Thanks for all your input. I guess I'll have to scrap the form idea to replace email addresses on my websites as I am unable to figure out how to secure the script. :oops: Some day maybe. Thanks again.
Nootkan