Online Contact Form Validation

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Ice2257
Forum Newbie
Posts: 8
Joined: Thu Feb 05, 2009 1:17 pm

Online Contact Form Validation

Post by Ice2257 »

<?php

// Every field below is taken straight from the POST request without any validation.
//$mail_body = $_POST['submitterName'];
$mail_body  = $_POST['submitterEmail'];
$mail_body .= "\n";
$mail_body .= "\n";
$mail_body .= $_POST['submitterPhone'];
$mail_body .= "\n";
$mail_body .= "\n";
$mail_body .= $_POST['submitterComments'];

// The submitter-supplied address is placed directly into a mail header.
$from = 'From: ' . $_POST['submitterEmail'];

$recipient = 'Orders@tacobills.com';
$subject   = 'You have an order from ' . $_POST['submitterName'];

mail($recipient, $subject, $mail_body, $from);

header("location: thankyou.html");

?>
Can someone please help me write validation fields. I am currently getting spammed.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Online Contact Form Validation

Post by kaisellgren »

Are you getting spam? How about using a CAPTCHA?

You are insecurely passing all client submitted data into the mail() function. That script is very easily exploitable.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Online Contact Form Validation

Post by Chris Corbyn »

http://recaptcha.net/

The above Captcha will deal with the spam problem. It's easy to use. They have instructions for PHP on their site.

But yes, you need to sanitize your user inputs as ~kaisellgren says. You're open to more than spam currently (search for header injection attacks).
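A hardened version of the OP's script, added here as an example (not code from anyone in the thread): every value that ends up in a mail header is rejected if it contains CR, LF or other control characters, the From header is fixed to the site's own address, and the submitter's address is used only as Reply-To after passing filter_var(). The field names, recipient and redirect are the OP's; the length limits and the orders-form@tacobills.com sender address are assumptions.

```php
<?php
// Hardened contact-form handler (added example, not code from the thread).
// Field names, recipient and redirect come from the OP's script; the length
// limits and the site's own From address are assumptions.

$recipient = 'Orders@tacobills.com';

// Header-bound values must not contain CR, LF or other control characters,
// otherwise a submitter could append extra headers to the message.
function clean_header_field(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

$name  = clean_header_field((string) ($_POST['submitterName']  ?? ''), 100);
$email = clean_header_field((string) ($_POST['submitterEmail'] ?? ''), 254);
$phone = clean_header_field((string) ($_POST['submitterPhone'] ?? ''), 40);

// The comment only ever goes into the body, so newlines are allowed there;
// strip the remaining control characters and cap the length.
$comment = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '',
                        (string) ($_POST['submitterComments'] ?? ''));
$comment = substr(trim($comment), 0, 4000);

if ($name === null || $phone === null || $comment === ''
    || $email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid form submission.');
}

// Headers are built only from validated values. From is a fixed address on
// the site's own domain; the submitter's address goes into Reply-To instead.
$subject = 'You have an order from ' . $name;
$headers = "From: orders-form@tacobills.com\r\n"
         . "Reply-To: $email\r\n"
         . "Content-Type: text/plain; charset=UTF-8";

$mail_body = "Name: $name\nEmail: $email\nPhone: $phone\n\n$comment\n";

mail($recipient, $subject, $mail_body, $headers);
header('Location: thankyou.html');
exit;
```

A CAPTCHA as suggested above still belongs in front of this handler for the spam problem; the validation only closes the header-injection hole.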
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Online Contact Form Validation

Post by kaisellgren »

Chris Corbyn wrote:
http://recaptcha.net/
The above Captcha will deal with the spam problem.
Sorry to poke you, but you cannot know that it will deal with the spam. I have found several weaknesses in reCAPTCHA, mostly in the audio version, but I am not the only one - actually I know someone who has broken the audio version. :wink: ReCAPTCHA is not a bulletproof solution, but a very good one.

CAPTCHAs are pretty much all broken nowadays. All CAPTCHAs created by Microsoft are broken. Same applies to Yahoo. Also, Gmail CAPTCHA is broken, I broke it myself too - the audio version, just listen to it and you'll notice several weaknesses even without analyzing the actual waveform data.

I am very skeptical about the future. It is becoming increasingly hard to make CAPTCHAs, which prevent bots, but not humans. The OP most likely can prevent spamming with reCAPTCHA, but that is not 100% certain.

EDIT: I see that you have just released Swift 4, what's new? :P
Ice2257
Forum Newbie
Posts: 8
Joined: Thu Feb 05, 2009 1:17 pm

Re: Online Contact Form Validation

Post by Ice2257 »

Can someone just edit my code and hand it back to me?

Please

----------------
Now playing: Philly's Q102 - The Man Codes
via FoxyTunes
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: Online Contact Form Validation

Post by jayshields »

Ice2257 wrote:
Can someone just edit my code and hand it back to me?
No, that isn't going to happen. Try it yourself and post back with any further problems.