...

View Full Version : PHP security needed for this send email form?



optimus203
12-01-2008, 02:53 AM
Hey everyone. I'm a complete newbie in the PHP world, and will be taking a class in it next term. I revised this PHP send mail script I found on the internet. It seems really simple, and I'm just wondering if something is missing, or if this script looks secure. I was doing some research on PHP security, and didn't really understand if this little script was related, since I am completely unfamiliar with the language. Any insights would be greatly appreciated. Thanks in advance.

Also, would anybody be able to assist on making certain form input fields mandatory, therefore sending an error message when one of these input fields isn't filled out upon submitting the form?


<?php
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$phone = $_REQUEST['phone'] ;
$find = $_REQUEST['find'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;

mail( "test@example.com", "$subject",
$message, "From: $email" );
header( "Location: http://www.example.com/mailconfirm.html" );
?>

_Aerospace_Eng_
12-01-2008, 07:40 AM
It's actually very insecure. I suggest you read this, as it pertains to PHP contact scripts.

http://www.phpbuilder.com/columns/ian_gilfillan20060412.php3
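Added example, not from the thread or the linked article: the header injection the article is about, shown against the original script's `"From: $email"` header. The attacker address and the two Bcc recipients are constructed test data, the helper names are mine, and nothing is sent; it runs under the php CLI (PHP 7.1 or later).

```php
<?php
// Added example (not from the thread): what mail() header injection looks like
// when a form field is dropped straight into the "From:" header, as the
// original script does with "From: $email". Nothing is sent; the functions only
// build and inspect the header string that mail() would be handed.

// Constructed attacker input: a valid-looking address followed by CRLF and an
// extra header. In a real submission the newlines arrive URL-encoded (%0D%0A)
// in the form field or query string and are decoded before they reach $_REQUEST.
const ATTACKER_EMAIL = "attacker@example.com\r\nBcc: victim1@example.org, victim2@example.org";

// Mirrors the original script: the field is trusted as-is.
function build_headers_insecure(string $email): string
{
    return "From: $email";
}

// Hardened variant: accept only a single syntactically valid address and refuse
// anything containing CR or LF. Returns null when the input is rejected.
function build_headers_secure(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // filter_var alone is not a substitute for this check (a quoted local part
    // may admit backslash-escaped control characters), so reject CR/LF explicitly.
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    return "From: $email";
}

// How many header lines the mail transfer agent will see. More than one line
// coming out of a single "From:" field means an injection succeeded.
function header_line_count(string $headers): int
{
    return count(preg_split('/\r\n|\r|\n/', $headers));
}

$insecure = build_headers_insecure(ATTACKER_EMAIL);
echo "Insecure header block, " . header_line_count($insecure) . " lines:\n";
echo $insecure . "\n\n";

$secure = build_headers_secure(ATTACKER_EMAIL);
echo "Hardened variant: " . ($secure === null ? "input rejected, mail not sent" : $secure) . "\n";

// The same check lets a clean address through untouched.
echo "Clean address:    " . build_headers_secure("reader@example.com") . "\n";
```

The insecure block comes out as two header lines, the second being the attacker's Bcc list, which is exactly what turns a contact form into an open relay for spam; the hardened variant rejects the same input and accepts the clean address.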

optimus203
12-01-2008, 08:34 PM
Thanks! I will check this out tonight when I get home, and make the appropriate revisions. Thanks so much for the help.

optimus203
12-02-2008, 03:45 AM
Okay. So I went through the useful page you recommended. Since I'm still learning the PHP scripting language, I'm still unsure if this is correct. I read through the 2 page article, and copy/pasted the suggestions while beginning to grasp the PHP coding concept. Can anyone confirm if the commands look proper and functional?

Another question I have is: where do these echo commands show up? On a separate page with just the text, or within the html form somewhere? Any help would be greatly appreciated. Thanks in advance.



<form method="post" action="getintouch.php">
<table width="700px">
<tr>
<td class="taR">* Name &nbsp;</td>
<td class="taL"><input type="text" name="name" size="30"/></td>
</tr>
<tr>
<td class="taR">* Email Address &nbsp;</td>
<td class="taL"><input type="text" name="email" size="30" /></td>
</tr>
<tr>
<td class="taR">Phone number &nbsp;</td>
<td class="taL"><input type="text" name="phone" size="30" /></td>
</tr>
<tr>
<td class="taR">How did you find us? &nbsp;</td>
<td class="taL">
<select name="find">
<option value="findchoose"> * Please select an option </option>
<option value="google"> Google </option>
<option value="yahoo"> Yahoo </option>
<option value="othersearch"> Other Search Engine </option>
<option value="othersite"> Other Website </option>
</select></td>
</tr>
<tr>
<td class="taR">* Subject &nbsp;</td>
<td class="taL">
<select name="subject">
<option value="choose"> * Please select your enquiry </option>
<option value="webdesign"> Web Design quote </option>
<option value="webpromo"> Web Promotions quote </option>
<option value="webmaintain"> Web Maintenance quote </option>
<option value="graphicsdesign"> Graphic Design quote </option>
<option value="photography"> Photography quote </option>
<option value="general"> General enquiry </option>
<option value="linkexchange"> Link Exchange </option>
</select></td>
</tr>
<tr>
<td class="taR">* Message &nbsp;</td>
<td class="taL">
<textarea name="message" rows="10" cols="26"></textarea><br /><br />
<input type="submit" value="Send" />
<input type="reset" value="Reset" /></td>
</tr>

</table>
</form>




<?php
$name = $_REQUEST['name'] ;
$email = $_REQUEST['email'] ;
$phone = $_REQUEST['phone'] ;
$find = $_REQUEST['find'] ;
$subject = $_REQUEST['subject'] ;
$message = $_REQUEST['message'] ;

// Regex taken from the linked article: one address, any letter case.
function is_valid_email($email) {
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

// Stop if the value carries header keywords that have no business in a form field.
function contains_bad_str($str_to_test) {
    $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "content-transfer-encoding:",
        "bcc:",
        "cc:",
        "to:"
    );

    foreach ($bad_strings as $bad_string) {
        // stripos() is a case-insensitive substring search; it replaces eregi(),
        // which was deprecated in PHP 5.3 and removed in PHP 7.
        if (stripos($str_to_test, $bad_string) !== false) {
            echo "$bad_string found. Suspected injection attempt - mail not being sent.";
            exit;
        }
    }
}

// Stop if the value contains a raw or URL-encoded line break, the building
// block of a header injection.
function contains_newlines($str_to_test) {
    if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
        // Escape the echoed value so a rejected input cannot inject HTML instead.
        echo "newline found in " . htmlspecialchars($str_to_test) . ". Suspected injection attempt - mail not being sent.";
        exit;
    }
}

if ($_SERVER['REQUEST_METHOD'] != "POST") {
    echo("Unauthorized attempt to access page.");
    exit;
}

if (!is_valid_email($email)) {
    echo 'Sorry, invalid email';
    exit;
}

contains_bad_str($email);
contains_bad_str($subject);
contains_bad_str($message);   // was contains_bad_str(body): "body" is an undefined constant

contains_newlines($email);
contains_newlines($subject);

mail( "example@example.com", "$subject",
$message, "From: $email" );
header( "Location: http://www.example.com/mailconfirm.html" );
exit;
?>
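Added example, not code from the thread: a getintouch.php that makes name, email, subject and message mandatory, whitelists the two select fields, reports the errors in the page, and only calls mail() once everything passes. The field and option names are taken from the form above; the recipient address and confirmation URL are placeholders, the helper names are mine, and it assumes PHP 7.1 or later. Run from the command line it does a dry run on constructed input and sends nothing.

```php
<?php
// Added example (not from the thread): a single getintouch.php that shows the
// empty form on GET, validates the POSTed fields, reports the errors in the
// page, and only then calls mail(). Field and option names match the form in
// the post above; the recipient address is a placeholder. Needs PHP 7.1+.

const RECIPIENT   = 'test@example.com';                         // placeholder
const CONFIRM_URL = 'http://www.example.com/mailconfirm.html';  // as in the thread

// Allowed values of the two <select> fields. "subject" ends up in a mail
// header, so it is never used as free text: the key is mapped to a fixed label.
const SUBJECTS = [
    'webdesign'      => 'Web Design quote',
    'webpromo'       => 'Web Promotions quote',
    'webmaintain'    => 'Web Maintenance quote',
    'graphicsdesign' => 'Graphic Design quote',
    'photography'    => 'Photography quote',
    'general'        => 'General enquiry',
    'linkexchange'   => 'Link Exchange',
];
const FIND_OPTIONS = ['google', 'yahoo', 'othersearch', 'othersite'];

// Read one field as a trimmed string; missing fields and non-string values
// (e.g. name[]=x submitted as an array) become ''.
function field(array $in, string $key): string
{
    $v = $in[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Returns a list of error messages; an empty list means the input may be mailed.
function validate_contact(array $in): array
{
    $errors = [];
    if (field($in, 'name') === '')    { $errors[] = 'Name is required.'; }
    if (field($in, 'message') === '') { $errors[] = 'Message is required.'; }

    $email = field($in, 'email');
    if ($email === '') {
        $errors[] = 'Email address is required.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false
              || preg_match('/[\r\n]/', $email) === 1) {
        // A CR/LF here would inject extra headers through "From:".
        $errors[] = 'Email address is not valid.';
    }
    // Whitelist rather than blacklist: anything not in the list is rejected,
    // including the "* Please select your enquiry" placeholder.
    if (!array_key_exists(field($in, 'subject'), SUBJECTS)) {
        $errors[] = 'Please select your enquiry.';
    }
    $find = field($in, 'find');
    if ($find !== '' && $find !== 'findchoose' && !in_array($find, FIND_OPTIONS, true)) {
        $errors[] = 'Please choose a valid "How did you find us?" option.';
    }
    $phone = field($in, 'phone');
    if ($phone !== '' && preg_match('/^[0-9 +().-]{6,30}$/', $phone) !== 1) {
        $errors[] = 'Phone number may only contain digits, spaces and + ( ) . -';
    }
    return $errors;
}

// The optional fields go into the body, never into headers, so their content
// cannot alter the envelope.
function build_body(array $in): string
{
    return 'Name: '      . field($in, 'name')    . "\n"
         . 'Email: '     . field($in, 'email')   . "\n"
         . 'Phone: '     . field($in, 'phone')   . "\n"
         . 'Found via: ' . field($in, 'find')    . "\n\n"
         . field($in, 'message') . "\n";
}

// echo output lands in the page at the point where this code runs, so call this
// before the <form> markup and the messages appear above the form.
function render_errors(array $errors): void
{
    if ($errors === []) { return; }
    echo "<ul class=\"errors\">\n";
    foreach ($errors as $e) {
        echo '  <li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    echo "</ul>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed input for a dry run from the command line; nothing is sent.
    render_errors(validate_contact([
        'name' => '', 'email' => "a@b.example\r\nBcc: x@example.org",
        'subject' => 'choose', 'message' => 'hello',
    ]));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {   // $_POST only: no query-string or cookie input
    $errors = validate_contact($_POST);
    if ($errors === []) {
        $from = field($_POST, 'email');
        mail(RECIPIENT, SUBJECTS[field($_POST, 'subject')], build_body($_POST),
             "From: $from\r\nReply-To: $from");
        header('Location: ' . CONFIRM_URL);
        exit;
    }
    render_errors($errors);   // the <form> markup follows and is shown again with the errors
}
// The <form method="post" action="getintouch.php"> markup from the post goes below this line.
```

Because the PHP block sits before the form markup and is only followed by the redirect when there are no errors, nothing is echoed before header() is called, and the error list is rendered in the same page as the form rather than on a bare page of its own. Reading from $_POST instead of $_REQUEST also means a query string appended to a POST, or a cookie of the same name, cannot supply a field value.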

_Aerospace_Eng_
12-02-2008, 06:16 AM
It's not going to work. You need to be using $_POST, not $_REQUEST.

optimus203
12-02-2008, 02:36 PM
The original script worked before with $_REQUEST. Is the $_POST change due to all the added security which was included? Thanks so much for your assistance. You have been very helpful.

_Aerospace_Eng_
12-02-2008, 03:03 PM
The original script worked before with $_REQUEST. Is the $_POST change due to all the added security which was included? Thanks so much for your assistance. You have been very helpful.

It would work with $_REQUEST, but someone could just use something like this:

http://urltoyourscript.php?email=blah@blah.com&message=blah etc. However, now you have the check to see that the request method is POST.


