#1 optimus203 (Regular Coder)

    PHP security needed for this send email form?

    Hey everyone. I'm a complete newbie in the PHP world, and will be taking a class in it next term. I revised this PHP send mail script I found on the internet. It seems really simple, and I'm just wondering if something is missing, or if this script looks secure. I was doing some research on PHP security, and didn't really understand if this little script was related, since I am completely unfamiliar with the language. Any insights would be greatly appreciated. Thanks in advance.

    Also, would anybody be able to assist on making certain form input fields mandatory, therefore sending an error message when one of these input fields isn't filled out upon submitting the form?

    PHP Code:
    <?php
    $name    = $_REQUEST['name'];
    $email   = $_REQUEST['email'];
    $phone   = $_REQUEST['phone'];
    $find    = $_REQUEST['find'];
    $subject = $_REQUEST['subject'];
    $message = $_REQUEST['message'];

    mail("test@example.com", "$subject", $message, "From: $email");
    header("Location: http://www.example.com/mailconfirm.html");
    ?>
    Last edited by optimus203; 12-01-2008 at 02:57 AM.

  #2 _Aerospace_Eng_ (Supreme Master coder!)
    It's actually very insecure. I suggest you read this as it pertains to php contact scripts.

    http://www.phpbuilder.com/columns/ia...n20060412.php3
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  #3 optimus203 (Regular Coder)
    Thanks! I will check this out tonight when I get home, and make the appropriate revisions. Thanks so much for the help.

  #4 optimus203 (Regular Coder)
    Okay. So I went through the useful page you recommended. Since I'm still learning the PHP scripting language, I'm still unsure if this is correct. I read through the 2 page article, and copy/pasted the suggestions while beginning to grasp the PHP coding concept. Can anyone confirm if the commands look proper and functional?

    Another question I have is: where do these echo commands show up? On a separate page with just the text, or within the html form somewhere? Any help would be greatly appreciated. Thanks in advance.


    Code:
    <form method="post" action="getintouch.php"> 
          <table width="700px">
            <tr>
              <td class="taR">* Name &nbsp;</td>
              <td class="taL"><input type="text" name="name" size="30"/></td>
            </tr>
            <tr>
              <td class="taR">* Email Address &nbsp;</td>
              <td class="taL"><input type="text" name="email" size="30" /></td>
            </tr>
            <tr>
              <td class="taR">Phone number &nbsp;</td>
              <td class="taL"><input type="text" name="phone" size="30" /></td>
            </tr>
            <tr>
              <td class="taR">How did you find us? &nbsp;</td>
              <td class="taL">
              <select name="find">
              <option value="findchoose"> * Please select an option </option>
              <option value="google"> Google </option>
              <option value="yahoo"> Yahoo </option>
              <option value="othersearch"> Other Search Engine </option>
              <option value="othersite"> Other Website </option>
              </select></td>
            </tr>
            <tr>
              <td class="taR">* Subject &nbsp;</td>
              <td class="taL">
              <select name="subject">
              <option value="choose"> * Please select your enquiry </option>
              <option value="webdesign"> Web Design quote </option>
              <option value="webpromo"> Web Promotions quote </option>
              <option value="webmaintain"> Web Maintenance quote </option>
              <option value="graphicsdesign"> Graphic Design quote </option>
              <option value="photography"> Photography quote </option>
              <option value="general"> General enquiry </option>
              <option value="linkexchange"> Link Exchange </option>
              </select></td>
            </tr>
            <tr>
              <td class="taR">* Message &nbsp;</td>
              <td class="taL">
              <textarea name="message" rows="10" cols="26"></textarea><br /><br />
              <input type="submit" value="Send" /> 
              <input type="reset" value="Reset" /></td>
            </tr>
            
          </table>
          </form>

    PHP Code:
    <?php
    $name    = $_REQUEST['name'];
    $email   = $_REQUEST['email'];
    $phone   = $_REQUEST['phone'];
    $find    = $_REQUEST['find'];
    $subject = $_REQUEST['subject'];
    $message = $_REQUEST['message'];

    function is_valid_email($email) {
      return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
    }

    // Refuse any value that carries header keywords an attacker would need
    // to turn the form into an open relay (mail header injection).
    function contains_bad_str($str_to_test) {
      $bad_strings = array(
        "content-type:",
        "mime-version:",
        "multipart/mixed",
        "Content-Transfer-Encoding:",
        "bcc:",
        "cc:",
        "to:"
      );
      foreach ($bad_strings as $bad_string) {
        // eregi() was removed in PHP 7; stripos() is the case-insensitive replacement
        if (stripos($str_to_test, $bad_string) !== false) {
          echo "$bad_string found. Suspected injection attempt - mail not being sent.";
          exit;
        }
      }
    }

    // A newline (raw or URL-encoded) inside a header value ends that header
    // and lets the sender add further headers of their own.
    function contains_newlines($str_to_test) {
      if (preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
        // escape the echoed value so the rejection page does not reflect raw input
        echo "newline found in " . htmlspecialchars($str_to_test) . ". Suspected injection attempt - mail not being sent.";
        exit;
      }
    }

    if ($_SERVER['REQUEST_METHOD'] != "POST") {
      echo("Unauthorized attempt to access page.");
      exit;
    }

    if (!is_valid_email($email)) {
      echo 'Sorry, invalid email';
      exit;
    }

    contains_bad_str($email);
    contains_bad_str($subject);
    contains_bad_str($message);   // was contains_bad_str(body): "body" is an undefined constant

    contains_newlines($email);
    contains_newlines($subject);

    mail("example@example.com", "$subject", $message, "From: $email");
    header("Location: http://www.example.com/mailconfirm.html");
    ?>

  #5 _Aerospace_Eng_ (Supreme Master coder!)
    It's not going to work. You need to be using $_POST not $_REQUEST.

  #6 optimus203 (Regular Coder)
    The original script worked before with $_REQUEST. Is the $_POST change due to all the added security which was included? Thanks so much for your assistance. You have been very helpful.

  #7 _Aerospace_Eng_ (Supreme Master coder!)
    Quote Originally Posted by optimus203:
    The original script worked before with $_REQUEST. Is the $_POST change due to all the added security which was included? Thanks so much for your assistance. You have been very helpful.
    It would work with $_REQUEST but someone could just use something like this

    http://urltoyourscript.php?email=bla...m&message=blah etc... however now you have the check to see that the request method is post.
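Pulling the thread's advice together (read from $_POST and reject non-POST requests, validate the address, refuse newlines in anything that becomes a mail header, and make the fields from post #1 mandatory), here is a hardened handler for the form in post #4. This is an added example, not code from the thread or the linked article: it swaps the hand-written regex for filter_var(), puts the visitor's address in Reply-To instead of From, and uses constructed placeholder addresses.

```php
<?php
// Added example, not the thread's code: a hardened handler for the form in post #4.
// Recipient and sender addresses are constructed placeholders.
const RECIPIENT = 'inbox@example.com';
const SENDER    = 'website@example.com';
// Reject anything but a real POST, so a crafted GET link (post #7) does nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
$fields = [];   // read only the fields the form defines, from $_POST not $_REQUEST
foreach (['name', 'email', 'phone', 'find', 'subject', 'message'] as $key) {
    $value = $_POST[$key] ?? '';
    $fields[$key] = is_string($value) ? trim($value) : '';   // name[]=x is not a string
}
$errors = [];
foreach (['name', 'email', 'message'] as $key) {   // mandatory free-text fields
    if ($fields[$key] === '') {
        $errors[] = "The field '$key' is required.";
    }
}
// Anything placed in a mail header must not contain CR or LF: a newline would let
// the sender append their own Bcc: or Content-Type: lines (header injection).
foreach (['name', 'email', 'subject'] as $key) {
    if (preg_match('/[\r\n]/', $fields[$key]) === 1) {
        $errors[] = "The field '$key' contains an invalid character.";
    }
}
if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Please enter a valid email address.';
}
// Select inputs are checked against the options the form actually offers.
$subjects = ['webdesign', 'webpromo', 'webmaintain', 'graphicsdesign', 'photography', 'general', 'linkexchange'];
if (!in_array($fields['subject'], $subjects, true)) {
    $errors[] = 'Please select a subject.';
}
if ($errors !== []) {
    foreach ($errors as $e) {   // escape before echoing so the error page is not an XSS sink
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}
// Send from a fixed server address; the visitor's address goes in Reply-To only.
$headers = 'From: ' . SENDER . "\r\nReply-To: " . $fields['email'];
$body    = "Name: {$fields['name']}\nPhone: {$fields['phone']}\nFound via: {$fields['find']}\n\n{$fields['message']}";
if (mail(RECIPIENT, 'Contact form: ' . $fields['subject'], $body, $headers)) {
    header('Location: http://www.example.com/mailconfirm.html');
    exit;
}
echo 'Sorry, the message could not be sent.';
```

Because the subject is allow-listed and the visitor's address is validated and kept out of From, no user-controlled text reaches a mail header unchecked; the errors are echoed on the handler page itself, which answers the question in post #4 about where such messages appear.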

