PHP form sanitization help

codernoob · 01-05-2013, 08:47 PM

Hi,

I am completely new to PHP.. and have been trying to build a webform for a website.

I have set the form using HTML/CSS right and have added a JS script to validate it on the client side (it basically throws an error if the input isnt correct) on the website.

But the issue is my PHP back-end form processor aint working right .. I think am getting XSS attacks .. and would like some help to edit my current PHP form.

Can someone help me with it? The pHp code is below:

Code:

<?php
$title = $_POST['title'];
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$designation = $_POST ['jobt'];
$company = $_POST['cname'];
$event = $_POST['event'];
$purpose = $_POST['purpose'];
$message = $_POST['message'];
$TandC = $_POST['TandC'];
$formcontent=" From: \n Name: $title $name \n Email: $email \n Phone: $phone \n Designation: $designation \n Company: $company \n event: $event  \n Interested in being a: $purpose \n Message: $message";
$recipient = "brochure@xyz.com";
$subject = "Brochure Request";
$mailheader = "From: $email \r\n";
mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
if (isset($_POST['email'])) {
header("Location:thanks.html");
}
?>

AndrewGSW · 01-05-2013, 09:33 PM

I'm not surprised.. you've made no attempt to santize your data to protect against email injection. You could read the linked page and perhaps a little bit of googling/research.

BTW Using die() is very common, but a poor practice. mail() returns false if there is an error:

Code:

if (mail($recipient, $subject, $formcontent, $mailheader) === false) {
    // echo an error message
}

bearing in mind that a return value of true does not mean that the email has been successfully sent or received (there is no way to check this programmatically).

I include a simple question on the email form and check the answer - this is a straight-forward way to reduce the number of attacks.

codernoob · 01-07-2013, 02:49 PM

I have made some changes to the code, can someone check and let me know if the changes i have made are good enough - atleast to a good extend - to stop xss attacks?

Code:

<?php
$title = $_POST['title'];
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$message = $_POST['message'];
$dodgy_strings = array(
                "content-type:"
                ,"mime-version:"
                ,"multipart/mixed"
                ,"bcc:"
);

function is_valid_email($email) {
  return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

function contains_bad_str($str_to_test) {
  $bad_strings = array(
                "content-type:"
                ,"mime-version:"
                ,"multipart/mixed"
		,"Content-Transfer-Encoding:"
                ,"bcc:"
		,"cc:"
		,"to:"
  );
  
  foreach($bad_strings as $bad_string) {
    if(eregi($bad_string, strtolower($str_to_test))) {
      echo "$bad_string found. Suspected injection attempt - mail not being sent.";
      exit;
    }
  }
}

function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "newline found in $str_to_test. Suspected injection attempt - mail not being sent.";
     exit;
   }
} 

if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo("Unauthorized attempt to access page.");
   exit;
}

if (!is_valid_email($email)) {
  echo 'Invalid email submitted - mail not being sent.';
  exit;
}

contains_bad_str($email);
contains_bad_str($name);
contains_bad_str($phone);
contains_bad_str($message);

contains_newlines($email);
contains_newlines($subject);

$formcontent=" From: \n $title $name \n Email: $email \n Phone: $phone \n Message: $message";
$mailheader = "From: $email \r\n";
$recipient = "queries@xyz.com";
$subject = "Contact Form";
mail($recipient, $subject, $formcontent, $mailheader);
if (isset($_POST['email'])) {
header('Location:thanks.html');
}
?>

Redcoder · 01-07-2013, 03:08 PM

For such, use tried and tested methods. Use PHPMailer or PEAR MAILER. Way more secure and easier to use.

AndrewGSW · 01-07-2013, 03:18 PM

Looks good to me. Just requires you to test it.

codernoob · 01-07-2013, 03:30 PM

I checked and the form works, but it doesnt redirect to thanks.html page on submit..

and suggestions why its happening?

Redcoder · 01-07-2013, 03:42 PM

Does it give out any error?

You should check also try echoing out $_POST['email'] just above the if(isset($)POST['email'] statement to check whether it has a value.

Have this at the top of your script:

PHP Code:


			
<?php

ob_start();
error_reporting(E_ALL);
ini_set('display_errors', '1');

?>

and this at the very bottom:

PHP Code:


			
<?php

ob_end_flush();

Then tell us what it displays.

codernoob · 01-07-2013, 04:34 PM

Thank ya fellas,

I fixed it with some slight changes
Here is the code:

Code:

$formcontent=" From: \n $title $name \n Email: $email \n Phone: $phone \n Message: $message";
$headers = 'From: '.$email."\r\n".
'Reply-To: '.$email."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($recipient, $subject, $formcontent, $headers);  
{
header('location:thanks.html');
}
?>

Cheers!