Re: Form Security



Scott wrote:
> This is a simple contact form. I have the following fields:
> name, company, email, phone, subject (which is chosen from a drop-down
> list), and message (a textarea field). I am also using a hidden field
> called originator which contains the random code, as well as assigning
> that same value to $_SESSION['code'] as discussed earlier.

As I said, the random code will indeed stop cross-site form submission.
That's not a useful exploit though in this instance, unless your script
is vulnerable to e-mail header injection.

> 1) Take each of the text fields, run them through trim() and
> strip_tags(), and assign them to a variable. That variable is then
> checked against a regular expression. If they do not match the
> expression, an error message such as "Please re-enter your email
> address." will be displayed along with the form, and with all of the
> information they just entered.

Sensible enough, although strip_tags() is a rather blunt instrument.

> 2) The subject must match one of the options in the drop-down list. For
> now, if it doesn't, I'm just pulling the plug with exit(), because this
> obviously isn't valid data.

That should stop mail injection, as the subject is presumably the only
field which goes into the header.

> 3) With the message, I want to be fairly flexible, mainly because this
> is a contact form for potential customers to contact me, and I don't
> want to annoy them into going elsewhere. I am running it through trim()
> and strip_tags(), but haven't decided yet on a regular expression to
> use, or even if I really need to.

I'm not aware of any exploit that can be triggered by contents in the
mail body.

> After all this, if no error message has been generated, the form
> contents are emailed to me. Since this data is being passed to a mail()
> function, spam was pretty much my main concern. However, I'm wondering
> also, would you deem it necessary to use escapeshellcmd() on this data
> as well? I'm no Linux guru, so I don't know what someone could do to
> cause problems with this script, other than spam me.

PHP pipes data to Sendmail through the standard input. There is no
need to call escapeshellcmd().

> What further steps would you take on this script?

Don't see any. Seems like you're already getting more precautions than
you have to.
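The checks discussed in this thread (session token compare, trim()/strip_tags(), a regular expression per field, subject whitelisted against the drop-down options, and a CR/LF check on anything that reaches a mail header) put together in one validator, as an added example that is not Scott's script or any code from the thread. The field names, the subject options, the recipient address and the use of the e-mail field in a From/Reply-To header are assumptions.

```php
<?php
// Added example, not code from the thread: field names, subject options and the
// recipient address are assumed; the sample submission below is constructed.
$post = [
    'originator' => 'abc123',
    'name'    => ' Scott ',
    'company' => 'Example Ltd',
    'email'   => "scott@example.com\r\nBcc: victim@example.net", // constructed header-injection attempt
    'phone'   => '555-0100',
    'subject' => 'Sales enquiry',
    'message' => "Hello,\r\nplease call me.",
];
$session = ['code' => 'abc123'];                       // stands in for $_SESSION
$allowedSubjects = ['Sales enquiry', 'Support request', 'Other'];

function validate_contact(array $p, array $session, array $allowedSubjects): array
{
    $errors = [];
    // Hidden originator field must match the value stored in the session.
    if (!isset($p['originator'], $session['code']) || !hash_equals($session['code'], $p['originator'])) {
        $errors[] = 'Form token mismatch; please reload the form.';
    }
    $clean = [];
    foreach (['name', 'company', 'email', 'phone', 'subject'] as $f) {
        $clean[$f] = strip_tags(trim((string)($p[$f] ?? '')));
    }
    // Any CR/LF in a header-bound field is an injection attempt, not a typo.
    if (preg_match('/[\r\n]/', $p['email'] ?? '') || filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please re-enter your email address.';
    }
    if (!preg_match('/^[\p{L} .\'-]{1,80}$/u', $clean['name']))  $errors[] = 'Please re-enter your name.';
    if (!preg_match('/^[0-9 +().-]{0,30}$/', $clean['phone']))    $errors[] = 'Please re-enter your phone number.';
    // Subject goes into the mail header: accept only a listed option, never free text.
    if (!in_array($clean['subject'], $allowedSubjects, true))     $errors[] = 'Invalid subject.';
    // Body stays flexible: trim, strip tags, normalise line endings; it never reaches a header.
    $clean['message'] = preg_replace("/\r\n?/", "\n", strip_tags(trim((string)($p['message'] ?? ''))));
    if ($clean['message'] === '') $errors[] = 'Please enter a message.';
    return [$errors, $clean];
}

[$errors, $clean] = validate_contact($post, $session, $allowedSubjects);
if ($errors) {
    // Redisplay the form with the errors and the user's own (HTML-escaped) input.
    foreach ($errors as $e) echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "\n";
} else {
    $body = "Name: {$clean['name']}\nCompany: {$clean['company']}\nPhone: {$clean['phone']}\n\n{$clean['message']}";
    mail('me@example.com', $clean['subject'], $body, "From: {$clean['email']}\r\nReply-To: {$clean['email']}");
}
```

With the constructed submission above the e-mail check fails and the form is redisplayed, so the injected Bcc line never reaches mail().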
