
Hello everyone. I created this little script to e-mail a form, and it works and everything... I just wanted to see what you think. My main concern is whether the script is safe.

 

Thank You For your Help

 

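<?php

// Handler for the "Transformation Request Form": validates the POSTed fields,
// prints one message per failed check, and only when every check passes mails
// the request to $to and redirects to thankYou.php.
if (isset($_POST['submit'])) {

    $to      = "someone";
    $subject = "Transformation Request Form";

    // Read every field as a string ('' when missing or not a scalar, so a posted
    // array never reaches htmlentities()) and HTML-escape it. The escaped value
    // is what gets validated and mailed, as in the original; because
    // htmlentities() turns < > " & into entities that all contain '&', the
    // symbol checks below reject those characters as well. The four fields the
    // original mailed raw (date, agro, radio, radio2) now get the same treatment.
    $clean = array();
    foreach (array('date', 'projectLeader', 'name', 'email', 'plantGenotype',
                   'constructName', 'methodUsed', 'agro', 'agroProvided',
                   'bacterialSelection', 'plantSelection', 'transformationEvents',
                   'radio', 'vectorPlants', 'radio2', 'numberNeeded',
                   'specialRequests', 'projectNumber') as $fieldName) {
        $raw = (isset($_POST[$fieldName]) && is_scalar($_POST[$fieldName]))
            ? (string) $_POST[$fieldName]
            : '';
        $clean[$fieldName] = htmlentities($raw);
    }

    $date                 = $clean['date'];
    $projectLeader        = $clean['projectLeader'];
    $name_field           = $clean['name'];
    $email_field          = $clean['email'];
    $plantGenotype        = $clean['plantGenotype'];
    $constructName        = $clean['constructName'];
    $methodUsed           = $clean['methodUsed'];
    $agro                 = $clean['agro'];
    $agroProvided         = $clean['agroProvided'];
    $bacterialSelection   = $clean['bacterialSelection'];
    $plantSelection       = $clean['plantSelection'];
    $transformationEvents = $clean['transformationEvents'];
    $option               = $clean['radio'];
    $vectorPlants         = $clean['vectorPlants'];
    $option2              = $clean['radio2'];
    $numberNeeded         = $clean['numberNeeded'];
    $specialRequests      = $clean['specialRequests'];
    $projectNumber        = $clean['projectNumber'];

    // Character classes shared by the checks. ereg()/eregi() were removed in
    // PHP 7, so the checks use preg_match(). Text fields may not contain digits
    // or these symbols; count fields may not contain letters or these symbols.
    $noDigits  = '/[0-9!@#$%^&*()]/';
    $noLetters = '/[a-zA-Z!@#$%^&*()]/';

    // Address pattern inherited from the original (so TLDs longer than three
    // letters are still rejected). It is anchored, and the D modifier stops $
    // from matching before a trailing newline, so an address that passes it
    // contains no CR/LF and can be placed in a mail header.
    $emailPattern = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/iD';

    // One row per field, in the order the messages are printed. A row fails when
    // the raw field is empty(), when its value matches 'reject', or when it does
    // not match 'require'. projectLeader now uses the same digit/symbol check as
    // the other name fields; the original only required at least one letter,
    // which did not enforce what its message says.
    $checks = array(
        array('field' => 'projectLeader', 'value' => $projectLeader, 'reject' => $noDigits,
              'message' => "Enter your Project Leader's Name. Numbers and Charaters are not Allowed!<br>"),
        array('field' => 'name', 'value' => $name_field, 'reject' => $noDigits,
              'message' => "Enter your Name. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'email', 'value' => $email_field, 'require' => $emailPattern,
              'message' => "Please Enter a valid E-mail Address<br>"),
        array('field' => 'plantGenotype', 'value' => $plantGenotype, 'reject' => $noDigits,
              'message' => "Enter a Plant Genotype. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'constructName', 'value' => $constructName, 'reject' => $noDigits,
              'message' => "Enter a Construct Name. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'methodUsed', 'value' => $methodUsed, 'reject' => $noDigits,
              'message' => "Enter Method Used. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'agroProvided', 'value' => $agroProvided, 'reject' => $noDigits,
              'message' => "What Agro was used? Numbers and Charaters are not allowed!<br>"),
        array('field' => 'bacterialSelection', 'value' => $bacterialSelection, 'reject' => $noDigits,
              'message' => "Enter a Bacterial Selection. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'plantSelection', 'value' => $plantSelection, 'reject' => $noDigits,
              'message' => "Enter a Plant Selection. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'transformationEvents', 'value' => $transformationEvents, 'reject' => $noLetters,
              'message' => "Enter the Number of Transformation Events!<br>"),
        array('field' => 'vectorPlants', 'value' => $vectorPlants, 'reject' => $noLetters,
              'message' => "Enter the Number of vector-only control plants needed!<br>"),
        array('field' => 'numberNeeded', 'value' => $numberNeeded, 'reject' => $noLetters,
              'message' => "Enter the Number of regenerated controls needed!<br>"),
        array('field' => 'specialRequests', 'value' => $specialRequests, 'reject' => $noDigits,
              'message' => "Enter Method Used. Numbers and Charaters are not allowed!<br>"),
        array('field' => 'projectNumber', 'value' => $projectNumber, 'reject' => $noLetters,
              'message' => "Enter the Number of Your Project!<br>"),
    );

    $error = false;
    foreach ($checks as $check) {
        // preg_match() returns 1 on match, 0 on no match and false on a PCRE
        // error; a 'require' pattern that errors counts as a failed check.
        $failed = empty($_POST[$check['field']])
            || (isset($check['reject']) && preg_match($check['reject'], $check['value']) === 1)
            || (isset($check['require']) && preg_match($check['require'], $check['value']) !== 1);
        if ($failed) {
            $error = true;
            print($check['message']);
        }
    }

    if (!$error) {
        // Only the validated POST address goes into the From header. The original
        // took it from $_REQUEST['email'], which can also come from the query
        // string or a cookie and was never checked, so a CR/LF in that copy could
        // add arbitrary headers to the outgoing message.
        $from    = $email_field;
        $headers = "From: $from";

        $body = "Date: $date\n
		 From: $name_field\n 
		 Project Leader: $projectLeader\n 
		 E-Mail: $email_field\n
		 Plant Genotype: $plantGenotype\n
		 Construct Name: $constructName\n
		 Method Used: $methodUsed\n
		 $agro\n
		 Agro Provided In: $agroProvided\n
		 Bacterial Selection: $bacterialSelection\n
		 Plant Selection: $plantSelection\n
		 Number of Transformation Events: $transformationEvents\n
		 Vector controls needed: $option\n
		 Vector-only Control Plants Needed: $vectorPlants\n
		 Regenerated Controls Needed: $option2\n
		 Number Needed: $numberNeeded\n
		 Special Requests: $specialRequests\n
		 Project Number: $projectNumber";

        mail($to, $subject, $body, $headers);

        // Stop after the redirect so nothing further is emitted on this response.
        header("Location: thankYou.php");
        exit;
    }
}
?>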
