
Criticize My Very First Script


kyalee


Hi all,


I just wrote my very first PHP script ever. It's a simple mail form for use on my webpage along with a contact form. I'd love it if a few of you more experienced people would glance at it and let me know if there are any security vulnerabilities I'm overlooking. Thanks!


<?php // PHP SCRIPT TO HANDLE CONTACT FORM

include('header.inc');

// READ THE FORM FIELDS EXPLICITLY (the script must not rely on register_globals,
// which is off by default and removed in modern PHP)
$name     = isset($_POST['name'])     ? trim($_POST['name'])     : '';
$email    = isset($_POST['email'])    ? trim($_POST['email'])    : '';
$phone    = isset($_POST['phone'])    ? trim($_POST['phone'])    : '';
$comments = isset($_POST['comments']) ? trim($_POST['comments']) : '';

// WHERE THE E-MAIL IS GOING
$recipient = 'me@mysite.com';

//EMAIL SUBJECT
$subject = 'Contact Form Submitted';

//WHAT THE EMAIL SAYS (user input goes only into the body, never into a header)
$msg = "New Contact Form Submitted with the following information:
Name: $name

Email: $email

Phone #: $phone

Comments: $comments";

//REQUIRED FIELD ERROR MESSAGE
$error_required = "<p>You did not fill in all required fields. Please return to the contact form and try again.</p>";

//EMAIL FORMAT ERROR MESSAGE
$error_email = "<p>The email address you entered is invalid. Please return to the contact form and try again.</p>";

//EMAIL SENT SUCCESSFULLY MESSAGE
$success_msg = "<p>Thank you for your interest. I will contact you with more information as soon as possible.</p>";

//CHECKING FOR REQUIRED FIELDS AND CORRECTLY FORMATTED EMAIL
//(eregi() was removed in PHP 7; preg_match() with the /i flag gives the same case-insensitive test)
if ($name === '' || $email === '' || $comments === '') {
    echo $error_required;
} elseif (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $email)) {
    echo $error_email;
} else {
    //MAILING FORM (the From: header is fixed, so no visitor input reaches a mail header)
    mail($recipient, $subject, $msg, 'From: webmaster@website.com');
    echo $success_msg;
}

include('footer.inc');

?>

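A hardened rewrite of the handler in the post above, added here as an illustration and not kyalee's own script. It assumes placeholder addresses (me@example.com, webmaster@example.com) and the same four form fields, and shows the checks a reviewer would ask for: explicit $_POST reads, filter_var() instead of the removed eregi(), length limits, and rejection of CR/LF in any value that will be placed in a mail header.

```php
<?php
// Added example, not the poster's script. Placeholder addresses below.
// Reads fields from $_POST explicitly, validates the address with filter_var(),
// and refuses CR/LF in any value that will be placed in a mail header.

function clean_field(array $src, string $key, int $max, bool $for_header): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $v = trim($src[$key]);
    if ($v === '' || strlen($v) > $max) {
        return null;
    }
    // A CR/LF inside a header value lets the sender append extra headers
    // (e.g. Bcc:), so header-bound values are rejected, not silently stripped.
    if ($for_header && preg_match('/[\r\n]/', $v)) {
        return null;
    }
    return $v;
}

function build_message(array $post): ?array
{
    $name     = clean_field($post, 'name', 100, true);
    $email    = clean_field($post, 'email', 254, true);
    $phone    = clean_field($post, 'phone', 30, false);      // optional field
    $comments = clean_field($post, 'comments', 4000, false); // body only, newlines allowed
    if ($name === null || $email === null || $comments === null
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $body = "New contact form submission:\nName: $name\nEmail: $email\n"
          . "Phone #: " . ($phone ?? '(none)') . "\nComments:\n$comments\n";
    return ['body' => $body, 'reply_to' => $email];
}

$msg = build_message($_POST);
if ($msg === null) {
    http_response_code(400);
    // Error text is static: no user input is echoed back, so nothing to HTML-escape.
    echo '<p>Missing or invalid fields. Please return to the contact form and try again.</p>';
} else {
    // From: stays fixed; the validated visitor address goes only into Reply-To.
    $headers = "From: webmaster@example.com\r\nReply-To: {$msg['reply_to']}\r\n";
    mail('me@example.com', 'Contact Form Submitted', $msg['body'], $headers);
    echo '<p>Thank you for your interest. I will contact you as soon as possible.</p>';
}
```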

Also, the phone address could be verified like this:


<?php
// Read the field explicitly so the script does not emit a notice when it is absent
$phone_number = isset($_POST['phone']) ? trim($_POST['phone']) : '';

// Optional "(" area code ")", optional space/dash separators, optional "x" extension
$pattern =
    '/^[\(]?(\d{0,3})[\)]?[\s]?[\-]?(\d{3})[\s]?[\-]?(\d{4})[\s]?[x]?(\d*)$/';
if (preg_match($pattern, $phone_number, $matches))
{
    // we have a match; the sub-patterns are in $matches
    $phone_number = $matches[0]; // original number
    $area_code = $matches[1];    // 3-digit area code
    $exchange = $matches[2];     // 3-digit exchange
    $number = $matches[3];       // 4-digit number
    $extension = $matches[4];    // extension
}
?>


HTTP TRACE method is enabled on this web server.

In the presence of other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domains that support the HTTP TRACE method. This vulnerability affects Web Server.

The impact of this vulnerability

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.

How to fix this vulnerability

Disable TRACE Method on the web server.


Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability

This alert was generated using only banner information. It may be a false positive. A stack-based buffer overflow has been reported in the Apache mod_ssl module. This issue would most likely result in a denial of service if triggered, but could theoretically allow for execution of arbitrary code. The issue is not believed to be exploitable to execute arbitrary code on x86 architectures, though this may not be the case with other architectures. Affected mod_ssl versions (up to 2.8.17). This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

How to fix this vulnerability

Upgrade mod_ssl to the latest version.


Apache Mod_SSL Log Function Format String Vulnerability

This alert was generated using only banner information. It may be a false positive. A format string vulnerability has been found in mod_ssl versions older than 2.8.19. Successful exploitation of this issue will most likely allow an attacker to execute arbitrary code on the affected computer. Affected mod_ssl versions (up to 2.8.18).

This vulnerability affects mod_ssl.

The impact of this vulnerability

Denial of service and/or possible arbitrary code execution.

How to fix this vulnerability

Upgrade mod_ssl to the latest version.


Email address found

One or more email addresses have been found on this page. The majority of spam comes from email addresses harvested off the internet. The spam-bots (also known as email harvesters and email extractors) are programs that scour the internet looking for email addresses on any website they come across. Spambot programs look for strings like myname@mydomain.com and then record any addresses found.

The impact of this vulnerability

Email addresses posted on Web sites may attract spam.

How to fix this vulnerability

http://evolt.org/article/Spam_Proofing_Your_Website/20/41849/
