skustes Posted December 22, 2009 Share Posted December 22, 2009 I have a contact form that takes a user's name, email, and phone, along with a subject and message. The name, phone (validated to be xxx-xxx-xxxx), and message are inserted only into the body of the email that is sent. The subject is put only into the subject line. However, the email address is inserted into the "From: " of the headers. I know that there are some ways to spam a contact form, so I'm wondering what kind of damage control I need to do. I already run the fields through a function that strips out all HTML tags. My form validator picks up if anything other than a single valid email address is entered or if someone tries to input a "\r\n" into the email. What about the subject? Other than inputting "Get V!@gr@ here!" can anything malicious be done through that? Thanks! Scott Link to comment https://forums.phpfreaks.com/topic/186025-contact-form-input-scrubbing/ Share on other sites More sharing options...
ChemicalBliss Posted December 22, 2009 Share Posted December 22, 2009 If it's a contact form that any guest can use, then i would advise; 1. Spam Control (Time limit between sending messages, ip/cookie etc). 2. Email Verification (A little overkill with spam control), when user sends a message, he must confirm the message in his own email, sort of like a registration type thing. 3. Only allow certain number of messages/day, if the limit is reached then send an email to you, so you can check it out and reset the limit if everything is ok. 4. Of course you will need to only allow Plain Text in the message body/name/email and subject. 5. Anything going into mysql from those fields needs to be properly escaped (mysql_real_escape_string). -CB- Link to comment https://forums.phpfreaks.com/topic/186025-contact-form-input-scrubbing/#findComment-982364 Share on other sites More sharing options...
skustes Posted December 23, 2009 Author Share Posted December 23, 2009 Great, thanks! I went with spam control, currently set at 1 minute between emails from a particular IP address. Nothing going into the database, so no need for mysql escaping, but I am already stripping HTML tags. I suppose if I see any abuse, I can add a restriction on the number of emails that can be sent in a day. Any other suggestions or you think that'll be a good start? Cheers! Link to comment https://forums.phpfreaks.com/topic/186025-contact-form-input-scrubbing/#findComment-982809 Share on other sites More sharing options...
roopurt18 Posted December 23, 2009 Share Posted December 23, 2009 Be careful when restricting by IP. People on shared networks or sharing a proxy will be restricted unintentionally. Link to comment https://forums.phpfreaks.com/topic/186025-contact-form-input-scrubbing/#findComment-982814 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.