skustes Posted December 22, 2009 Share Posted December 22, 2009 I have a contact form that takes a user's name, email, and phone, along with a subject and message. The name, phone (validated to be xxx-xxx-xxxx), and message are inserted only into the body of the email that is sent. The subject is put only into the subject line. However, the email address is inserted into the "From: " of the headers. I know that there are some ways to spam a contact form, so I'm wondering what kind of damage control I need to do. I already run the fields through a function that strips out all HTML tags. My form validator picks up if anything other than a single valid email address is entered or if someone tries to input a "\r\n" into the email. What about the subject? Other than inputting "Get V!@gr@ here!" can anything malicious be done through that? Thanks! Scott Quote Link to comment Share on other sites More sharing options...
ChemicalBliss Posted December 22, 2009 Share Posted December 22, 2009 If it's a contact form that any guest can use, then i would advise; 1. Spam Control (Time limit between sending messages, ip/cookie etc). 2. Email Verification (A little overkill with spam control), when user sends a message, he must confirm the message in his own email, sort of like a registration type thing. 3. Only allow certain number of messages/day, if the limit is reached then send an email to you, so you can check it out and reset the limit if everything is ok. 4. Of course you will need to only allow Plain Text in the message body/name/email and subject. 5. Anything going into mysql from those fields needs to be properly escaped (mysql_real_escape_string). -CB- Quote Link to comment Share on other sites More sharing options...
skustes Posted December 23, 2009 Author Share Posted December 23, 2009 Great, thanks! I went with spam control, currently set at 1 minute between emails from a particular IP address. Nothing going into the database, so no need for mysql escaping, but I am already stripping HTML tags. I suppose if I see any abuse, I can add a restriction on the number of emails that can be sent in a day. Any other suggestions or you think that'll be a good start? Cheers! Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted December 23, 2009 Share Posted December 23, 2009 Be careful when restricting by IP. People on shared networks or sharing a proxy will be restricted unintentionally. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.