Lambneck Posted March 7, 2011

Hi, I am just looking for some input on how I could make this form processing script more secure. In fact extremely secure. Like the most secure server side filtering can get!

<?php
// Read the form fields (the original relied on register_globals; the field names are assumed)
$name    = isset($_POST['name'])    ? $_POST['name']    : '';
$email   = isset($_POST['email'])   ? $_POST['email']   : '';
$subject = isset($_POST['subject']) ? $_POST['subject'] : '';
$message = isset($_POST['message']) ? $_POST['message'] : '';

// Mail header removal
function remove_headers($string) {
    $headers = array(
        "/to\:/i",
        "/from\:/i",
        "/bcc\:/i",
        "/cc\:/i",
        "/Content\-Transfer\-Encoding\:/i",
        "/Content\-Type\:/i",
        "/Mime\-Version\:/i"
    );
    if (preg_replace($headers, '', $string) == $string) {
        return $string;
    } else {
        die('Spam much?');
    }
}

// Build the email
$to = '[email protected]';
$subject = "Secure contact form message from: $subject";
$message = "$name said: $message";
$headers = "From: $email";

// field validation
if ($subject=="" || $message=="" || $name=="") {
    print ("All form fields are required. Please go back and try again.");
} else {
    // email validation (eregi() has been removed from PHP; preg_match() with /i is the equivalent)
    if(!preg_match('/^([._a-z0-9-]+[._a-z0-9-]*)@(([a-z0-9-]+\.)*([a-z0-9-]+)(\.[a-z]{2,3})?)$/i', $email)) {
        print ("Your email address does not appear to be valid. Please go back and try again.");
        exit;
    }
    // Send the mail
    mail($to, $subject, $message, $headers);
    // Redirect (exit so nothing runs after the redirect header)
    header('Location: ../submitted.php');
    exit;
}
?>
cunoodle2 Posted March 7, 2011

I don't ever see you calling the function "remove_headers" and/or passing anything through it. Am I missing something? I would also look into your sanitizing/cleaning of variables from your forms. What do you have in place for that?
Lambneck (Author) Posted March 7, 2011

Would it be effective if instead of relying on the remove_headers function to use:

<?php
if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {
    header('Location: ../fail.php');
    exit; // stop here, otherwise the script keeps running after the redirect
}
?>

Or can they be used together for double the security!?
Lambneck (Author) Posted March 7, 2011

OK, updated. Now at a quick glance can anyone find any loose ends or insecurity potentialities that could use attention?

securest mail script:

<?php
// Read the form fields (the original relied on register_globals; the field names are assumed)
$name    = isset($_POST['name'])    ? $_POST['name']    : '';
$email   = isset($_POST['email'])   ? $_POST['email']   : '';
$subject = isset($_POST['subject']) ? $_POST['subject'] : '';
$message = isset($_POST['message']) ? $_POST['message'] : '';

// Mail header injection detection
function isInjected($str) {
    $injections = array('(\n+)','(\r+)','(\t+)','(%0A+)','(%0D+)','(%08+)','(%09+)');
    $inject = join('|', $injections);
    $inject = "/$inject/i";
    if(preg_match($inject,$str)) {
        return true;
    } else {
        return false;
    }
}

// Build the email (replace the address in the $to section with your own)
$to = '[email protected]';
$subject = "Secure contact form message from: $name";
$message = "$name said: $message";
$headers = "From: $email";

// field validation
if ($subject=="" || $message=="" || $name=="") {
    print ("All form fields are required. Please go back and try again.");
} else {
    // email validation (eregi() has been removed from PHP; preg_match() with /i is the equivalent)
    if(!preg_match('/^([._a-z0-9-]+[._a-z0-9-]*)@(([a-z0-9-]+\.)*([a-z0-9-]+)(\.[a-z]{2,3})?)$/i', $email)) {
        print ("Your email address does not appear to be valid. Please go back and try again.");
        exit;
    }
    // Refuse to send if any field carries an injection attempt; isInjected() returns a
    // boolean, so its result must gate the call rather than be passed to mail() as an argument
    // (note: checking $message this way also rejects line breaks in the body)
    if (isInjected($to) || isInjected($subject) || isInjected($message) || isInjected($headers)) {
        die('Spam much?');
    }
    // Send the mail using PHP's mail() function
    mail($to, $subject, $message, $headers);
    // Redirect (exit so nothing runs after the redirect header)
    header('Location: ../submitted.php');
    exit;
}
?>
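A hardened version of the same contact-form flow, written here as an added example rather than code from the thread. It assumes the form fields name, email, subject and message; RECIPIENT and FIXED_FROM are placeholder addresses.

```php
<?php
// Added example, not from the thread. Assumes form fields name, email,
// subject and message; RECIPIENT and FIXED_FROM are placeholders.
const RECIPIENT  = 'you@example.com';        // placeholder
const FIXED_FROM = 'webform@example.com';    // placeholder, your own domain
// mail() writes $subject and $additional_headers straight into the message
// header block, so one CR or LF in them is enough to append a new header.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}
// Trim and check the fields; returns a list of errors, empty on success.
function validate_contact_form(array $post, array &$clean): array
{
    $errors = [];
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        $value = $post[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
        if ($clean[$field] === '') {
            $errors[] = "$field is required";
        }
    }
    // Header-bound fields may not contain line breaks; the body may.
    foreach (['name', 'email', 'subject'] as $field) {
        if (has_header_break($clean[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    // Replaces the eregi() pattern; also rejects CR/LF inside the address.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}
$clean  = [];
$errors = validate_contact_form($_POST, $clean);
if ($errors) {
    http_response_code(400);
    exit(implode("\n", $errors));
}
// Keep From fixed on your own domain and put the visitor in Reply-To, so the
// visitor never controls the sender line.
$headers = 'From: ' . FIXED_FROM . "\r\nReply-To: " . $clean['email'];
$subject = 'Contact form: ' . $clean['subject'];
$body    = $clean['name'] . " said:\n\n" . $clean['message'];
if (!mail(RECIPIENT, $subject, $body, $headers)) { exit('Mail could not be sent.'); }
header('Location: ../submitted.php');
exit;
```

Because the user-supplied values only ever reach the header block through has_header_break() and FILTER_VALIDATE_EMAIL, an injected "Bcc:" line is rejected before mail() is called instead of being stripped afterwards.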