Lambneck Posted March 7, 2011

Hi, I am just looking for some input on how I could make this form processing script more secure. In fact extremely secure. Like the most secure server side filtering can get!

    <?php
    // Mail header removal
    function remove_headers($string) {
        $headers = array(
            "/to\:/i",
            "/from\:/i",
            "/bcc\:/i",
            "/cc\:/i",
            "/Content\-Transfer\-Encoding\:/i",
            "/Content\-Type\:/i",
            "/Mime\-Version\:/i"
        );
        if (preg_replace($headers, '', $string) == $string) {
            return $string;
        } else {
            die('Spam much?');
        }
    }

    // Build the email
    $to = '[email protected]';
    $subject = "Secure contact form message from: $subject";
    $message = "$name said: $message";
    $headers = "From: $email";

    // field validation
    if ($subject=="" || $message=="" || $name=="") {
        print ("All form fields are required. Please go back and try again.");
    } else {
        // email validation
        if(!eregi('^([._a-z0-9-]+[._a-z0-9-]*)@(([a-z0-9-]+\.)*([a-z0-9-]+)(\.[a-z]{2,3})?)$', $email)) {
            print ("Your email address does not appear to be valid. Please go back and try again.");
            exit;
        }

        // Send the mail
        mail($to, $subject, $message, $headers);

        // Redirect
        header('Location: ../submitted.php');
    }
    ?>

https://forums.phpfreaks.com/topic/229833-secure-form-processing/
cunoodle2 Posted March 7, 2011

I don't ever see you calling the function "remove_headers" and/or passing anything through it. Am I missing something? I would also look into your sanitizing/cleaning of variables from your forms. What do you have in place for that?

https://forums.phpfreaks.com/topic/229833-secure-form-processing/#findComment-1183839
Lambneck Posted March 7, 2011 (Author)

Would it be effective if instead of relying on the remove_headers function to use:

    <?php
    // Reject the request outright if a header-bound field contains a CR or LF
    if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {
        header('Location: ../fail.php');
        exit;
    }
    ?>

Or can they be used together for double the security!?

https://forums.phpfreaks.com/topic/229833-secure-form-processing/#findComment-1183873
Lambneck Posted March 7, 2011 (Author)

Ok updated. Now at a quick glance can anyone find any loose ends or insecurity potentialities that could use attention? securest mail script:

    <?php
    // Mail header injection check: true if the string contains a newline,
    // carriage return, tab, or one of their URL-encoded forms
    function isInjected($str) {
        $injections = array('(\n+)', '(\r+)', '(\t+)', '(%0A+)', '(%0D+)', '(%08+)', '(%09+)');
        $inject = join('|', $injections);
        $inject = "/$inject/i";
        if (preg_match($inject, $str)) {
            return true;
        } else {
            return false;
        }
    }

    // Read the form fields (the original relied on register_globals)
    $name    = isset($_POST['name'])    ? $_POST['name']    : '';
    $email   = isset($_POST['email'])   ? $_POST['email']   : '';
    $message = isset($_POST['message']) ? $_POST['message'] : '';

    // field validation (done before the values are wrapped into subject and
    // body, otherwise the empty-string tests can never fire)
    if ($message == "" || $name == "" || $email == "") {
        print ("All form fields are required. Please go back and try again.");
        exit;
    }

    // email validation (eregi is deprecated and removed in PHP 7; preg_match
    // with the /i modifier is the equivalent)
    if (!preg_match('/^([._a-z0-9-]+[._a-z0-9-]*)@(([a-z0-9-]+\.)*([a-z0-9-]+)(\.[a-z]{2,3})?)$/i', $email)) {
        print ("Your email address does not appear to be valid. Please go back and try again.");
        exit;
    }

    // header injection check on every value that ends up on a header line
    // (isInjected returns a boolean, so it is a guard, not something to pass
    // into mail())
    if (isInjected($name) || isInjected($email)) {
        header('Location: ../fail.php');
        exit;
    }

    // Build the email (replace the address in the $to section with your own)
    $to = '[email protected]';
    $subject = "Secure contact form message from: $name";
    $message = "$name said: $message";
    $headers = "From: $email";

    // Send the mail using PHP's mail() function
    mail($to, $subject, $message, $headers);

    // Redirect
    header('Location: ../submitted.php');
    exit;
    ?>

https://forums.phpfreaks.com/topic/229833-secure-form-processing/#findComment-1184110
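The approach the thread converges on (reject any CR or LF in a field that ends up on a header line, validate the address, and only then call mail()), written out as an added PHP example. This is not Lambneck's script or anything posted in the thread; the field names name/email/message, the recipient constant CONTACT_RECIPIENT, the helper names is_header_safe and build_contact_mail, and the constructed test inputs are all assumptions made for the example. It also goes one step further than the posts: the visitor's address is kept out of From and placed in Reply-To, because the server sending the form is not authorised to originate mail for the visitor's domain and many receivers will reject or spam-score it if it does.

```php
<?php
// Added example, not code from the thread. Assumed names: form fields
// name/email/message, the recipient constant below, and the two helpers.

const CONTACT_RECIPIENT = 'contact@example.com'; // assumed address

// A value that will be placed on a header line may not contain CR, LF or NUL.
// Percent-encoded forms (%0A, %0D) need no separate check: PHP has already
// decoded the request body by the time it reaches $_POST, so a real newline
// is what arrives here.
function is_header_safe($value)
{
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

// Validate the submitted fields and assemble the mail() arguments.
// Returns array('to', 'subject', 'body', 'headers') on success, or
// array('errors' => [...]) when the submission must be refused.
function build_contact_mail(array $fields)
{
    $errors = array();
    foreach (array('name', 'email', 'message') as $f) {
        if (!isset($fields[$f]) || !is_string($fields[$f]) || trim($fields[$f]) === '') {
            $errors[] = "Missing field: $f";
        }
    }
    if ($errors) {
        return array('errors' => $errors);
    }

    $name    = trim($fields['name']);
    $email   = trim($fields['email']);
    $message = $fields['message'];

    // Only name and email reach a header line (Subject and Reply-To), so only
    // they are checked for line breaks; the body may legitimately contain them.
    if (!is_header_safe($name) || !is_header_safe($email)) {
        return array('errors' => array('Line break in a header field'));
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return array('errors' => array('Invalid email address'));
    }

    // Fixed From, visitor in Reply-To. Headers are separated by CRLF as the
    // mail() documentation specifies.
    $headers = 'From: ' . CONTACT_RECIPIENT . "\r\n"
             . 'Reply-To: ' . $email . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();

    return array(
        'to'      => CONTACT_RECIPIENT,
        'subject' => 'Contact form message from ' . substr($name, 0, 60),
        'body'    => $name . " said:\n\n" . $message,
        'headers' => $headers,
    );
}

// Demonstration with constructed inputs. Runs from the command line and only
// builds the arguments; nothing is sent.
if (PHP_SAPI === 'cli') {
    $cases = array(
        'benign'    => array('name' => 'Alice', 'email' => 'alice@example.org',
                             'message' => "Hello\nthere"),
        'injected'  => array('name' => "Bob\r\nBcc: victim@example.net",
                             'email' => 'bob@example.org', 'message' => 'x'),
        'bad email' => array('name' => 'Carol', 'email' => 'carol@@example',
                             'message' => 'x'),
        'missing'   => array('name' => 'Dave', 'email' => 'dave@example.org'),
    );
    foreach ($cases as $label => $input) {
        $result = build_contact_mail($input);
        echo str_pad($label, 10), ': ',
             isset($result['errors'])
                 ? 'REJECTED (' . implode('; ', $result['errors']) . ')'
                 : 'OK, mail() headers ' . json_encode($result['headers']),
             "\n";
    }
}
```

In a web handler the rejection branches become the error page the thread redirects to, and the success branch is the only place mail() is called. The body keeps its newlines because the body is not a header; the subject is truncated so a long name cannot produce an oversized header line.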