Secure Contact Form


fri3ndly


Hello there.

I have recently made a contact form to assist my Flash website, and the variables are recognised using PHP (which I am very new to).

The form works great...BUT...I have recently been called by my web host and told that the form is not secure and could easily be changed and used by spammers. They said the PHP form needs some validation.

The Flash form already has validation before it can be sent, but they said that somebody could easily take the PHP page and change the headers?? :o

[b]Please can somebody help me!!! I would be most grateful!!!!![/b]


Please find below the scripts I have used, first in Flash and then the PHP script:


[u][b]FLASH:[/b][/u]
[color=blue][code]// Button rollover animation
on (rollOver) {
    submit.gotoAndPlay(2);
}
on (rollOut) {
    submit.gotoAndPlay(10);
}

// Client-side checks, then POST the text fields to flashmail.php
on (release) {
    if (!email.length || email.indexOf("@") == -1 || email.indexOf(".") == -1) {
        EmailStatus = "Enter a valid e-mail address!";
    } else if (!tocomment.length) {
        EmailStatus = "Please enter your message!";
    } else if (!firstname.length) {
        EmailStatus = "Please enter your name!";
    } else {
        loadVariablesNum("flashmail.php", "0", "POST");
        EmailStatus = "Thank you!";
    }
}

// Clear the fields once the message has been submitted
on (release) {
    if (EmailStatus == "Thank you!") {
        firstname = "";
        email = "";
        tocomment = "";
    }
}[/code][/color]

[u][b]PHP:[/b][/u]
[color=red][code]<?php
$ToEmail = "[email protected]";
$ToName = "WebSite"; // used in the recipient below, so it must not stay commented out
$ToSubject = "Message From Web Visitor";

$EmailBody = "Sent By: ".$_POST['firstname']."\nSenders Email: ".$_POST['email']."\n\nMessage Sent:\n".$_POST['tocomment']."\n\n";

// The footer is only appended to the mail; echoing it would send it back to Flash as part of the loadVariables response
$EmailFooter = "\nThis message was sent by: ".$_POST['firstname']." from ".$_SERVER['REMOTE_ADDR']." If you feel that you received this e-mail by accident please contact us at www.website.com";

$Message = $EmailBody.$EmailFooter;

// The From header is built straight from the POSTed fields with no validation, which is the problem the replies below describe
mail($ToName." <".$ToEmail.">", $ToSubject, $Message, "From: ".$_POST['firstname']." <".$_POST['email'].">" . "\r\n" . "X-Mailer: PHP/" . phpversion());

// Flash reads this name=value pair from the response
print "EmailStatus=Complete - Your mail has been sent";
?>
[/code][/color]

:D
https://forums.phpfreaks.com/topic/35789-secure-contact-form/

They are correct: any client-side output (your HTML form) can be ripped and mimicked by a user to send different data back to your script. PHP validation is a means of testing what data has been passed back to your script and stopping anything potentially incorrect or dangerous.

For example, if in your form's subject field I typed in the following line:

[code=php:0]
$headers .= 'Bcc: [email protected]' . "\r\n";
[/code]

I could add a new header which would direct the email to someone else. Spammers would use this by including large lines of additional emails. So to validate your input you would use string functions to most likely search and replace any dangerous inputs. This is especially true if your script refers back to a database, where extra SQL statements can be inserted and allow the attacker to drop your database, get full permissions, etc.
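As an added example (not the original poster's flashmail.php and not code from either reply), here is what the server-side validation the reply above describes looks like for the same three fields. The recipient address, the site name and the function names are placeholders of my own; it also goes a little beyond the reply by capping field lengths and putting the visitor's address in Reply-To instead of From, and it does not call mail() when run from the command line.

```php
<?php
// Added example: hardened handler for the firstname/email/tocomment fields.
// TO_EMAIL and TO_NAME are placeholders, not the poster's real values.
define('TO_EMAIL', 'you@example.com');
define('TO_NAME',  'WebSite');

// A CR or LF inside a header value is exactly what lets a submitted field
// grow an extra "Bcc:" line, so any such value is rejected outright.
function has_header_injection($value) {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Server-side validation. Returns array('ok' => bool, 'errors' => array,
// 'fields' => array) so the caller decides what to do with the result.
function validate_contact(array $post) {
    $errors = array();
    $fields = array();
    foreach (array('firstname', 'email', 'tocomment') as $name) {
        $fields[$name] = isset($post[$name]) ? trim((string)$post[$name]) : '';
        if ($fields[$name] === '') {
            $errors[] = "$name is required";
        }
    }
    // Only values that end up in headers need the CRLF check; the message
    // body may legitimately contain newlines.
    foreach (array('firstname', 'email') as $name) {
        if (has_header_injection($fields[$name])) {
            $errors[] = "$name contains line breaks";
        }
    }
    if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (strlen($fields['firstname']) > 100 || strlen($fields['tocomment']) > 5000) {
        $errors[] = 'input too long';
    }
    return array('ok' => empty($errors), 'errors' => $errors, 'fields' => $fields);
}

// Headers use fixed, server-controlled values. The visitor's address goes in
// Reply-To rather than From, so the mail is not sent as an outside domain.
function build_headers(array $fields) {
    $name = str_replace(array('"', '\\'), '', $fields['firstname']);
    return "From: " . TO_NAME . " <" . TO_EMAIL . ">\r\n"
         . "Reply-To: \"" . $name . "\" <" . $fields['email'] . ">\r\n"
         . "X-Mailer: PHP/" . phpversion();
}

function build_body(array $fields, $remote_addr) {
    return "Sent By: " . $fields['firstname'] . "\n"
         . "Senders Email: " . $fields['email'] . "\n\n"
         . "Message Sent:\n" . $fields['tocomment'] . "\n\n"
         . "This message was sent by: " . $fields['firstname']
         . " from " . $remote_addr . "\n";
}

if (php_sapi_name() !== 'cli') {
    // Web request: Flash reads the response as name=value pairs, so only the
    // EmailStatus line is printed; error details go to the server log.
    $result = validate_contact($_POST);
    if ($result['ok']) {
        $headers = build_headers($result['fields']);
        $body = build_body($result['fields'], $_SERVER['REMOTE_ADDR']);
        mail(TO_NAME . " <" . TO_EMAIL . ">", "Message From Web Visitor", $body, $headers);
        print "EmailStatus=Complete - Your mail has been sent";
    } else {
        error_log("contact form rejected: " . implode('; ', $result['errors']));
        print "EmailStatus=Error - Please check the form and try again";
    }
} else {
    // Command-line run with constructed samples: one clean submission and one
    // whose email field carries the injected Bcc line quoted in the reply.
    $clean = array('firstname' => 'Alice', 'email' => 'alice@example.net', 'tocomment' => 'Hello');
    $bad = $clean;
    $bad['email'] = "alice@example.net\r\nBcc: someone-else@example.org";
    foreach (array('clean' => $clean, 'injected' => $bad) as $label => $sample) {
        $r = validate_contact($sample);
        print $label . ': ' . ($r['ok'] ? 'accepted' : 'rejected (' . implode('; ', $r['errors']) . ')') . "\n";
    }
}
```

Run it with `php flashmail-hardened.php` to see the two samples classified; as a web handler it prints only the EmailStatus line that the Flash movie expects, and the reason for a rejection is written to the server log instead of being returned to the client.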

I'm not sure about Flash-loaded PHP... but you can always try to use the referrer on the PHP side...
[code]
<?php
// Returns the Referer header the browser sent, or an empty string if there was none.
// Note that the client supplies this header, so it is only an advisory check.
function get_referrer(){
    return isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
}

if(get_referrer()=="yourwebpagehere.swf"){
    #rest of your code
}
?>
[/code]

That much said... I'm not sure that, if you load PHP from Flash, you'll get the right referrer... just an idea...

Ok cool,

So is the referrer the domain name and page (ie. http://www.mywebsite.com/contact.html)?


The Flash document does not contain any PHP; its contact form variables just match the variables that are in 'flashmail.php', and it then sends all the info to the given e-mail.

Thanks for your comments so far guys. Need to get to the bottom of this as they said I had until Friday (TODAY) before they deleted all the scripts lol ::)
