
Secure Contact Form


fri3ndly


Hello there.

I have recently made a contact form to assist my Flash website, and the variables are recognised using PHP (which I am very new to).

The form works great... BUT... I have recently been called by my web host and told that the form is not secure and could easily be changed and used by spammers. They said the PHP form needs some validation.

The Flash form already has validation before it can be sent, but they said that somebody could easily take the PHP page and change the headers?

[b]Please can somebody help me! I would be most grateful![/b]


Please find below the scripts I have used, first the Flash code and then the PHP script:


[u][b]FLASH:[/b][/u]
[color=blue][code]on (rollOver) {
    submit.gotoAndPlay(2);
}
on (rollOut) {
    submit.gotoAndPlay(10);
}
on (release) {
    if (!email.length || email.indexOf("@") == -1 || email.indexOf(".") == -1) {
        EmailStatus = "Enter a valid e-mail address!";
    } else if (!tocomment.length) {
        EmailStatus = "Please enter your message!";
    } else if (!firstname.length) {
        EmailStatus = "Please enter your name!";
    } else {
        // Sends firstname, email and tocomment to the PHP script as POST variables
        loadVariablesNum("flashmail.php", "0", "POST");
        EmailStatus = "Thank you!";
    }
}
on (release) {
    if (EmailStatus == "Thank you!") {
        firstname = "";
        email = "";
        tocomment = "";
    }
}[/code][/color]

[u][b]PHP:[/b][/u]
[color=red][code]<?php
$ToEmail = "myemail@myemail.com";

$ToName = "WebSite";
$ToSubject = "Message From Web Visitor";

$EmailBody = "Sent By: ".$_POST['firstname']."\nSenders Email: ".$_POST['email']."\n\nMessage Sent:\n".$_POST['tocomment']."\n\n";

$EmailFooter = "\nThis message was sent by: ".$_POST['firstname']." from ".$_SERVER['REMOTE_ADDR']." If you feel that you received this e-mail by accident please contact us at www.website.com";

$Message = $EmailBody.$EmailFooter;

// The From: header is built directly from the unchecked POST fields.
mail($ToName." <".$ToEmail.">", $ToSubject, $Message, "From: ".$_POST['firstname']." <".$_POST['email'].">" . "\r\n" . "X-Mailer: PHP/" . phpversion());

// Response is read back by the Flash movie as a name=value pair
echo "EmailStatus=Complete - Your mail has been sent";

?>
[/code][/color]

:D

They are correct: any client-side output (your HTML form) can be ripped and mimicked by a user to send different data back to your script. PHP validation is a means of testing what data has been passed back to your script and stopping anything potentially incorrect or dangerous.

For example, if I typed the following line into your form's subject field,

[code=php:0]
$headers .= 'Bcc: birthdaycheck@example.com' . "\r\n";
[/code]

I could add a new header which would direct the email to someone else. Spammers would use this by including large lines of additional emails. So to validate your input you would most likely use string functions to search for and replace any dangerous input. This is especially true if your script refers back to a database, where extra SQL statements can be inserted and allow the attacker to drop your database, get full permissions, etc.
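The header injection the reply describes only works because the original flashmail.php copies the POST fields straight into the From: header, and mail() separates headers with CR/LF. Below is a hardened version of that script, written as an added example (it is not code from the original poster or from the forum reply). It assumes PHP 7.1 or later, keeps the same three POST variable names and the same "EmailStatus=..." response that the Flash movie already reads, and uses a made-up sender address noreply@website.com on your own domain as the From: address; the visitor's address only ever goes into Reply-To, and only after it has passed filter_var() validation.

```php
<?php
// Hardened flashmail.php (added example, not the original script).
// Assumes PHP 7.1+, and that the Flash movie POSTs firstname, email and
// tocomment and reads back a URL-encoded "EmailStatus=..." variable.

$ToEmail   = "myemail@myemail.com";          // same destination as the original
$ToSubject = "Message From Web Visitor";     // fixed subject: nothing from the user
$FromAddr  = "noreply@website.com";          // assumed address on your own domain

// Anything that ends up in a mail header must not contain a line break
// (or a NUL): "\r\nBcc: victim@example.com" typed into the e-mail field
// would otherwise become a second header and relay mail for a spammer.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Report an error in the same name=value format the Flash movie expects.
function fail(string $msg): void
{
    echo "EmailStatus=" . rawurlencode($msg);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail('Invalid request');
}

$firstname = trim($_POST['firstname'] ?? '');
$email     = trim($_POST['email'] ?? '');
$tocomment = trim($_POST['tocomment'] ?? '');

// Repeat every Flash-side check here: the .swf can be bypassed entirely,
// so the server must not trust that the client already validated anything.
if ($firstname === '' || strlen($firstname) > 80 || hasHeaderInjection($firstname)) {
    fail('Please enter your name!');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
    || strlen($email) > 254
    || hasHeaderInjection($email)) {
    fail('Enter a valid e-mail address!');
}
if ($tocomment === '' || strlen($tocomment) > 5000) {
    fail('Please enter your message!');
}

// The body is free text, so line breaks are harmless there; only the
// header fields above needed the CR/LF check.
$EmailBody = "Sent By: " . $firstname . "\n"
    . "Senders Email: " . $email . "\n\n"
    . "Message Sent:\n" . $tocomment . "\n\n";

$EmailFooter = "\nThis message was sent by: " . $firstname
    . " from " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown')
    . " If you feel that you received this e-mail by accident please contact us at www.website.com";

// Headers: From is a fixed address you control; the visitor's validated
// address goes in Reply-To so you can still answer them.
$headers = "From: Website Contact Form <" . $FromAddr . ">\r\n"
    . "Reply-To: " . $email . "\r\n"
    . "X-Mailer: PHP/" . phpversion();

if (mail($ToEmail, $ToSubject, $EmailBody . $EmailFooter, $headers)) {
    echo "EmailStatus=" . rawurlencode("Complete - Your mail has been sent");
} else {
    fail('Mail could not be sent');
}
```

To check it, POST an email value such as `a@b.com%0d%0aBcc:spam@example.com` (URL-encoded CR/LF) directly to the script with a browser form or a command-line HTTP client; the response should be `EmailStatus=Enter%20a%20valid%20e-mail%20address%21` and no mail should be sent. Using a fixed From: on your own domain also keeps the message within your domain's SPF/DMARC policy, which mail from a visitor's address in the From: line would often fail.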

I'm not sure about Flash-loaded PHP... but you can always try to use the referrer in the PHP...
[code]
<?php
function get_referrer() {
    // The Referer header is whatever the client sent; it may be missing entirely.
    return isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
}

if (get_referrer() == "yourwebpagehere.swf") {
    # rest of your code
}
?>
[/code]

That much said... I'm not sure that, if you load PHP from Flash, you'll get the right referrer... just an idea...

OK, cool.

So is the referrer the domain name and page (i.e. http://www.mywebsite.com/contact.html)?


The Flash document does not contain any PHP; its contact form variables just match the variables that are in 'flashmail.php', and it then sends all the info to the given e-mail.

Thanks for your comments so far, guys. I need to get to the bottom of this, as they said I had until Friday (TODAY) before they deleted all the scripts lol