Bethrezen Posted October 8, 2007

Hi all. I'd like to add a contact form to the site I've been building (http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/Index.php), but I'm very new to PHP and I lack the knowledge to build a form validator myself. I have already constructed the front end (http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/index.php?page=Contact), but now I need the back-end PHP to power it, and I was wondering if anyone can help. I could also do with some help making sure the PHP that makes my site is secure, so that should my site come under attack it will remain safe. Unfortunately I lack the necessary knowledge to do this myself, so again I'd be grateful if someone could help.
darkfreaks Posted October 8, 2007

Use strip_tags, mysql_real_escape_string and trim.
Bethrezen Posted October 8, 2007 (Author)

> use strip_tags mysql_real_escape_string and trim

And I do this how??? Like I said, I'm really new to PHP, so it would be helpful if you could walk me through it.
darkfreaks Posted October 8, 2007

<?php
$comment = $_POST['comment'];
$comment = strip_tags(trim(mysql_real_escape_string($comment)));
?>
Bethrezen Posted October 8, 2007 (Author)

Hi, I'm sorry, you lost me. What is that for?? And what do I do with it?? Like I said, I'm really new to PHP, so you're going to need to explain things.
darkfreaks Posted October 8, 2007

<?php
$comment = $_POST['comment']; // the posted comment
// removes whitespace, disallows special characters and removes PHP and HTML code
$comment = strip_tags(trim(mysql_real_escape_string($comment)));
?>
Bethrezen Posted October 8, 2007 (Author)

Errr, OK, I'm lost. I still have no idea what that's for or what I'm supposed to do with it.
darkfreaks Posted October 8, 2007

For every field that is posted. Say you have a comment field that is posted to the database: that would escape all special characters and remove white space from the beginning of a string, and also disallow all HTML and PHP code from being entered into the database.
Bethrezen Posted October 8, 2007 (Author)

So I take it that's how I would sanitize the user inputs from each field on the contact form?? So how do I actually go about building the back-end script to power my contact form? Because I really don't know what I'm doing. I've tried looking at the PHP for other people's contact forms, but most of the scripts that power contact forms that I've seen are either so complicated that I don't have a prayer of understanding how they work, or the scripts are incomplete and I lack the necessary knowledge to complete them to get something working.
darkfreaks Posted October 8, 2007

What do you mean by "backend"? What I have said stops SQL injection.
Bethrezen Posted October 8, 2007 (Author)

OK, obviously there has been a bit of confusion, so I'll try and explain. Normally contact forms are in two bits: the front end, which is the bit the user enters his name, email address and message into, and the back end, the PHP script that processes the form's data to ensure that it's valid before mailing its contents to me.

Now, I already have the front end built. The next step is to create the back-end script to process the form, to ensure that its contents are valid before sending it to me. This ensures that the form cannot be abused to spam me or others, and it can't be used to get info about the site that could be used to hack it.

At the moment the form I have is non-operational: if you hit the submit button nothing happens. What I'd like to have happen is for the contents of the form to be checked to make sure they're valid. If so, then allow the submission and email its contents to me. If not, because for instance a bot is trying to abuse the form, then the user input is blocked, the form is not submitted, and whatever it is they are trying to do gets terminated with an error message, something along the lines of "bad input". Unfortunately I don't know how to do this myself, and I was hoping that someone here could help me. Is that a little more clear??
darkfreaks Posted October 8, 2007

Google some tutorials on PHP mail, then you will get exactly what I am saying. If it's an email form you do not need mysql_real_escape_string, as there is no database, but strip_tags and trim still come in handy.
Bethrezen Posted October 8, 2007 (Author)

> Google some tutorials on PHP mail

I think you are missing my point. I have tried googling this, but most of what I have come up with is either incomplete or so overly complicated that I don't have a prayer of understanding how it works. One good example of this is "Creating simple PHP contact form". While this might tell me how to create a simple PHP contact form in a relatively straightforward and understandable fashion, the information is incomplete. For a start there is no security, and anyone with even a modicum of programming experience could hijack that in about 30 seconds, which is no good. Now, if I actually had more experience with PHP this might not be a problem. Unfortunately I don't; I've only been writing PHP code for all of a month, and as such something like this is way beyond my ability to do alone, which is why I came here looking for help.
darkfreaks Posted October 9, 2007

You could do something like:

<?php
if (empty($_POST['comment'])) {
    echo "Please fill in the form";
}
$comment = strip_tags($_POST['comment'], '<allowed tags>');
?>

What you need is captcha! Look it up! http://www.puremango.co.uk/cm_php_captcha_script_113.php
Bethrezen Posted October 9, 2007 (Author)

> what you need is captcha! look it up!

Aren't you getting a little ahead of things?? I need to build the form processor/validator to take the form data and do something meaningful with it first. Here is the plan of action I had come up with:

Step 1: Design an HTML form.
Step 2: Create a form processor. This will take the form data and process it, checking that user inputs are correct and that all fields have been filled out, before formatting it into an email and sending it to me.
Step 3: Add security checks to the form processor to ensure that dangerous code is blocked and removed, to foil hacking/hijacking attempts.
Step 4: Add captcha security to foil spam bots and help prevent spamming.
Step 5: Perform security validation to ensure that the code is secure and make sure I haven't left any gaping security holes open.

I've completed step 1 and built the HTML form, so now it's on to step 2, building the form processor, and this is where I'm presently stuck, because I don't know how to do this. I've tried googling it, but I haven't been able to find anything particularly helpful. Most of what I have turned up is either incomplete, too complicated, or not sufficiently explained, so I am unable to proceed. So ideally I need someone to walk me through the creation of the form processor and then help me secure it to prevent hacking/hijacking/spamming.
darkfreaks Posted October 9, 2007

Paste your code so we can help you? Maybe that would be a step in the right direction?
Bethrezen Posted October 9, 2007 (Author)

Hi all. OK, this is where I'm at right now. I've created the front-end part of the contact form, located here: http://h1.ripway.com/Bethrezen/demo/Web-Site-Demo/index.php?page=Contact. Presently this is non-operational because I need to build the form processor, the back-end bit that takes the data input into the contact form by the user and then formats it into an email before sending it to me. Now, using the info on this page, http://www.phpeasystep.com/workshopview.php?id=8, I have created a really simple form processor. Here is the code:

<?php
//Senders Name
$name = "$name";
//Senders Email Address
$mail_from = "$senders-email";
//Subject
$subject = "$subject";
//Questions And Comments
$message = "$message";
//To My Email Address
$destination = "MyEmail@example.com";
//From header persons name and email address
$header = "from: $name <$mail_from>";
mail($destination, $subject, $message, $header);
?>

Now, while this might work OK, it would be inadvisable to use it in its current form because there is no input validation of any sort. So the first check I need to add is to make sure that the form was actually submitted from my site. It has been suggested that the most reliable and secure method to do this is to use a session. So how about we start there, and you give me some step-by-step instructions for adding a session check? Well, assuming that the code above is OK and doesn't need fixing first.
darkfreaks Posted October 9, 2007

<?php
//Senders Name
$name = "$name";
//Senders Email Address
$mail_from = "$senders-email";
//Subject
$subject = "$subject";
$subject = strip_tags($subject);
$subject = trim($subject);
//Questions And Comments
$message = "$message";
$message = strip_tags($message);
$message = trim($message);
//To My Email Address
$destination = "MyEmail@example.com";
//From header persons name and email address
$header = "from: $name <$mail_from>";
mail($destination, $subject, $message, $header);
?>

Maybe have a math function for security, like:

<?php
$secretanswer = $_POST['secretanswer'];
if ($secretanswer == "3") {
    mail($destination, $subject, $message, $header);
} else {
    die("Cannot mail, the answer is wrong");
}
?>

Also make an HTML input for the secret answer, like:

What is the square root of 9? <input name="secretanswer" type="text">
darkfreaks Posted October 9, 2007

So you're saying you haven't used _POST as the submit type? Well, you should use it; it's better than sessions in this case.
SammyGunnz Posted October 9, 2007

I think you're missing the point. While people here want to help, you're going to have to understand the basics of PHP before you can comprehend how to use the examples of code people are showing you. A basic understanding is necessary. Sometimes, taking shortcuts and trying to grab snippets of ready-made code and simply pasting them will actually make the process longer and much more confusing. You're better off starting with the most elementary PHP tutorial and start grasping how it all ties together. Then it will all make sense and you'll be a happy camper.
SammyGunnz Posted October 9, 2007

Oh, one last thing... Make sure not to assume register_globals will be enabled. To retrieve values from a form, use $_POST...

<?php
$fname = $_POST['fname']; //First Name
$lname = $_POST['lname']; //Last Name / Surname
?>
Bethrezen Posted October 10, 2007 (Author)

> I think you're missing the point. While people here want to help, you're going to have to understand the basics of PHP before you can comprehend how to use the examples of code people are showing you. A basic understanding is necessary. Sometimes, taking shortcuts and trying to grab snippets of ready-made code and simply pasting them, will actually make the process longer and much more confusing. You're better off starting with the most elementary PHP tutorial and start grasping how it all ties together. Then it will all make sense and you'll be a happy camper.

This is why I asked if someone would be willing to walk me through this step by step, explaining things as we go. Now, while I can appreciate that some basic knowledge/understanding of PHP is required for this process, I learn best by having a go. Books and book-like approaches to things are no good; they don't work for me because they aren't interactive. If I don't understand something, or if something isn't working like it should because I have made a mistake, I can't ask questions. I've always learned quicker and easier by having a go and getting someone who knows what they're doing to guide me.

With this in mind, apply this methodology to the current project, building a contact form processor.

Step 1: create a blank text file and name it processor.php.
Step 2: add our opening and closing PHP tags.
Step 3 is what?? Define some variables for each of the input boxes, so that we can call each of the input boxes and collect the data that has been entered? If that's the case, then the script should look like this at this point, yes/no??

<?php
//Senders Name
$name = "";
//Senders Email Address
$mail_from = "";
//Subject
$subject = "";
//Questions And Comments
$message = "";
?>

Step 4 would be what?? Link each of my variables to one of the input boxes on the form by inserting the name identifier from each of the fields in between the double quotes? If that's the case, then the script should look like this at this point, yes/no??

<?php
//Senders Name
$name = "$name";
//Senders Email Address
$mail_from = "$email";
//Subject
$subject = "$subject";
//Questions And Comments
$message = "$message";
?>

Now you see how things are flowing here: nice, simple, easy-to-follow steps, each step building on the last, everything explained as we go, and only relevant info for each step given so as not to cause confusion. Now, I realise that people here are probably reluctant to walk me through this in this fashion, for obvious reasons, but given my lack of experience this is probably the only way I'm going to make any progress. I can do most of the work, but I need to know what I'm supposed to do first. Keep it simple: small, easy-to-follow, step-by-step instructions and, where appropriate, example code and explanations.

> so your saying you haven't used _POST as the submit type?

?? I am using method="post". Why would I use method="get" when post is more secure, because variable names and values aren't displayed in the URL?
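Putting the advice from the replies above together into one processor, as an added example that is not code from any poster in this thread: it reads the fields from $_POST instead of relying on register_globals, applies strip_tags and trim, checks that every field was filled in, checks the secret answer, and validates the e-mail address. It also rejects line breaks in the fields that end up in the mail header, because an extra line there would be treated as an extra header by the mail system, which is one way a form like this gets abused to send mail to others. The field names (name, email, subject, message, secretanswer) and the destination address are assumptions.

```php
<?php
// Added example, not code from the thread. Field names and the destination
// address are assumed; the secret question is the "square root of 9" one.

function clean_field(string $value): string {
    // strip_tags + trim, as suggested above
    return trim(strip_tags($value));
}

function is_single_line(string $value): bool {
    // Anything placed in a mail header must not contain a line break,
    // otherwise the sender could append headers of their own.
    return strpos($value, "\r") === false && strpos($value, "\n") === false;
}

function validate_contact_form(array $post): array {
    // Returns [errors, cleaned fields]; errors is empty when the input is acceptable.
    $errors = [];
    $fields = [];
    foreach (['name', 'email', 'subject', 'message'] as $key) {
        // Read explicitly from the posted data; never assume register_globals.
        $fields[$key] = clean_field($post[$key] ?? '');
        if ($fields[$key] === '') {
            $errors[] = "Please fill in the $key field";
        }
    }
    foreach (['name', 'email', 'subject'] as $key) {
        if (!is_single_line($fields[$key])) {
            $errors[] = "Bad input in the $key field";
        }
    }
    if ($fields['email'] !== '' && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address';
    }
    // The expected answer lives here on the server, never in the form itself.
    if (trim($post['secretanswer'] ?? '') !== '3') {
        $errors[] = 'The answer to the security question is wrong';
    }
    return [$errors, $fields];
}

[$errors, $f] = validate_contact_form($_POST);
if ($errors !== []) {
    // Show the problems and stop; nothing is mailed on bad input.
    die(htmlspecialchars(implode("\n", $errors)));
}
$header = "From: {$f['name']} <{$f['email']}>";
mail('MyEmail@example.com', $f['subject'], $f['message'], $header);
```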
sKunKbad Posted October 10, 2007

Just go to tectite.com and download their formmail program. It does everything you need, and if it doesn't, you can add hooks.
Bethrezen Posted October 10, 2007 (Author)

> Just go to tectite.com and download their formmail program. It does everything you need, and if it doesn't, you can add hooks.

I could do that, I mean it's certainly an option, but would I learn from doing that?? Nothing. Having finished code to look at is good if you understand what it is you are looking at, but I don't, which was the whole point of my wanting to write my own code: so that I can learn. If people here aren't willing to help me then that's fine; I guess I'll just have to struggle along on my own as best as I can. Either way it makes little difference to me one way or another. I'm determined to do this myself.
sKunKbad Posted October 11, 2007

I don't want to discourage you from learning PHP; it's just that as a web designer, I'm better off not wasting time. When the wheel exists, I don't reinvent it. The tectite formmail is awesome, and is at least a couple thousand lines of code. If you want to learn, you should download it anyway just to see how it works.