TimUSA Posted March 26, 2008

Hello all! This is really the first time I have ever really had to deal with this, but I have a form that will be open to the public and want to make it more secure against injection. I don't really know how to do this. This is the code I have so far for the processing:

```php
<?php
echo '<link href="event/styles.css" media="screen" rel="Stylesheet" type="text/css" />';

$process = true;

if (isset($_POST['form1'])) {
    foreach ($_POST as $value) {
        if ($value == "") {
            echo "You have not filled in all the fields. Please return to the previous page.<br>\n";
            $process = false;
            exit();
        }
    }

    // ereg()/eregi() were removed in PHP 7, so the checks use preg_match(). The
    // patterns are anchored with \A and \z so the whole value has to match; the
    // original unanchored patterns passed any value containing one allowed character.
    if (!preg_match('/\A[A-Za-z\' -]{1,50}\z/', $_POST['real_name'])) {
        echo 'One or more fields have information that appears to be incorrect. Please correct the format for:<br> <b>Real Name</b> may only contain letters, \' , or -<br>';
        $process = false;
    }
    if (!preg_match('/\A[A-Za-z\' -]{1,50}\z/', $_POST['boat_name'])) {
        echo 'One or more fields have information that appears to be incorrect. Please correct the format for:<br> <b>VSK Boat Name</b> may only contain letters, \' , or -<br>';
        $process = false;
    }
    if (preg_match('/[^0-9]/', $_POST['rank'])) {
        echo 'One or more fields have information that appears to be incorrect. Please correct the format for:<br> <b>VSK World Ranking</b> may only contain numbers.<br>';
        $process = false;
    }
    if (!preg_match('/\A[A-Za-z\' -]{1,50}\z/', $_POST['club'])) {
        echo 'One or more fields have information that appears to be incorrect. Please correct the format for:<br> <b>Home Club</b> may only contain letters, \' , or -<br>';
        $process = false;
    }
    // Exactly three letters, as the message says (the original {1,3} class also allowed quotes, spaces and dashes).
    if (!preg_match('/\A[A-Za-z]{3}\z/', $_POST['country'])) {
        echo 'One or more fields have information that appears to be incorrect. Please correct the format for:<br> <b>ISAF Country Code</b> may only contain three letters.<br>';
        $process = false;
    }
    if (preg_match('/[^0-9]/', $_POST['sail'])) {
        echo 'One or more fields have information that appears to be incorrect. Please correct the format for:<br> <b>Sail Number</b> may only contain numbers.<br>';
        $process = false;
    }

    // /i replaces eregi()'s case-insensitivity; \z instead of $ so a trailing newline cannot pass.
    $pattern = '/\A[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})\z/i';
    if (!preg_match($pattern, $_POST['email'])) {
        echo "Invalid e-mail address<br>";
        $process = false;
    }
    if (!preg_match($pattern, $_POST['admin'])) {
        echo "Invalid e-mail Club Admin address<br>";
        $process = false;
    }

    if ($process == false) {
        // $scripturl and $get are defined by the surrounding site code. Submitted values are
        // passed through htmlspecialchars() before being echoed back into the form.
        echo '<div id="content">Please correct your errors.</div>
        <form action="' . $scripturl . '?page=243' . $get['page'] . '" method="post">
        <input name="form1" type="hidden" value="TRUE" />
        <div id="form">Real Name:<br><input id="real_name" name="real_name" type="text" value="' . htmlspecialchars($_POST['real_name'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">VSK Boat Name:<br><input id="boat_name" name="boat_name" type="text" value="' . htmlspecialchars($_POST['boat_name'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">VSK World Ranking:<br><input id="rank" name="rank" type="text" value="' . htmlspecialchars($_POST['rank'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">Email Address:<br><input id="email" name="email" type="text" value="' . htmlspecialchars($_POST['email'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">Full Club Name:<br><input id="club" name="club" type="text" value="' . htmlspecialchars($_POST['club'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">Club Admin Email: (Verification of Membership)<br><input id="admin" name="admin" type="text" value="' . htmlspecialchars($_POST['admin'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">ISAF Country Code: <a href="http://www.sailing.org/countrycodes.php" target="_blank">Link to ISAF Country Codes</a><br><input id="country" name="country" type="text" value="' . htmlspecialchars($_POST['country'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form">Sail Number:<br>*Sail Numbers will be assigned to all non-AYC members.<br> <input id="sail" name="sail" type="text" value="' . htmlspecialchars($_POST['sail'], ENT_QUOTES) . '" size="60" maxlength="50" /></div>
        <div id="form"><input type="submit" value="Submit Registration"> <input type="reset" value="Reset"></div>
        </form>';
    }

    if ($process == true) {
        $aycmail   = "[email protected]"; // address as it appears on the archived page
        $adminmail = $_POST['admin'];
        $entrymail = $_POST['email'];
        $subject1  = 'Registration for ' . $_POST['event'] . ' by ' . $_POST['real_name'];

        $body1 = 'A registration has been submitted by ' . $_POST['real_name'] . ' for the ' . $_POST['event'] . ':
Real Name: ' . $_POST['real_name'] . '
VSK Boat Name: ' . $_POST['boat_name'] . '
VSK World Ranking: ' . $_POST['rank'] . '
Email: ' . $_POST['email'] . '
VSK Club: ' . $_POST['club'] . '
Club Admin: ' . $_POST['admin'] . '
VSK Club: ' . $_POST['club'] . '
ISAF Country Code: ' . $_POST['country'] . '
Sail Number: ' . $_POST['sail'];

        $body2 = 'Your registration has been received for the ' . $_POST['event'] . ':
Real Name: ' . $_POST['real_name'] . '
VSK Boat Name: ' . $_POST['boat_name'] . '
VSK World Ranking: ' . $_POST['rank'] . '
Email: ' . $_POST['email'] . '
VSK Club: ' . $_POST['club'] . '
Club Admin: ' . $_POST['admin'] . '
VSK Club: ' . $_POST['club'] . '
ISAF Country Code: ' . $_POST['country'] . '
Sail Number: ' . $_POST['sail'];

        $body3 = 'A registration has been submitted by ' . $_POST['real_name'] . ' for the ' . $_POST['event'] . ':
Real Name: ' . $_POST['real_name'] . '
VSK Boat Name: ' . $_POST['boat_name'] . '
VSK World Ranking: ' . $_POST['rank'] . '
Email: ' . $_POST['email'] . '
VSK Club: ' . $_POST['club'] . '
Club Admin: ' . $_POST['admin'] . '
VSK Club: ' . $_POST['club'] . '
ISAF Country Code: ' . $_POST['country'] . '
Sail Number: ' . $_POST['sail'] . '
Please confirm membership at the ' . $_POST['club'] . ' by replying to ' . $aycmail;

        mail($aycmail, $subject1, $body1);
        mail($entrymail, $subject1, $body2);
        mail($adminmail, $subject1, $body3);

        echo '<div id="content">Your registration has been received. You will receive an email confirming receipt of your registration.</div>
        <div id="content">The administrator of your Home Club must verify your membership before registration is completed.</div>
        <div id="content">Upon verification of membership, you will receive an email to confirm your registration.</div>';
    }
}
```

Link to comment: https://forums.phpfreaks.com/topic/97980-form-security/
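An added example, not part of TimUSA's post or the site's code, that rewrites the same processing as functions: anchored patterns so a field can only contain what its error message says, filter_var() for the two addresses that become mail() recipients, and one summary table feeding the three messages instead of three hand-built bodies. Field names come from the form above; the rule for the hidden `event` field, the registrar address and the sample submissions are assumptions.

```php
<?php
// Added example, not TimUSA's code: the registration checks rewritten so that
// every field is tested as a whole (anchored preg_match() patterns) and the
// three mails are built from one summary table. Field names match the form
// above; the 'event' rule, registrar address and sample values are assumptions.

// \A ... \z make the whole value match, so a line break or any other
// unexpected character fails the check instead of slipping through.
const RULES = [
    'event'     => '/\A[A-Za-z0-9 ,.\'-]{1,80}\z/', // assumed rule for the hidden event field
    'real_name' => '/\A[A-Za-z\' -]{1,50}\z/',
    'boat_name' => '/\A[A-Za-z\' -]{1,50}\z/',
    'rank'      => '/\A[0-9]{1,10}\z/',
    'club'      => '/\A[A-Za-z\' -]{1,50}\z/',
    'country'   => '/\A[A-Za-z]{3}\z/',
    'sail'      => '/\A[0-9]{1,10}\z/',
];

const LABELS = [
    'real_name' => 'Real Name',         'boat_name' => 'VSK Boat Name',
    'rank'      => 'VSK World Ranking', 'email'     => 'Email',
    'club'      => 'VSK Club',          'admin'     => 'Club Admin',
    'country'   => 'ISAF Country Code', 'sail'      => 'Sail Number',
];

// Returns field => message for every problem; an empty array means clean.
function validateRegistration(array $post): array
{
    $errors = [];
    foreach (array_merge(array_keys(RULES), ['email', 'admin']) as $field) {
        // trim() === '' rather than empty(): empty('0') is true and would
        // reject a rank or sail number of 0.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = 'This field is required.';
        }
    }
    foreach (RULES as $field => $pattern) {
        if (!isset($errors[$field]) && !preg_match($pattern, $post[$field])) {
            $errors[$field] = 'Contains characters that are not allowed.';
        }
    }
    foreach (['email', 'admin'] as $field) {
        // FILTER_VALIDATE_EMAIL accepts any TLD length and rejects line breaks,
        // which matters because these two values become mail() recipients.
        if (!isset($errors[$field]) && filter_var($post[$field], FILTER_VALIDATE_EMAIL) === false) {
            $errors[$field] = 'Invalid e-mail address.';
        }
    }
    return $errors;
}

function registrationSummary(array $post): string
{
    $lines = [];
    foreach (LABELS as $field => $label) {
        $lines[] = $label . ': ' . $post[$field];
    }
    return implode("\n", $lines);
}

// The three [recipient, subject, body] messages the original sends, to be
// built only after validateRegistration() has returned no errors.
function buildMessages(array $post, string $aycmail): array
{
    $summary   = registrationSummary($post);
    $subject   = 'Registration for ' . $post['event'] . ' by ' . $post['real_name'];
    $submitted = 'A registration has been submitted by ' . $post['real_name']
        . ' for the ' . $post['event'] . ":\n" . $summary;
    return [
        [$aycmail, $subject, $submitted],
        [$post['email'], $subject, 'Your registration has been received for the ' . $post['event'] . ":\n" . $summary],
        [$post['admin'], $subject, $submitted . "\nPlease confirm membership at the " . $post['club'] . ' by replying to ' . $aycmail],
    ];
}

// Constructed sample submissions standing in for $_POST.
$good = [
    'event' => 'Spring Regatta', 'real_name' => "Mary O'Neil", 'boat_name' => 'Windward',
    'rank' => '42', 'email' => 'mary@example.info', 'club' => 'Harbour Sailing Club',
    'admin' => 'admin@example.org', 'country' => 'GBR', 'sail' => '0',
];
$bad = $good;
$bad['real_name'] = "Mary\nsecond line"; // a line break never belongs in a name
$bad['country']   = 'G';

foreach (['good' => $good, 'bad' => $bad] as $name => $post) {
    $errors = validateRegistration($post);
    if ($errors === []) {
        foreach (buildMessages($post, 'registrar@example.org') as [$to, $subject, $body]) {
            echo "To: $to\nSubject: $subject\n$body\n\n"; // mail($to, $subject, $body) in production
        }
    } else {
        foreach ($errors as $field => $message) {
            echo "$name/$field: $message\n";
        }
    }
}
```

Run it with `php` on the command line: the first sample passes every check and prints the three messages, the second is stopped by the anchored `real_name` and `country` rules before any message is built, which is the point of validating the whole value rather than searching for one allowed character.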
soycharliente Posted March 26, 2008

What type of injections are you talking about? You aren't posting anything to a db. This is what I use for my $_POST array:

```php
<?php
// dbconnect() and dbclose() are the poster's own helper functions.
// Note: mysql_real_escape_string() was removed in PHP 7.0 and
// get_magic_quotes_gpc() in PHP 8.0.
function myEscape($string) {
    dbconnect();
    $str = get_magic_quotes_gpc() ? stripslashes($string) : $string;
    $new = mysql_real_escape_string($str);
    dbclose();
    return $new;
}

if (isset($_POST)) {
    foreach ($_POST as $key => $val) {
        $_POST[$key] = myEscape($val);
    }
}
?>
```

I see you're using `if ($value == "")`; look into using `if (empty($value))`, as empty() will test for multiple types of NULL input.

Your email pattern fails for an email address with a 4+ letter tld, of which there are 11 according to this Wikipedia article.
TimUSA Posted March 26, 2008 (Author)

> What type of injections are you talking about? You aren't posting anything to a db. This is what I use for my $_POST array:

That was my concern. If this is not posting to a DB do I have to worry about injection? Are there any other security issues that I need to be concerned with when just having a mail script?

> Your email pattern fails for an email address with a 4+ letter tld

Suggestions on a working string?
soycharliente Posted March 26, 2008

Honestly I don't know how feasible this is but look at the example of:

```php
<?php
$var = $_POST['name'];
$subject = "Hello $var!";
echo $subject;
?>
```

What if as their name they entered ``"; mysql_query("DROP `table`"); echo "`` or something. That could be bad if you have a db connection open already. So by escaping the data that is posted, you're ensuring that the literal characters are being passed and it's echoing ``Hello "; mysql_query("DROP `table`"); echo "!`` instead of screwing with your code.

As far as the email pattern goes, `[a-z]{2,3}` is just too short. You could easily just make it `[a-z]{2,6}` or something. I've got my own email pattern that I use.
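As an added illustration of the pattern discussion (not code from the thread or from either poster), the original e-mail pattern and the suggested `{2,6}` widening are run through preg_match() next to PHP's built-in FILTER_VALIDATE_EMAIL on a few constructed addresses. The two patterns are the thread's own, converted from eregi() syntax: the `/i` flag for case-insensitivity, and `\A`/`\z` in place of `^`/`$` so that a trailing newline cannot satisfy the end anchor. The sample addresses are made up.

```php
<?php
// Added example, not from the thread: the e-mail pattern discussed above, the
// suggested {2,6} widening, and PHP's FILTER_VALIDATE_EMAIL run over a few
// constructed addresses. Patterns are converted from eregi() syntax for
// preg_match(): /i for case-insensitivity, \A and \z instead of ^ and $ so
// that a trailing newline cannot satisfy the end anchor.
const PATTERN_ORIGINAL = '/\A[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})\z/i';
const PATTERN_WIDENED  = '/\A[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})\z/i';

// Returns the verdict of each check for one address.
function checkEmail(string $address): array
{
    return [
        'original'   => (bool) preg_match(PATTERN_ORIGINAL, $address),
        'widened'    => (bool) preg_match(PATTERN_WIDENED, $address),
        'filter_var' => filter_var($address, FILTER_VALIDATE_EMAIL) !== false,
    ];
}

// Constructed addresses (not real ones).
$samples = [
    'sailor@example.com',    // 3-letter TLD: every check accepts
    'sailor@example.info',   // 4-letter TLD: the original pattern rejects
    'sailor@example.museum', // 6-letter TLD: only the widened pattern and filter_var accept
    'Sailor@Example.COM',    // mixed case: /i keeps the eregi() behaviour
    "sailor@example.com\n",  // trailing line break: rejected by all three
];

foreach ($samples as $address) {
    $verdicts = checkEmail($address);
    printf("%-26s original=%-3s widened=%-3s filter_var=%s\n",
        json_encode($address),
        $verdicts['original'] ? 'yes' : 'no',
        $verdicts['widened'] ? 'yes' : 'no',
        $verdicts['filter_var'] ? 'yes' : 'no');
}
```

The table this prints makes the trade-off visible: any fixed TLD length in a hand-written pattern will eventually be too short, whereas filter_var() carries no such limit, and both approaches reject the line-break case only because the end anchor is `\z` rather than `$`.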