PHP Form Security



Paper Shredder Clay
09-25-2009, 12:05 PM
Can someone provide me with good PHP sites? I want to create a good, solidly secure contact form page, but want to be sure it doesn't get hijacked to send out spam.

Thanks.

billbenson
09-25-2009, 12:28 PM
What kind of form is it? Does it just collect emails or other information? Are you going to write it, or are you looking for a script?

There is a simple PHP command for removing HTML tags entered into forms, but that's not usually enough. You can use regular expressions to validate entries, but they can get ugly real fast.

You want to validate forms server side. You can also validate client side using JavaScript, but this is more for visitor convenience than security.
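An added example, not code from this thread or its posters, of what "validate server side" looks like for the form the original poster describes, including the one thing that turns a contact form into a spam relay: a form field that is copied into a mail header and carries an extra line. The function names, field names, the recipient address and the sending address are all assumptions for this example.

```php
<?php
// Added example, not code from the thread: server-side validation for a contact
// form, and a mail builder that cannot be turned into a spam relay by smuggling
// extra headers through a form field. Function and field names are assumptions.

declare(strict_types=1);

const RECIPIENT = 'you@example.com';   // fixed recipient: never taken from the form

/**
 * Returns ['errors' => [...], 'clean' => [...]]. Use only the 'clean' copy
 * afterwards, and only when 'errors' is empty.
 */
function validate_contact(array $input): array
{
    $errors = [];

    // Every field must be present and a plain string; a hand-built request can
    // send field[]=... and turn a value into an array.
    foreach (['name', 'email', 'phone', 'comment'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            return ['errors' => ["$field is missing"], 'clean' => []];
        }
    }

    $name = trim($input['name']);
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }

    // FILTER_VALIDATE_EMAIL already rejects CR/LF; the explicit check documents
    // that newlines are exactly what header injection depends on.
    $email = trim($input['email']);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'email address is not valid';
    }

    // Phone: digits, spaces, +, -, parentheses, 7 to 20 characters.
    $phone = trim($input['phone']);
    if (!preg_match('/^[0-9+() -]{7,20}$/', $phone)) {
        $errors[] = 'phone number is not valid';
    }

    $comment = trim($input['comment']);
    if ($comment === '' || strlen($comment) > 2000) {
        $errors[] = 'comment must be 1-2000 characters';
    }

    $clean = $errors === [] ? compact('name', 'email', 'phone', 'comment') : [];
    return ['errors' => $errors, 'clean' => $clean];
}

/**
 * Builds the arguments for mail(). Recipient, subject and From are constants;
 * the visitor's address goes into Reply-To only after validation, so no form
 * field can add Cc:/Bcc: lines or change where the message is delivered.
 */
function build_mail(array $clean): array
{
    $body = "Name: {$clean['name']}\nEmail: {$clean['email']}\n"
          . "Phone: {$clean['phone']}\n\n{$clean['comment']}\n";

    $headers = "From: webform@example.com\r\n"    // an address on your own domain
             . "Reply-To: {$clean['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return [RECIPIENT, 'Website contact form', $body, $headers];
}

// Constructed request in which the email field carries an extra header line.
$tampered = [
    'name'    => 'Alice',
    'email'   => "alice@example.com\r\nBcc: someone-else@example.net",
    'phone'   => '+1 555 0100',
    'comment' => 'Hello',
];
print_r(validate_contact($tampered)['errors']);   // rejected, nothing is sent

$good = $tampered;
$good['email'] = 'alice@example.com';
$result = validate_contact($good);
if ($result['errors'] === []) {
    [$to, $subject, $body, $headers] = build_mail($result['clean']);
    // mail($to, $subject, $body, $headers);   // enable on a real server
    echo $headers;
}
```

The design point is that the visitor's input never reaches a mail header except the Reply-To, and only after it has passed a check that excludes line breaks; the recipient is a constant in the script, not a hidden form field. Client-side JavaScript checks can still be added for convenience, but they change nothing about what this script will accept.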

Paper Shredder Clay
09-25-2009, 12:33 PM
Thanks for the quick reply. It will be a general feedback, comment form with address, email, phone, drop down selections for interest and a comment field. Also another related question, what do you need to do to secure a search box field?


billbenson
09-25-2009, 12:38 PM
Are you going to write this, or are you looking for a canned script?

Paper Shredder Clay
09-25-2009, 12:42 PM
Sorry, no, I would like to write it myself.

rezzy
09-25-2009, 12:52 PM
Depending on where you want this to go, I would strongly advise you have someone else check your script. In the web business we always believe trust no one; every input into a system needs to be checked and rechecked. Hackers are very resourceful people, and through more methods than you know, they can try to attack vulnerabilities in your script.

With that said, if you intend to just email yourself the info, there is a lower risk, IMO, of something going wrong. Outside of being attacked with spam emails.

If you are intending on submitting information to a database, be very careful. Every input MUST be filtered/checked/scanned and more. Otherwise, you could have a nasty situation on your hands.

Where are you hoping to store that information?

Paper Shredder Clay
09-25-2009, 12:56 PM
Well, ideally a MySQL database, but in the meantime, just an email to myself.


rezzy
09-25-2009, 01:09 PM
Here is a link to the email script. PHP Email (http://www.thesitewizard.com/archive/feedbackphp.shtml)
That's a basic script that I found quickly to help you along.

If you want to jump into MySQL stuff, I am not sure of your level of understanding in the programming realm. I will outline the steps.

1. Install a development system on your laptop/desktop; you don't want to program on a server
2. Create DB with associated fields
3. Create script
4. Test

Upload to server and create db entries and release to the world. If this is something you don't mind learning or doing, I can pass along some guides.

billbenson
09-25-2009, 01:10 PM
Here's an overview at wikipedia
SQL injection - Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/SQL_injection)

I would also do some searches for form scripts on Google and look at the code they use for the types of fields you need to protect.

Here's another, again a wiki, on regular expressions
Regular expression - Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/Regular_expressions)

The easiest thing to do is find a regular expression for filtering that meets your needs and use it. Writing them on your own can get complicated fast.

Paper Shredder Clay
09-25-2009, 01:37 PM
I have experience with PHP and MySQL, just wanting to learn more about security.

Thanks for the tips.

vangogh
09-26-2009, 12:01 AM
Here are a couple of posts I've bookmarked on forms and security

Sanitize and Validate Data with PHP Filters (http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/)
Serious Form Security (http://css-tricks.com/serious-form-security/)

The most important thing is to sanitize the input. Rule #1 is never to trust any data that comes through the browser. Even something like a drop down where you might think the responses are only the ones you've set up can be changed. If you make sure to check all the data that comes through the form before doing anything you've won most of the battle.
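An added example, not code from this thread, of the drop-down point made above: the server keeps one list of options, renders the select from it, and accepts a submitted value only if it is a key of that same list. The field name and the option list are assumptions for this example; the constructed inputs at the end show what a normal browser sends alongside what an edited page or a hand-built request can send.

```php
<?php
// Added example, not code from the thread: accept a drop-down value only if it is
// one of the options the server itself offered. Field and option names are
// assumptions for this example.

declare(strict_types=1);

// Single source of truth for the <select>: used both to render the form and to
// check what comes back, so the two cannot drift apart.
const INTERESTS = [
    'sales'   => 'Sales enquiry',
    'support' => 'Product support',
    'other'   => 'Something else',
];

/** Renders the <select> from the same list that validation uses. */
function render_interest_select(): string
{
    $html = '<select name="interest">';
    foreach (INTERESTS as $value => $label) {
        $html .= '<option value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">'
               . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html . '</select>';
}

/**
 * Returns the validated key, or null if the submitted value is not an option.
 * The is_string check matters: a hand-built request can send interest[]=...
 * and turn the value into an array, which loose comparisons may let through.
 */
function validate_interest($submitted): ?string
{
    if (!is_string($submitted)) {
        return null;
    }
    return array_key_exists($submitted, INTERESTS) ? $submitted : null;
}

echo render_interest_select(), "\n\n";

// Constructed inputs: what the browser sends, and what a tampered request can send.
$cases = [
    'support',               // an offered option
    'marketing',             // an option that was never offered
    "support' OR '1'='1",    // option value edited in the page source
    '0',                     // looks like an index, is not a key
    ['sales'],               // interest[]=sales turns the field into an array
    '',
];
foreach ($cases as $case) {
    $result = validate_interest($case);
    printf("%-24s => %s\n", json_encode($case), $result ?? 'REJECTED');
}
```

Only the first case is accepted. The same pattern applies to radio buttons and checkboxes: the browser's list of choices is a convenience for the visitor, and the server's list is the one that counts.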

bacterozoid
09-26-2009, 10:52 AM
If it's just sending an email and not storing any data, just use some sort of "human test" to prevent bots from submitting the form. Avoid using a CAPTCHA phrase - those are annoying. You may also be able to use some fancy JavaScript form submission technique - although I haven't had a chance to look into these myself.

As far as security goes: Anytime you have user input through $_POST, $_GET, etc, create a foreach loop that calls mysql_real_escape_string on all elements of that array.

When you display stuff from a database, call htmlentities on the data you display to prevent users from adding javascripts and stuff to your database which can then mess things up when it's displayed.
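An added example, not code from this thread, for the database half of the advice above. It keeps the two ideas the post gets right, protect the query and encode on display, but uses a prepared statement rather than a loop that escapes every element of $_POST: the mysql_ extension that provides mysql_real_escape_string was removed in PHP 7.0, and escaping values before you know which query (if any) they will end up in is easy to get wrong. The table and column names are assumptions; the example uses an in-memory SQLite database so it runs without a server, and the same PDO calls work against MySQL with a mysql: DSN. It needs PHP 7.4 or later for the arrow function.

```php
<?php
// Added example, not code from the thread: storing a validated submission with a
// prepared statement and encoding it on the way back out. Table and column
// names are assumptions. SQLite in memory is used so the script runs offline.

declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Against MySQL also set PDO::ATTR_EMULATE_PREPARES to false, so the server
    // receives the statement and the parameters separately.
    $db->exec('CREATE TABLE feedback (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL, email TEXT NOT NULL, comment TEXT NOT NULL)');
    return $db;
}

/**
 * The SQL text is fixed; the values travel as bound parameters, so nothing in
 * them is ever parsed as SQL. No escaping function is needed on this path.
 */
function store_feedback(PDO $db, string $name, string $email, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO feedback (name, email, comment) VALUES (:name, :email, :comment)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

/** Encoding happens at output time, for the context the data is used in (HTML here). */
function render_feedback_row(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $e($row['name']) . '</td><td>' . $e($row['email'])
         . '</td><td>' . $e($row['comment']) . '</td></tr>';
}

$db = open_db();

// Constructed inputs: a quote that would break a string-concatenated query, and a
// comment carrying markup that must not run when it is displayed.
store_feedback($db, "O'Brien", 'ob@example.com', 'Nice site');
store_feedback($db, 'Eve', 'eve@example.com', '<script>alert(1)</script>');

foreach ($db->query('SELECT name, email, comment FROM feedback ORDER BY id') as $row) {
    echo render_feedback_row($row), "\n";
}
// The comment is stored exactly as typed; the browser receives &lt;script&gt;...
// and shows it as text rather than executing it.
```

Storing the raw text and encoding at output is deliberate: the same comment may later be shown in HTML, put in a JSON response or written to a log, and each of those needs its own encoding, which a one-time htmlentities() before the INSERT cannot provide.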

Paper Shredder Clay
09-28-2009, 11:14 AM
I've seen before that you should check even drop-down variables. How is it that someone can change them even when you aren't using the method that shows up in the URL?

bacterozoid
09-28-2009, 11:20 AM
How is it that someone can change them even when you aren't using the method that shows up in the url?

There are tons of ways to change the source code of a web page. For example, I use a Firefox extension called Firebug for development. It lets me change ANYTHING I want on the page. (Excluding server side code, like PHP). So I could change a dropdown value to be anything (like a SQL injection attack string), then submit the page. If you don't have code on your server to protect against that, you are vulnerable.

vangogh
09-28-2009, 12:01 PM
Yep. Another way is to simply download the source of your page, rewrite the code to include any options I want, and load the page locally on my computer or even another server somewhere online. As long as the form points back to your page for processing, anything can be sent to the processing page.

rezzy
09-29-2009, 03:55 PM
On top of that, web bots don't use your form; they submit directly to your code. Assume that anything coming in can be dirty and filter it, and if needed use regular expressions to make sure it's information that's formatted how you wanted.

When receiving emails or phone numbers etc.