Forum Moderators: coopster


Using PHP for a mail script - Security?

What precautions do I need to take?


Aleister

7:15 pm on Oct 20, 2004 (gmt 0)

10+ Year Member



I have a basic contact form script in PHP, and I need to make it a bit more secure.

I have seen stripslashes() used often, but what if the user needs a slash in his comment for some reason?

Basically I am trying to figure out how to process the variables to both keep the script from doing anything bad, and to not 'mess up' what the user types no matter what. Is this possible?

I am not using any sort of database, just a simple form which will mail me what they type.

Thanks for any info!

kumarsena

7:46 pm on Oct 20, 2004 (gmt 0)

10+ Year Member



Have you tried a Google search?

'securing html forms with php' gave me some interesting results. Besides, you might want to take a look at some free scripts out there and see how they implement security.

Aleister

8:13 pm on Oct 20, 2004 (gmt 0)

10+ Year Member



Well from what I read lately, htmlentities() looks like it could do what I want, but I am just not sure about all cases. I guess there is not really a "standard" way to do this.

kumarsena

8:24 pm on Oct 20, 2004 (gmt 0)

10+ Year Member



I don't think there is a standard way. It's a balance between what you want to allow the user to enter and what you are willing to risk with regard to security. As I said, your best bet is to look at other popular scripts and see what they do...

dreamcatcher

8:31 pm on Oct 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do your e-mails have to be in HTML format? How about just sending plain text e-mails?

Aleister

10:25 pm on Oct 20, 2004 (gmt 0)

10+ Year Member



That is a good point. I do not really know if I need HTML at all in them, since I could easily just strip the HTML tags instead of converting them to output-friendly versions.

The only thing I am thinking about is future expandability. Once I get the script exactly the way I want it, I plan on creating a little program which will generate a custom version of the script based on the user's needs. So they can go through and select what kind of fields they want, what kind of 'checking' they want done on them, what features will be included or not, etc. So you never know; I might someday require a field in the form that may contain slashes or less-than signs or whatever.
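Added example (not from any post in this thread): the three treatments discussed so far, applied to one constructed field so the difference is visible side by side. Plain-text mail passes the text through untouched, htmlentities() encodes it reversibly for an HTML body, and strip_tags() is lossy. The function names, the addresses and the sample comment are illustrative assumptions, and the code assumes PHP 7.1 or later. The header check at the end is the standard caveat for mail() rather than anything the thread states: any field that lands in a header (From:, Subject:) has to be rejected if it contains a line break, because a line break inside a header value starts a new header line.

```php
<?php
// Added example, not code from the thread. Names and sample input are made up.

// Constructed user input: an HTML tag, a backslash and a forward slash.
$comment = 'see <b>bold</b>, C:\path, ratio 3/4';

// 1. Plain-text mail: the text is the message, nothing needs encoding,
//    so slashes, backslashes and less-than signs all arrive as typed.
function forPlainText(string $s): string
{
    return $s;
}

// 2. HTML mail: encode so the text is displayed literally inside an HTML body.
//    Reversible, so nothing the user typed is lost: html_entity_decode()
//    with the same flags gives the original string back.
function forHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// 3. strip_tags(): drops the tags and whatever else looks like one. Lossy:
//    there is no way to get the removed text back.
function forStripped(string $s): string
{
    return strip_tags($s);
}

// Header-bound fields (From:, Subject:) must not contain CR or LF, because a
// line break inside a header value starts a new header line. Reject, do not repair.
function headerSafe(string $s): bool
{
    return preg_match('/[\r\n]/', $s) === 0;
}

// Assemble a plain-text message. The body keeps the comment verbatim; only the
// fields that go into headers are checked.
function buildMessage(string $fromEmail, string $subject, string $comment): array
{
    if (!headerSafe($fromEmail) || !headerSafe($subject)) {
        throw new InvalidArgumentException('line break in a header field');
    }
    if (filter_var($fromEmail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not an e-mail address');
    }
    $headers = "From: $fromEmail\r\nContent-Type: text/plain; charset=UTF-8\r\n";
    return [$headers, $subject, forPlainText($comment)];
}

// The same field under each treatment.
echo forPlainText($comment), "\n";
echo forHtml($comment), "\n";
echo forStripped($comment), "\n";
var_dump(html_entity_decode(forHtml($comment), ENT_QUOTES, 'UTF-8') === $comment);

// A normal submission: $headers and $body are what mail() would be given.
[$headers, $subject, $body] = buildMessage('alice@example.com', 'Contact form', $comment);
// mail('you@example.com', $subject, $body, $headers);   // sending omitted in this example

// A submission that tries to smuggle an extra header through the From field.
try {
    buildMessage("alice@example.com\r\nBcc: other@example.com", 'Contact form', $comment);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On the sample comment, forPlainText() and forHtml() both keep the backslash and the slash; only the angle brackets change under htmlentities(), and decoding restores the exact original. forStripped() returns the words without the tags, which is the information loss the poster is worried about. The second buildMessage() call is refused before any header is assembled.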

dreamcatcher

11:07 pm on Oct 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



When you post form data, PHP automatically escapes what it thinks are problematic quotes if you have magic quotes switched on on your server. If you don't, you would use addslashes(). This really is for when you are posting to a database though, which uses apostrophes in its syntax. Because the code has no way of knowing where the data is going when it's posted, it functions the same. Hence you have some quotes in your e-mails with a slash before them.

The stripslashes function simply removes those slashes once the data is retrieved. This does not affect anyone using slashes in their messages. It will only remove the slashes that are used to escape problematic quotes. The stripslashes function should always be used when displaying data that has text values from a form, just in case there are any slashes.
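Added example (not from any post in this thread) of the addslashes()/stripslashes() round trip described above, run on constructed input that itself contains an apostrophe and a backslash. It shows the case where stripslashes() gives back exactly what the user typed, and the case where it removes a backslash the user meant. The formValue()/formArray() helpers at the end are an assumption about how to apply this, not something from the thread; get_magic_quotes_gpc() exists on PHP 4 and 5 (always false from 5.4, removed in PHP 8), hence the function_exists() guard.

```php
<?php
// Added example, not code from the thread. The input is constructed.

// What the user actually typed: one apostrophe and one backslash.
// (Single-quoted PHP string: \' is an apostrophe, \t is a literal backslash + t.)
$typed = 'It\'s in C:\temp';

// What the script receives with magic_quotes_gpc on, or after addslashes():
// the apostrophe and the backslash are each preceded by an added backslash.
$escaped = addslashes($typed);

// stripslashes() undoes that escaping exactly. The user's own backslash
// survives because it was doubled first, so this round trip is lossless.
$restored = stripslashes($escaped);
var_dump($restored === $typed);

// The same call on text that was never escaped is lossy: stripslashes()
// removes every backslash it sees, so the user's C:\temp loses its backslash.
$mangled = stripslashes($typed);
var_dump($mangled === $typed);
echo $mangled, "\n";

// Strip only when slashes were actually added. get_magic_quotes_gpc() reports
// the setting on PHP 4 and 5, so the call is guarded; on PHP 8 the function
// no longer exists and the raw value is returned unchanged.
function formValue($raw)
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($raw) : $raw;
}

// A whole form ($_POST in real use) needs the same treatment field by field.
function formArray(array $fields)
{
    return array_map('formValue', $fields);
}

// Constructed stand-in for $_POST.
print_r(formArray(['name' => 'O\'Brien', 'comment' => $typed]));
```

The first var_dump() is true and the second is false: the escape-then-strip pair is safe, but stripslashes() on its own is not a no-op for anyone whose message contains a backslash. That is why the helper only strips when it knows the slashes were added.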

Aleister

1:56 pm on Oct 21, 2004 (gmt 0)

10+ Year Member



I see, so it is mainly useful if I am sticking the info in a database, but it will not hurt to do it anyway.

I will go ahead and test it with various inputs and see what happens then :)