Birdman

2:17 pm on Feb 22, 2003 (gmt 0)

Hello,

I have a few forms that are sent to a simple PHP script that I wrote. It just sends me the user input.

My question is:

What are the best ways to protect it from abuse?

Also, would I be better off grabbing an off-the-shelf script instead?

hakre

3:27 pm on Feb 22, 2003 (gmt 0)

Hi Birdman,

To get the most security, keep in mind that any variable can be filled with any value possible. You can't count on the form (size limitations or such); you have to count on your PHP. Off-the-shelf is quick and easy, but you don't know if it's secure or not (read the docs about security and PHP anyway). Writing a script on your own is not that hard for a form-to-mail thingy at all.

here are my 2 cents:

- check all incoming values
- disable register globals (not such a need, but check out that feature)
- don't put the email into a hidden field value, put it into the script.

-hakre
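
An added example, not part of the original posts: a small PHP form-to-mail handler that applies the three points in the reply above. It checks every incoming value on the server, reads input from an explicit array instead of relying on register globals, and keeps the recipient in the script. The field names, length limits and recipient address are assumptions made for the illustration.

```php
<?php
// Recipient is fixed in the script, never taken from a hidden form field.
const RECIPIENT = 'webmaster@example.com'; // placeholder address (assumption)
// Allowed fields and their maximum lengths (assumed); anything else is ignored.
const FIELDS = ['name' => 80, 'email' => 254, 'message' => 5000];

// Validate raw form input on the server. Returns [cleanValues, errors].
function validate_form(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELDS as $field => $maxLen) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {            // name[]=x arrives as an array
            $errors[] = "$field: unexpected type";
            continue;
        }
        $value = trim($value);
        if ($value === '' || strlen($value) > $maxLen) {
            $errors[] = "$field: missing or too long";
            continue;
        }
        // Single-line fields must stay on a single line.
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field: line breaks not allowed";
            continue;
        }
        $clean[$field] = $value;
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
        unset($clean['email']);
    }
    return [$clean, $errors];
}

// Constructed sample input for a command-line run; real requests use $_POST.
// The oversized message stands in for a client that ignores the form's size limit.
$input = PHP_SAPI === 'cli'
    ? ['name' => ['x'], 'email' => 'visitor@example.net', 'message' => str_repeat('x', 6000)]
    : $_POST;

[$clean, $errors] = validate_form($input);
if ($errors) {
    http_response_code(400);
    exit('Rejected: ' . implode('; ', $errors) . "\n");
}
$body = "Name: {$clean['name']}\nReply to: {$clean['email']}\n\n{$clean['message']}";
mail(RECIPIENT, 'Contact form', $body, 'From: ' . RECIPIENT);
echo "Thank you\n";
```

Run from the command line, the constructed input is rejected for the `name` and `message` fields and no mail is sent.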