Forum Moderators: coopster
So, if someone enters their name in the "name" field, and clicks submit, then the next screen outputs their name.
It's pretty simple.
However, since I plan to put it online, I'm pretty sure that the form can't be used to send out injected spam or anything (since there's no mailing of anything involved), but I've been told that it's possible to enter info in the fields to see what's on *my* server, and possibly use my form to hack into the server.
I know how to check fields for "invalid" info when you're mailing it (check for \r, \n and other assorted nasties), but I don't know what to check for when someone wants to enter input so the form will return sensitive server information.
Would anyone have any tips for me?
A good rule is that it is easier to control what you allow than to list what you disallow.
And Joel - no, the output is not sent to a database.
What I'm doing is creating an "automated" system for a PHP form I've developed. It took me a couple of years to get it where it is today, and I'm currently working on upgrading the form files. One BIG complaint I've gotten about the forms is that my instructions are hard to understand. I guess I'm not good at "babytalking" when it comes to code ;)
So what I've decided to do is create a form on my site that someone fills out with stuff they want on the form. When they click "submit" they are returned to an HTML page that has the code put up (with their specifications) so they can copy and paste it and save it and use it. That way, no one has to read through my (apparently difficult) instructions to figure out what it is they need to do.
Hope that makes sense.
There is no mailing involved, and no connecting to databases. It's just taking the "desires" of the end user and outputting it on the next page in a nice format. But someone mentioned that it would be possible to input bad stuff into the fields, and get my server information. So I wanted to be sure, before I made this live, that everyone was safe - including my host.
So yeah, I'll read up on these articles - I've actually been looking for stuff like this for a long time! - and when I've done what I *think* I can do, I'll post the code so you all can take a peek at it and smack me with "What the hell were you thinking?" ;)
Thank you!
so they will be inserting form element names and you will spit out a form for them to cut and paste
one thing is you could have them select what they want from a list instead of having textboxes. When you accept text input then you have to test it for accepted values.
If you are building forms for them then it should be relatively preset
if it's not then the most important thing will be to test for unacceptable characters
now I understand what you are doing
> so they will be inserting form element names and you will spit out a form for them to cut and paste
Yep.
> one thing is you could have them select what they want from a list instead of having textboxes. When you accept text input then you have to test it for accepted values.
> If you are building forms for them then it should be relatively preset
Right. The only text that will be entered is the email address they want the form to be sent to, the subject line they want, and the "Name" they want the email to be sent to. That's the only three fields that will actually be user input. The rest is dropdown selections (and when I get to the more complex, then it'll have radio buttons and such - possibly more text fields when they want to send to more than one address - but I want to get the simple one finished first)
But yes, everything else is preset. What they choose from the dropdowns will just be plugged into certain areas of the form script, and same with what text they enter.
> if it's not then the most important thing will be to test for unacceptable characters
That's what I need to know to look for. I'm aware of checking for trying to push through headers (to inject), and trying to use forms for spam and how to check for that. (in fact, the form I've created does this as well) I just want to be sure there's nothing they can put in that will allow them to see any "delicate" server settings when they shouldn't. I don't know exactly what I should be looking for to prevent that kind of "injection" attempt. I'm not sure if I should be looking for stuff like $_GET or $_POST, or <?php - I'm just not sure what characters I should be looking for. If I knew that, then I'd know what to do - but that's where I'm stuck.
what is in a name?
all lower case letters
all upper case letters
a hyphen
a space
that's about it, if you get anything else then it's bad data
apply the same thought to the others
email address
all lower case letters
all upper case letters
numbers
a period
a hyphen
an underscore
the subject line they want
this gets a little trickier but you can make a set you allow
punctuation .,:;?"'- (could be some others)
all lower case letters
all upper case letters
you could maybe add a few others
as I said above, if you test the data and something is amiss then it's bad data, don't try to fix it, just send it back to the user to fix
if anyone sees something I left out, please correct my sets :)
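Putting the sets from the post above into code, as an added example that is not part of the thread: one allowlist pattern per field, checked with preg_match(), and a submission that fails any check is handed back to the user rather than repaired. The email set as listed has no "@", so the example adds it along with a required domain part, and the name set gets the period and apostrophe that names such as "St. John" or "O'Brien" need. Field names, length limits and the sample submissions are assumptions for the example.

```php
<?php
// Added example, not code from the thread. Allowlist validation for the three
// free-text fields under discussion: whatever is not explicitly permitted is
// rejected, and the submission goes back to the user to fix, not "repaired".

// Assumed field names and limits; adjust to the real form.
const MAX_LENGTH = ['name' => 60, 'email' => 254, 'subject' => 60];

// One pattern per field. ^...+$ means the whole value must consist of listed
// characters; the D modifier stops $ from matching before a trailing newline.
const PATTERNS = [
    // letters, space, hyphen, plus the period and apostrophe real names need
    'name'    => "/^[A-Za-z .'-]+$/D",
    // the set from the post above, with the @ it left out and a domain part
    'email'   => '/^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D',
    // letters, digits, space and sentence punctuation; no $ < > [ ] { }
    'subject' => "/^[A-Za-z0-9 .,:;?!()\"'&-]+$/D",
];

// Returns field => problem for every field that failed; an empty array means
// everything passed. Length is checked before the pattern so an oversized
// value is never silently truncated.
function validate_fields(array $input): array
{
    $errors = [];
    foreach (PATTERNS as $field => $pattern) {
        $value = $input[$field] ?? '';
        if ($value === '') {
            $errors[$field] = 'is required';
        } elseif (strlen($value) > MAX_LENGTH[$field]) {
            $errors[$field] = 'is too long';
        } elseif (!preg_match($pattern, $value)) {
            $errors[$field] = 'contains characters that are not allowed';
        }
    }
    return $errors;
}

// Constructed submissions for demonstration, not real users.
$submissions = [
    ['name' => "Mary O'Brien", 'email' => 'mary.obrien@example.com',
     'subject' => 'Question about your form: does it work?'],
    ['name' => 'Mike <script>', 'email' => 'nobody at example',
     'subject' => 'Hello $_GET[x]'],
];

foreach ($submissions as $i => $fields) {
    $errors = validate_fields($fields);
    echo "submission $i: ", $errors ? 'rejected' : 'accepted', "\n";
    foreach ($errors as $field => $problem) {
        echo "  $field $problem\n";
    }
}
```

The first constructed submission passes every check; the second fails all three (angle brackets in the name, no "@" in the address, "$", "_", "[" and "]" in the subject). Adding a character to a field is a one-line change to its pattern, which is the practical advantage of the allow-what-you-want approach over chasing individual bad characters.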
if they may post some text allow for = and $ too.
if you really want to be "tough"
You could check the IP range per country and disallow countries you do not want a relationship with.
By the same token, display their IP and log it in a DB so that, if needed, you can ban it.
Email
if you want, I have a decent regex that does the job well
and further I check if the email address is for real by using getmxrr()
Text: for short input like 2, 3 words
I first use strtolower() then finish with ucfirst() so it looks better
I'm finishing up, but I *did* want to mention something (for anyone else who comes along) - in names, you *should* also allow periods and apostrophes.
"Mike St. John" and "Mary O'Brien" are both valid names, and require apostrophes and/or periods. Just thought I'd add that in there.
As for my code... truly, the only one I'm concerned about at this point is the $subject field - the others are strictly checked already. I know I want to be allowing letters, numbers, commas, apostrophes, hyphens, quotation marks, ampersands, semi-colons and colons - but I'm wondering if I should also allow question marks, exclamation points and periods - perhaps parentheses?
I didn't know if that list would leave too much room to put in nasty stuff (I hope not, because when I move into the more complex form, I'll be needing that list, I think). Basically, the $subject field is what the end user types in, and it'll be inserted into the script code as whatever the subject for the email will be.
Do you think just allowing the characters mentioned above allows for too much freedom to do something bad? I can't think of anything - I'm leaving out $, <>, [], {}, and that kind of thing. Basically, I want the end user to have permission to format a complete sentence or question - but I don't want them to be able to insert code of any kind.
Register globals *is* off. I've never set a maximum length for a field before. The code I have is like so:
$maxlength = 60; // must be defined here in PHP; the input's maxlength attribute is not visible to the script

if ($subject != "") {
    // eregi() has been removed from current PHP; preg_match() with the i flag is the equivalent
    if (!preg_match("/^[-!&'a-z0-9?\".,;:()]+$/i", $subject)) {
        $subject_error = "1";
        $send = "no";
    } else {
        if (strlen($subject) > $maxlength) {
            $subject = substr($subject, 0, $maxlength);
        }
    }
}
I've also added "maxlength='60'" to the input field for the subject. I'm pretty sure that the $maxlength in the PHP is referring to the "maxlength" in the input field - but like I said, I'm not positive.
Is this correct, and if so, do you think 60 characters is too many?
you want to have the maxlength on fields be the same, or smaller, than the corresponding field in a database. You want to protect from overflow scenarios. I usually make them a couple characters shorter.
You would still need to check length no matter if the maxlength is there though.
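Following on from the last two replies, an added example that is not code from the thread: the length check done on the server regardless of the HTML maxlength attribute, and then the two places an accepted value ends up in this design, namely inside the generated PHP snippet (a PHP string literal, built with var_export() so quotes, dollar signs and backslashes stay inside the literal) and inside the HTML page that displays it (escaped with htmlspecialchars() so the browser shows the code instead of interpreting it). The field names, the 60-character limit and the sample submissions are assumptions for the example.

```php
<?php
// Added example, not code from the thread. Two points from the discussion:
// 1) maxlength on an <input> is only a hint to the browser, so the server
//    enforces the limit itself; 2) the accepted values are written into a
//    generated PHP snippet and shown on an HTML page, and each of those two
//    contexts needs its own escaping.

const SUBJECT_MAX = 60;   // assumed: same number as the maxlength attribute

// Returns null when $value fits, otherwise a message to send back to the user.
// strlen() counts bytes, which is what a mail header or file actually holds.
function check_length(string $value, int $max): ?string
{
    if ($value === '') {
        return 'is required';
    }
    if (strlen($value) > $max) {
        return "is too long (maximum $max characters)";
    }
    return null;
}

// Builds the snippet the visitor will copy and paste. var_export() emits a
// valid, fully quoted PHP string literal, so a ' or " or $ in the subject
// cannot end the literal early or change the meaning of the generated code.
function build_snippet(string $to, string $name, string $subject): string
{
    return "<?php\n"
        . '$to      = ' . var_export($to, true) . ";\n"
        . '$name    = ' . var_export($name, true) . ";\n"
        . '$subject = ' . var_export($subject, true) . ";\n";
}

// Wraps the snippet for display. htmlspecialchars() converts < > & " and '
// to entities, so the page shows the code rather than running markup from it.
function render_snippet_html(string $snippet): string
{
    return '<pre>' . htmlspecialchars($snippet, ENT_QUOTES, 'UTF-8') . "</pre>\n";
}

// Constructed submissions, as if they had already passed the character checks.
$submissions = [
    ['email' => 'webmaster@example.com', 'name' => "Mary O'Brien",
     'subject' => "Order form: \"quoted\" & it's fine"],
    ['email' => 'webmaster@example.com', 'name' => 'Mike St. John',
     'subject' => str_repeat('x', SUBJECT_MAX + 1)],   // over the limit
];

foreach ($submissions as $i => $s) {
    $problem = check_length($s['subject'], SUBJECT_MAX);
    if ($problem !== null) {
        echo "submission $i: subject $problem\n";   // back to the user to fix
        continue;
    }
    echo "submission $i:\n";
    echo render_snippet_html(build_snippet($s['email'], $s['name'], $s['subject']));
}
```

The first constructed subject passes the allowlist the thread settled on (it uses only letters, space, colon, quotation marks, an ampersand and an apostrophe) yet would break out of a naively concatenated `'$subject = '...'` line; var_export() keeps it inside the literal. The second is rejected outright rather than cut to 60 characters, in line with the advice earlier in the thread to send bad data back instead of fixing it.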