# do you try to break it yourself by faking header injection? If so how?

# do you have an automated programm that a spammer would use that tries to break it? If so did you build it yourself or did you find it online?

to answer both points will be a crime itself to leave sufficient information to teach one how to break openly even if he didn't know it before ;)

if you can check your server log then you can monitor the number of outgoing emails and that will give you a good idea if anything using your server resources to send their spams...

use a real captcha instead of a hardcoded question... the value should be an image, it should change randomly, take the values to the next page in sessions or cookies rather than a hidden form field...

do not allow user to mention TO field of MAIL and also I think that subject of the email should also be hard coded..

Tons of security could be added
A few years ago my forms were about a few lines long
Now they contains a few includes and are hundreds of line long :)

Check for well formed input:
is the email, URL, phone, ZIP etc formed as they are supposed to)
regex acceptable characters (EX: if phone #; NO Alpha Char)

Use eregi to check against terms such as DROP, UNLINK etc...

Disallow {}[] and whatever you need to

But the headaches comes when you need to filter but
need to allow for pasting from MS :)

Important is to use strlen() for defining an acceptable STR LENGTH corresponding to your DB field
minus 1 or 2 char(As per Jatar_k)

I check also for vulgar/bad words

Next I am also concerned with the user location

So I checked its IP (I disallow IP range from a few countries depending on a client specific needs) and also upon Countries well known for spam and worst.if the user is required to post its email address, I fully check it
And use also getmxrr()

If a DN is posted I modified a DN availability checker to verify if the DN exists or if it is a faked one

<edit>
Keep adding
</edit>

if you do some searching you can find examples of header/sql injection and all kinds of hacks, I don't think we can post any of those sites but they are around.

You can use some of these patterns to test.

mainly if you are very strict about what chars you let through and don't try to fix any user data, just spit it back at them, then you will do pretty well.

I use a custom log for most validation so that I can see what people are enteing and what passes and fails, this helps to better profile your validation routines.

Thanks for all your answers so far

>phparion - I will check to see if I have access to server logs re mail

use a real captcha instead of a hardcoded question... the value should be an image, it should change randomly, take the values to the next page in sessions or cookies rather than a hidden form field...

I have chosen to use hard coded because I found captchas quite hard to read (well that's what's they're for) - the result of the calculation is hashed and put in a session var.

subject of the email should also be hard coded..

Subject is currently hard coded.

>henry0

A few years ago my forms were about a few lines long. Now they contains a few includes and are hundreds of line long happy!

I know what you mean my current checking script is 150+ lines long, but my form is very simple (a dozen fields)

Check for well formed input:
is the email, URL, phone, ZIP etc formed as they are supposed to) regex acceptable characters (EX: if phone #; NO Alpha Char)

Yes that's what I did for the variables I knew the format of (like phone and email) and I used a restrictive check (switch) for all the known values of variables.

I just mail this script at the moment but might end up with a db so thanks for the db related advices.

Disallow {}[] and whatever you need to

I use htmlentities to further 'clean' all the data once it's passed the initial checks.

Next I am also concerned with the user location
So I checked its IP (I disallow IP range from a few countries depending on a client specific needs) and also upon Countries well known for spam and worst.if the user is required to post its email address, I fully check it

If the form get abused, I will move on to that - I send the IP address along with each succesfull mail

>jatar_k

mainly if you are very strict about what chars you let through and don't try to fix any user data, just spit it back at them, then you will do pretty well.

Yep I do that ... I think

I use a custom log for most validation so that I can see what people are enteing and what passes and fails, this helps to better profile your validation routines.

I'd love to hear more about that.

ps. could a mod fix the url in my original post the . at the end went into the url and causes an error

custom log

just make a log file somewhere and for each failure you can log what part of your tests the data failed and what data was submitted by the user. You can log the full raw data that passed as well, though I usually only keep this on for a little while as it can create some huge logs in a hurry.

This can also help you better understand user behaviour.

custom log

Wow, that's one of those things that's so obvious it's obscure. I've got a site that relies heavily on multi-page forms for account creation.

A log script of rejected input would no doubt help me to improve conversions and user experience.

Thanks jatar_k!