You can make a list of characters, such as [a-zA-Z0-9_.@] and reject all messages containing any others in the to/from/reply-to/cc/bcc headers. Check to make sure you don't find those reply-to/cc/bcc headers if your form does not ask for them and/or create them. And check to make sure there are no newlines in any of the expected headers, either, as this is an easy way to abuse forms. Then filter the message body as well, with a somewhat-more-permissive list of acceptable characters.
Jim
I'm a newbie at PHP and used David Powers' (PHP for DW8) to code the form. I've had no problems with the forms in the past and I think the book is great, but this time the client insisted on a From: and Reply-to: for his form, which involved me implementing the Additional Headers.
All other things being equal, is that likely to be the source of the problem?
You should check the number of @ signs in your TO field before sending email; it must be one. You should check it for BCC and CC also if you have those in your form.
Additionally, you should check your mail logs to check the number of outgoing emails, and ONE MORE THING you must check is whether it is really your form causing the extra outgoing emails or some other script on your server, because sometimes spammers succeed in throwing a script on your server which helps them send emails, especially in case you are using WordPress kind of software.
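The checks suggested in the replies above (character allowlist, no newlines, exactly one @, no stray reply-to/cc/bcc text, a more permissive body filter) combined into one handler, as an added example that is not code from the thread or from the book mentioned. The field names `email`, `subject` and `message`, the fixed recipient and the ASCII-only body rule are assumptions.

```php
<?php
// Added example; field names and the fixed recipient are assumptions.
const RECIPIENT = 'owner@example.com';   // hard-coded, never taken from the form

/** One address for From:/Reply-To: allowlisted characters, exactly one @. */
function is_safe_address(string $v): bool
{
    // \A...\z instead of ^...$ so a trailing "\n" cannot slip past the match.
    return preg_match('/\A[a-zA-Z0-9_.@]+\z/', $v) === 1
        && substr_count($v, '@') === 1;
}

/** Single-line header text (subject): no CR/LF, no embedded header names. */
function is_safe_header_text(string $v): bool
{
    return preg_match('/[\r\n]/', $v) === 0
        && preg_match('/\b(?:reply-to|cc|bcc)\s*:/i', $v) === 0;
}

/** Body: printable ASCII plus tab/CR/LF (the more permissive list). */
function is_safe_body(string $v): bool
{
    return preg_match('/\A[\x20-\x7E\t\r\n]*\z/', $v) === 1;
}

/** Returns [headers, errors]; headers is null when anything was rejected. */
function build_headers(array $post): array
{
    $errors = [];
    foreach (['email', 'subject', 'message'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) $errors[] = "$f missing";
    }
    if ($errors) return [null, $errors];
    if (!is_safe_address($post['email']))       $errors[] = 'email rejected';
    if (!is_safe_header_text($post['subject'])) $errors[] = 'subject rejected';
    if (!is_safe_body($post['message']))        $errors[] = 'message rejected';
    if ($errors) return [null, $errors];
    return ["From: {$post['email']}\r\nReply-To: {$post['email']}", []];
}

// Constructed inputs: one ordinary submission, one with an extra header in the email field.
$samples = [
    ['email' => 'visitor@example.com', 'subject' => 'Quote', 'message' => "Hi,\nplease call."],
    ['email' => "visitor@example.com\r\nBcc: list@example.net", 'subject' => 'Quote', 'message' => 'Hi'],
];
foreach ($samples as $post) {
    [$headers, $errors] = build_headers($post);
    echo $headers === null ? 'REJECT: ' . implode(', ', $errors) : "OK:\n$headers", "\n";
    // On OK a real handler would call: mail(RECIPIENT, $post['subject'], $post['message'], $headers);
}
```

Rejected submissions are worth logging with the source IP and timestamp, so they can be compared against the outgoing counts in the mail logs.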