StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POIn securing simple email contact form
text
Body
copied!<p>I have very basic PHP skills. As it stands, I'm trying to "reverse" engineer a contact form I found line that has some level security (I truthfully don't know how good it is). I think I got it, it works, but I just thought maybe some of you more experience in php can glance it over and see if it's actually still secure.</p> <p>As I said, I reverse engineered it, so I don't know if I broke the security, but it does work just fine. As you can see it's pretty basic. I've been reading a lot and learning about what everything does, just worried about ordering and redundancy (want to avoid it if necessary)... basically anything I can do to clean it up as much as I can.</p> <p>Code below:</p> <pre><code><?php $to='my@mail.com'; $sender=stripslashes($_POST['sender']); $email=stripslashes($_POST['email']); $subject=stripslashes($_POST['subject']); $message=stripslashes($_POST['message']); $body= "Greetings,\n\n$message\n\n$sender" . "\n" ; $displayForm=true; if ($_POST){ $sender=($_POST['sender']); $email=($_POST['email']); $subject=($_POST['subject']); $message=($_POST['message']); $valid=eregi('^([0-9a-z]+[-._+&])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$',$email); $crack=eregi("(\r|\n)(to:|from:|cc:|bcc:)",$sender); $crack=eregi("(\r|\n)(to:|from:|cc:|bcc:)",$message); if ($sender && $email && $message && $valid && !$crack){ if (mail($to,$subject,$body,'From: '.$email."\r\n")){ $displayForm=false; ?> <div>Your message has been sent successfully. Thank you for contacting us.</div> <?php echo '<p>'.htmlspecialchars($message).'</p>'; }else { ?> <div>Your message could not be sent due to a system error. We apologize for any inconvenience.</div> <?php } }else if ($crack){ ?> <div>Your message contained one or more anomalies, indicative of malicious content. Please consider revising your wicked ways.</div> <?php }else { ?> <div>You failed to complete a required field, or to provide a valid email address.</div> <?php } } if ($displayForm){ ?> <form action="./" method="post"> <div class="contact-border"><input class="contact-textbox" type="text" name="sender" id="sender" tabindex="1" value="<?php echo htmlspecialchars($sender); ?>" /> <strong> Name</strong></div> <div class="contact-border"><input class="contact-textbox" type="text" name="email" id="email" tabindex="2" value="<?php echo htmlspecialchars($email); ?>" /> <strong> Email Address</strong></div> <div class="contact-border-noreq"><input class="contact-textbox-noreq" type="text" name="subject" id="subject" tabindex="3" value="<?php echo htmlspecialchars($subject); ?>" /> <strong> Subject (optional)</strong></div> <div class="contact-border"><textarea class="contact-textbox" name="message" id="message" cols="90" rows="15" tabindex="4" ><?php echo htmlspecialchars($message); ?></textarea></div> <div><input class="submit-button" type="submit" value="Submit" name="submit" /></div> </form> <?php } ?> </code></pre>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload