
[LUG]Re: submit-message form on website


Hi Rich,

PHP web to email forms have a long and murky history - not helped by one of the most popular early ones being very easy to manipulate - and it was! I've no doubt it's still out there in many places and acting as an open relay for thousands of badly intentioned people. I certainly see bots searching for it on my web servers.

The technical side of writing a web form is really very easy; PHP has email built in after all, or you can use a local or remote SMTP server to send it.

Follow a few basic rules, and ensure you read up on PHP and web security first (there's lots of good guides out there so I won't repeat them badly here).

DO: Sanitise input.
DO: Hardcode the "To" address, always, to stop it being used as an open gateway.

It will be abused, of course, and almost instantly. Bots are crawling html constantly for any form elements and will try to send spam through them. Why not, it costs them nothing?

But generally - as with all things security - you can never be totally secure. If you have doubts, don't do it, or use one of the many freely available webforms, even if they're commercially operated.

(The first example on your link is horrible - even if just because it doesn't hardcode the from. The first replier has fixed that.)

On Sun, 2 Jul 2023 at 00:27, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
Hello all

I found suggested code here:
https://stackoverflow.com/questions/18379238/send-email-with-php-from-html-form-on-submit-with-the-same-script

I copied the coupled html-forms code and PHP code into the two
respective files.
With due edits for my individual details.

It seems to work perfectly.

Anyone comment how
* secure
* etc.
this is?

Best wishes,
Rich Smith

--
The Mailing List for the Devon & Cornwall LUG
FAQ: https://www.dcglug.org.uk/faq/
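As an added illustration of the two rules in the reply above (sanitise input, hardcode the "To" address), and not code from the thread or the linked Stack Overflow answer, here is a minimal PHP handler for such a form. The field names, addresses and length limits are assumptions; the key points are that the recipient and From are constants, CR/LF are stripped from anything that reaches a header, and the visitor's address is validated and used only as Reply-To.

```php
<?php
// Added example, not code from the thread: a minimal PHP contact-form handler that
// applies the two rules from the reply. Field names, addresses and limits are assumed.
declare(strict_types=1);

const CONTACT_TO   = 'webmaster@example.org'; // hardcoded: never read from the request
const CONTACT_FROM = 'noreply@example.org';   // hardcoded From; visitor only gets Reply-To

// Return a POST field as a string, or '' if missing or not a plain string (e.g. field[]=).
function post_string(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Strip CR, LF and NUL so a field can never start a new mail header, then cap its length.
function clean_header_value(string $value, int $max = 200): string
{
    $value = str_replace(["\r", "\n", "\0"], '', $value);
    return substr(trim($value), 0, $max);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$name    = clean_header_value(post_string('name'));
$email   = clean_header_value(post_string('email'));
$message = trim(post_string('message'));

// The visitor's address is validated and used only as Reply-To, never as To or From.
if ($name === '' || $message === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid input');
}
if (strlen($message) > 5000) {
    http_response_code(400);
    exit('Message too long');
}

$body    = "Name: {$name}\nEmail: {$email}\n\n{$message}";
$headers = [
    'From: ' . CONTACT_FROM,
    'Reply-To: ' . $email,
    'Content-Type: text/plain; charset=UTF-8',
];

// Fixed subject, fixed recipient: nothing the visitor sends reaches a header unchecked.
$sent = mail(CONTACT_TO, 'Website contact form', $body, implode("\r\n", $headers));
echo $sent ? 'Thanks, your message was sent.' : 'Sorry, the message could not be sent.';
```

Bots will still post to it, so rate limiting or a CAPTCHA on the form is the usual next step; the handler above only ensures the form cannot be turned into an open relay.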