D&C GLug - Home Page


[LUG]Re: submit-message form on website


Hi Rich,

Only have time for a cursory read, but it... looks okay? (Disclaimer: Not a php coder, I just script with it and a few other languages. Perl is more my thing.)

You're right that you don't need to worry about sql injection if you're not using sql. As you're not passing any user strings through to the shell, that shouldn't be an issue either.

Using php's internal email handling and functions seems best for security and speed.

Only observation I've got is that FILTER_SANITIZE_STRING is flagged as 'deprecated' and to use htmlspecialchars instead - so that means it won't keep working forever as php gets upgraded.

Reference: https://www.php.net/manual/en/filter.filters.sanitize.php

On Thu, 6 Jul 2023 at 13:55, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
Hello Simon, all

Thanks for your message.
After many hours of studying, I have written this PHP code.
Significantly of my own doing on the basis of web-searching.

As you will see:
I've written in code which checks what's submitted from the "forms".
Also put size limits to prevent "denial of service" attacks filling up
my webhosting quota.

vvvvvvvv mail_handler.php vvvvvvvv

<?php
if(isset($_POST['submit'])){
    $to = "ME@xxxxxxxxxxx"; // this is your Email address
    // handle supplied email...
    $sf_from = filter_var(trim($_POST['email']), FILTER_SANITIZE_EMAIL);
    if(strlen($sf_from) > 64){
        echo "Use a briefer email addr";
        exit(0);
    }
    if (!filter_var($sf_from, FILTER_VALIDATE_EMAIL)) {
        echo("$sf_from is not a valid email address.  You might be able to Browser-back, correct and re-submit");
        exit(0);
    }
    // handle supplied name...
    $sf_name = filter_var(trim($_POST['submitter_name']), FILTER_SANITIZE_STRING);
    if(strlen($sf_name) > 64){
        echo "Use a briefer name";
        exit(0);
    }
    // handle the submitted message...
    $sf_message = filter_var(trim($_POST['message']), FILTER_SANITIZE_STRING);
    if(strlen($sf_message) > 2000){
        exit("Submit a briefer message");
    }
    // DEBUG // echo $to . " " . $sf_from . " " . $sf_name . " " . $sf_message;
    // this is assembling what's passed to mail()...
    $subject = "Form submission";
    $message = $sf_name . " at " . $sf_from . "\n\n" . " wrote the following:" . "\n\n" . $sf_message;
    $headers = "From:" . $sf_from;
    mail($to,$subject,$message,$headers);
    // echo "Mail Sent. Thank you " . $sf_name . ", I will contact you shortly.";
    header('Location: thanks_fsub.html');
    // You cannot use header and echo together. It's one or the other.
}
?>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I have done the best I can (not any professional's grade) to crash it.
So far so good.
As nothing is going into a database (SQL, "injection" and all that),
this is not a particularly "hazardous" application of "forms" and PHP?

Insignificant/no changes elsewhere.

To be seen at
http://weldsmith.co.uk/contactform/contact.html

How am I doing now?

Regards,
Rich Smith




> On 5 Jul 2023, at 21:28, Simon Avery <digdilem@xxxxxxxxx> wrote:
>
> Hi Rich,
>
> PHP web to email forms have a long and murky history - not helped by one of the most popular early ones being very easy to manipulate - and it was! I've no doubt it's still out there in many places and acting as an open relay for thousands of badly intentioned people. I certainly see bots searching for it on my web servers.
>
> The technical side of writing a web form is really very easy, php has email built-in after all, or you can use a local or remote smtp server to send it.
>
> Follow a few basic rules, and ensure you read up on php and web security first (there's lots of good guides out there so I won't repeat them badly here)
>
> DO: Sanitise input.
> DO: Hardcode the "To" address, always, to stop it being used as an open gateway.
>
> It will be abused, of course, and almost instantly. Bots are crawling html constantly for any form elements and will try to send spam through them. Why not, it costs them nothing?
>
> But generally - as with all things security - you can never be totally secure. If you have doubts, don't do it, or use one of the many freely available webforms,  even if they're commercially operated.
>
> (The first example on your link is horrible - even if just because it doesn't hardcode the from. The first replier has fixed that.)
>
> On Sun, 2 Jul 2023 at 00:27, rds_met <dcglug@xxxxxxxxxxxxxxx> wrote:
> Hello all
>
> I found suggested code here:
> https://stackoverflow.com/questions/18379238/send-email-with-php-from-html-form-on-submit-with-the-same-script
>
> I copied the coupled html-forms code and PHP code into the two
> respective files.
> With due edits for my individual details.
>
> It seems to work perfectly.
>
> Anyone comment how
> * secure
> * etc.
> this is?
>
> Best wishes,
> Rich Smith
>
> --
> The Mailing List for the Devon & Cornwall LUG
> FAQ: https://www.dcglug.org.uk/faq/

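Pulling together the two points raised in this thread (Simon's rule to hardcode the "To" address, and his note that FILTER_SANITIZE_STRING is deprecated in favour of htmlspecialchars) against the mail_handler.php Rich posted above, here is an added example of a hardened version of the same handler. It is not code from either poster or from the list. It assumes the same three POST field names (email, submitter_name, message), the same thanks_fsub.html redirect page, and two placeholder addresses (TO_ADDRESS and FROM_ADDRESS) that you would replace with your own.

```php
<?php
// Added example, not the handler posted in the thread: a hardened variant of the
// same contact-form script. Assumes the same POST fields (email, submitter_name,
// message) and the same thanks_fsub.html page; the two addresses are placeholders.
declare(strict_types=1);

const TO_ADDRESS   = 'ME@example.invalid';      // placeholder: hardcoded recipient
const FROM_ADDRESS = 'webform@example.invalid'; // placeholder: an address your host sends as
const MAX_EMAIL   = 64;
const MAX_NAME    = 64;
const MAX_MESSAGE = 2000; // byte limits as in the original, to cap what reaches the mailbox

// Return a trimmed, length-limited POST field, or null if missing, empty or too long.
function field(array $post, string $key, int $max): ?string
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = trim($post[$key]);
    if ($value === '' || strlen($value) > $max) {
        return null;
    }
    return $value;
}

// Anything placed in a mail header must not contain CR or LF; otherwise the
// submitter could append headers of their own (Bcc:, Cc:, ...).
function headerSafe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Validate the three fields. Returns [ok, errorMessage, name, email, message].
function validate(array $post): array
{
    $email = field($post, 'email', MAX_EMAIL);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false || !headerSafe($email)) {
        return [false, 'Please supply a valid email address of 64 characters or fewer.', null, null, null];
    }
    $name = field($post, 'submitter_name', MAX_NAME);
    if ($name === null) {
        return [false, 'Please supply a name of 64 characters or fewer.', null, null, null];
    }
    $message = field($post, 'message', MAX_MESSAGE);
    if ($message === null) {
        return [false, 'Please supply a message of 2000 characters or fewer.', null, null, null];
    }
    return [true, '', $name, $email, $message];
}

// Build the mail() arguments. From: is our own address so the receiving side's
// SPF/DMARC checks pass; the submitter's address goes in Reply-To: instead.
// The body is text/plain, so no HTML escaping is applied to it.
function buildMail(string $name, string $email, string $message): array
{
    $subject = 'Form submission';
    $body    = $name . ' at ' . $email . "\n\nwrote the following:\n\n" . $message;
    $headers = 'From: ' . FROM_ADDRESS . "\r\n"
             . 'Reply-To: ' . $email . "\r\n"
             . 'Content-Type: text/plain; charset=UTF-8';
    return [TO_ADDRESS, $subject, $body, $headers];
}

if (isset($_POST['submit'])) {
    [$ok, $error, $name, $email, $message] = validate($_POST);
    if (!$ok) {
        // The error is echoed into an HTML page, so escape it with
        // htmlspecialchars (the manual's replacement for FILTER_SANITIZE_STRING).
        http_response_code(400);
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
        exit;
    }
    [$to, $subject, $body, $headers] = buildMail($name, $email, $message);
    if (!mail($to, $subject, $body, $headers)) {
        http_response_code(500);
        echo 'Sorry, the message could not be sent.';
        exit;
    }
    header('Location: thanks_fsub.html');
    exit; // stop here: nothing may be echoed after a redirect header
}
```

Two design choices worth spelling out. First, htmlspecialchars is an output encoding for text that lands in an HTML page, which is why it is applied only to the echoed error and not to the email body, which is sent as text/plain. Second, the only user-controlled value that reaches a mail header is the validated address in Reply-To; FILTER_VALIDATE_EMAIL already rejects line breaks, and the explicit CR/LF check on top of it is belt and braces against header injection. Putting your own address in From: rather than the submitter's also avoids the message being rejected by SPF/DMARC checks at the receiving end.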