What to insert into PHP form to help prevent hacking

Bobboz
I am new to PHP.
I am using Apache for Windows and PHP 5.
I have set up a Contact form and I want to make it safer.
Below is the file.
I have read where it is easy to hack because of carriage return, etc.
What and where should I insert code to help prevent this?

We will use the PHP to send our form results through an email.
<?php
//--------------------------Set these parameters--------------------------

// Subject of email sent to you.
$subject = 'Results from Contact form';

// Your email address. This is where the form information will be sent.
$emailadd = 'xxxx@xxxxx.com';

// Where to redirect after form is processed.
$url = 'http://www.zzz.com';

// Makes all fields required. If set to '1' no field can be empty. If set to '0' any or all fields can be empty.
$req = '0';

// --------------------------Do not edit below this line--------------------------
$text = "Results from form:\n\n";
$space = ' ';
$line = "\n"; // line break placed between fields in the message body
foreach ($_POST as $key => $value)
{
    if ($req == '1')
    {
        if ($value == '')
        {echo "$key is empty"; die;}
    }
    // Field names of 20 characters or more are rejected.
    $j = strlen($key);
    if ($j >= 20)
    {echo "Name of form element $key cannot be longer than 20 characters"; die;}
    // Pad the field name so that every value starts in the same column.
    $j = 20 - $j;
    for ($i = 1; $i <= $j; $i++)
    {$space .= ' ';}
    // Single-quoted '\n' is the two-character sequence backslash-n, not a real
    // newline, so this turns a typed "\n" into a line break; real newlines in
    // the value pass through unchanged.
    $value = str_replace('\n', "$line", $value);
    $conc = "{$key}:$space{$value}$line";
    $text .= $conc;
    $space = ' ';
}
// Field values only ever reach the message body; the headers use $emailadd.
mail($emailadd, $subject, $text, 'From: '.$emailadd);
echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
?>

Thanks
Bob

Use a captcha to help protect from spamming.
In this form you:
Don't use HTML mail,
don't use user input for headers,
don't use user input for the email address.

By sending the mail in plain text the user cannot do anything harmful in your form other than spamming.

Author

Commented:
Thanks for the quick answers.
Remember that I am very new to this stuff.
I do not understand your answer.
What I would like is to be shown how to change this to work safely.
Thanks
Bob

Author

Commented:
I found this code as a part solution, but I really do not know where to put it in the code. And I do not know what it does.
If this is acceptable - How do I code "direct user to an error page and quit"?

if ( preg_match( "/[\r\n]/", $name ) || preg_match( "/[\r\n]/", $email ) ) {

      [... direct user to an error page and quit ...]

}

Bob
This will check for the syntax of the email,
check captcha; it's what you want.
Dear Bob,

The code you currently have does not give any security issues.

The code you posted in your last comment is only useful when you use the input from the user (e.g. something that is entered in a textbox in your form) as To address or in the headers. This is not the case in your code, so you do not need that.

A captcha is not required for security, but it will prevent users from sending the form with a bot (an automated client that fills forms with commercials/malicious links).

But remember, the captcha is optional. If you do not receive any or only limited spam from your form it is not required.

An easy implementation of a captcha is Securimage.
You can download it at:
http://www.phpcaptcha.org/download/

and you can find an implementation guide here:
http://www.phpcaptcha.org/documentation/quickstart/


On a different note, I would advise you to use "header('Location: http://www.example.com')" for the redirect.

see the modified code below

<?php
//--------------------------Set these parameters--------------------------

// Subject of email sent to you.
$subject = 'Results from Contact form';

// Your email address. This is where the form information will be sent.
$emailadd = 'xxxx@xxxxx.com';

// Where to redirect after form is processed.
$url = 'http://www.zzz.com';

// Makes all fields required. If set to '1' no field can be empty. If set to '0' any or all fields can be empty.
$req = '0';

// --------------------------Do not edit below this line--------------------------
$text = "Results from form:\n\n";
$space = ' ';
$line = "\n"; // line break placed between fields in the message body
foreach ($_POST as $key => $value)
{
    if ($req == '1')
    {
        if ($value == '')
        {
            echo "$key is empty";
            exit();
        }
    }
    // Field names of 20 characters or more are rejected.
    $j = strlen($key);
    if ($j >= 20)
    {
        echo "Name of form element $key cannot be longer than 20 characters";
        exit();
    }
    // Pad the field name so that every value starts in the same column.
    $j = 20 - $j;
    for ($i = 1; $i <= $j; $i++)
    {
        $space .= ' ';
    }
    // Single-quoted '\n' is the two-character sequence backslash-n, not a real
    // newline, so this turns a typed "\n" into a line break.
    $value = str_replace('\n', "$line", $value);
    $conc = "{$key}:$space{$value}$line";
    $text .= $conc;
    $space = ' ';
}
// Field values only ever reach the message body; the headers use $emailadd.
mail($emailadd, $subject, $text, 'From: '.$emailadd);

// header() must be sent before any output; the error branches above exit
// before reaching this point, so nothing has been echoed on the success path.
header("Location: ".$url);
?>

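The two expert replies above (keep user input out of the To address and the headers; the `preg_match("/[\r\n]/", ...)` check with "direct user to an error page and quit") combined into one added example. This is not code from the question or from the experts' replies. It assumes a form with `name` and `email` fields, an error page at the hypothetical `$errorUrl`, and the helper names below, all of which are made up for this illustration; it goes one step beyond the thread by showing how a user-supplied address can be placed in a Reply-To header once it has passed the check.

```php
<?php
// Added example (not the poster's or the experts' code). Every header value
// is either a constant from this file or a user value that passed a CR/LF
// and e-mail syntax check; user text otherwise only reaches the plain-text body.

$emailadd    = 'xxxx@xxxxx.com';               // destination address, never from the form
$subject     = 'Results from Contact form';    // constant: a subject is a header too
$thankYouUrl = 'http://www.zzz.com';           // redirect from the original form
$errorUrl    = 'http://www.zzz.com/error.html'; // assumed error page (placeholder)

// True when the value contains a carriage return or line feed. mail() joins
// header lines with CRLF, so a CR/LF inside a header value would let the
// sender start a new header line; this is the check from the snippet above.
function containsCrlf($value)
{
    return preg_match("/[\r\n]/", $value) === 1;
}

// Accept a form address for a Reply-To header only if it has no line breaks
// and parses as a single e-mail address; otherwise return null.
function safeReplyTo($value)
{
    $value = trim($value);
    if (containsCrlf($value)) {
        return null;
    }
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// "Direct user to an error page and quit": send a redirect and stop.
// header() must be called before any output, so nothing is echoed first.
function failToErrorPage($errorUrl)
{
    header('Location: ' . $errorUrl);
    exit();
}

// Build the plain-text body. Line breaks in the body are harmless because
// mail() separates the body from the headers itself.
function buildBody(array $fields)
{
    $text = "Results from form:\n\n";
    foreach ($fields as $key => $value) {
        if (strlen($key) >= 20) {
            return null; // keep the original 20-character limit on field names
        }
        $text .= str_pad($key . ':', 21) . $value . "\n";
    }
    return $text;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $replyTo = isset($_POST['email']) ? safeReplyTo($_POST['email']) : null;
    $body    = buildBody($_POST);
    if ($replyTo === null || $body === null) {
        failToErrorPage($errorUrl);
    }
    // Headers: our own address plus the validated Reply-To, nothing else.
    $headers = "From: $emailadd\r\nReply-To: $replyTo";
    mail($emailadd, $subject, $body, $headers);
    header('Location: ' . $thankYouUrl);
    exit();
}
```

A constructed input such as `"bob@example.com\r\nX-Test: injected"` is rejected by `safeReplyTo()` (the CR/LF check fires before `filter_var()` even runs), while `"bob@example.com"` is accepted; the same value typed into the message body would simply appear as text in the e-mail.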

Author

Commented:
Everyone has been great.
I did install captcha before the last comment.
It seems to be working - but......
I discovered that all I have to do is hit "enter" and the form gets sent.
I can fill in the wrong captcha words - hit "enter" not "submit" - and the form is on its way.
Is this normal?
Bob

Author

Commented:
Sorry - Now the enter button does not send out the form.
I did watch it happen 2 times in a row though.
I swear  (yea-right!)
Bob

Author

Commented:
Investing in EE is a great investment.
You people are fast.
You people are accurate.
--And--you do not talk "down" to newbys.
Thanks
