Menu
Community /Pin to ProfileBookmark
@NogDogJul 03.2015 — #While item #2 is a nice UI feature, you still need to validate that the fields are filled in on the PHP side, since JavaScript validation is easily bypassed by malicious users -- or simply someone who feels inclined to browse with JavaScript disabled.
Also, be careful with email validation regexes -- I've seen way to many of them out there that will reject addresses which are, in fact, valid formats. (I tend to assume that the user knows his/her email address -- besides which they can enter a non-existent or incorrect email address that matches the pattern, so not a whole lot is gained by overly-aggressive pattern-checking.)
Lastly, you might want to add some CSRF protection, typically by generating a random token stored in $_SESSION and put in a type=hidden field, which must match the session value before the form will be processed. @NogDogJul 03.2015 — #I may have misinterpreted what you meant about the email validation.
One of the simplest ways to protect against email header injection is to simply not allow (or strip out) carriage return and newline characters. If you also want to validate the format, I might instead just use PHP's filter_var() function with the FILTER_VALIDATE_EMAIL filter, and let it take care of verifying both format and safety (since newlines and such would not be valid in an email address). @NogDogJul 03.2015 — #I think the "honeypot" idea is that it looks like a field to be entered to a bot script, but since it's hidden via CSS, a normal "human" user would never fill it in. I suppose its effectiveness will depend on how smart the bot is, and you have to weigh it against the possibility that some legitimate users might still see the field (maybe a text-to-speach system for the vision-impaired?).
Securing PHP form: Is this enough?
I have created a php contact form. Tried to keep it lightweight. I have a separate html contact page and then a separate php form that runs the script. So here it is:-
1) I have 4 required fields (name, email, phone, message) & 1 hidden honeypot field for spam prevention
2) All the 4 required fields have on-page jQuery validation for the user. The form won’t submit if the fields are not filled in.
3) I have if (empty code in the php to ensure that the email will not be sent if the honeypot field is filled.
3) I have a !preg match function in the php script to prevent email injection via the email field.
What else do I really need to add to be secure or is this enough for a simple form? I know some people go to all sorts of lengths to try to prevent abuse and some of the scripts I’ve seen are huge. I’m trying to keep things lightweight and simple as possible. Any advice?
Sign in
to post a comment9 Comments(s) ↴
0
@NogDogJul 03.2015 — #Also, be careful with email validation regexes -- I've seen way to many of them out there that will reject addresses which are, in fact, valid formats. (I tend to assume that the user knows his/her email address -- besides which they can enter a non-existent or incorrect email address that matches the pattern, so not a whole lot is gained by overly-aggressive pattern-checking.)
Lastly, you might want to add some CSRF protection, typically by generating a random token stored in $_SESSION and put in a type=hidden field, which must match the session value before the form will be processed.
0
@NogDogJul 03.2015 — #One of the simplest ways to protect against email header injection is to simply not allow (or strip out) carriage return and newline characters. If you also want to validate the format, I might instead just use PHP's filter_var() function with the FILTER_VALIDATE_EMAIL filter, and let it take care of verifying both format and safety (since newlines and such would not be valid in an email address).
0
@NogDogJul 03.2015 — #