I am working on some forms and want to get advice on how to properly make a form secure against hackers, spam, etc. Also I want to know how to correctly send this form data in an e-mail (an attachment will also be sent so I am using enctype as multiform/form-data).

For simplicity, let's say I have only 1 field in the form.

    <form method="post" enctype="multipart/form-data">
        Address: <input type="text" name="user-address" value="<?php echo $_POST['user-address']; ?>" />
        <input type="submit" value="Submit" />
    </form>

Now, what are the steps I need to do in order to make sure the user input is safe? For example, I know I can do trim() and also check if the 'user-address' (in $_POST) is empty or not. But what else should I do? I've been seeing stuff about htmlentities() and htmlspecialchars() and that has me confused. Should I be using those? What about stripslashes()?

After making sure the input is safe, I want to send an e-mail (using PHPMailer) of what the user inputted in the body. What I have been noticing is that if a user enters a single or double quote, something like &#34 ; shows up in the e-mail body instead of the actual character. Is this because the email is sent as PLAIN TEXT? I want it to be sent as plain text though because that's all it needs to be with the form fields I have. So I used html_entity_decode(..., ENT_QUOTES) on $_POST['user-address'] and that made it work. I am not sure if that is the correct approach or if that poses a security risk of some sort, however.

    $msg = "Address: " . html_entity_decode($_POST['user-address'], ENT_QUOTES);
    //send e-mail with attachment and $msg as body

MAIN POINTS: How can I make sure the simple form above is secure? And what do I do about single and double quote HTML entities being shown in the e-mail (assuming I want to send plain text e-mails)?

Thanks for the help!

  • possible duplicate of [Security considerations when creating an email form on the web](http://stackoverflow.com/questions/1027138/security-considerations-when-creating-an-email-form-on-the-web) –  Jan 13 '14 at 23:39

2 Answers

There are several things to look out for when trying to make user input safe. First of all, the htmlentities() strategy is leading you in the right direction. I had trouble with inputs myself and htmlentities() got the job done. If you want to keep the quotes unescaped, don't use the additional ENT_QUOTES parameter. Also, if you are going to use the input text anywhere in a database, apply the mysql_real_escape_string() function.

de_dux
  • mysql_real_escape_string() - don't use deprecated mysql, do validate the email address –  Jan 13 '14 at 23:50

First of all you should check if the email is valid in itself. There are many ways to do this with regex, or if you use a new version of PHP you could use the filter function. Here you can go further and make sure that the domain exists and responds to a ping/http call.

Hacking email forms requires the hacker to be able to overwrite the header of the email, so trim everything, but also remove all "\n" and "\t" since these can still be used to hack the header even if the text is trimmed. If you had a subject input, then it could be used to rewrite the header of the email. EX:

my email \n\t\n\tto:someone@somewhere.example\n\tbcc:spamlist\n\t\n\t subject

And the body can also be overwritten like that (not sure if that actually works, but I'm sure the principle is right).

Using htmlentities() is a good thing if you are sending a html email (content type set to email), otherwise you do not need it as long as you set the content-type of the email to plain text. If you want to make sure that no html is evaluated on the other side, just break the tags with a replace() from ">" to "&gt;" or simply remove them.

Another good practice is to add a captcha to your form; remember a robot can have multiple IP addresses, and it will send emails effortlessly.

Hope this helps.

lcornea
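The advice in the two answers (validate the address, keep newlines out of anything that reaches a mail header, and send the body as plain text instead of running it through htmlentities()) put together as one added example. This is not code from the question or either answer; "user-address" is the question's field name, while "user-email", "subject", the two mailbox addresses and the PHPMailer 6 wiring are assumptions.

```php
<?php
// Added example, not code from the question or either answer. "user-address" is
// the question's field; "user-email", "subject", the mailboxes and the PHPMailer
// wiring are assumptions. Validate on input, then escape per destination.

// Header values (Subject, Reply-To) must be one line: strip CR, LF and every
// other control character so an injected "\n" cannot start a new header.
function clean_header_value(string $value): string
{
    return trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
}

// Body text may keep tabs and newlines; normalise line ends, drop other controls.
function clean_body_text(string $value): string
{
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    return trim(preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $value));
}

// Accept only what filter_var() recognises as a mailbox; null means reject.
function validate_email(string $email): ?string
{
    $email = clean_header_value($email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Plain-text body: no htmlentities() here, so a quote stays a quote and no
// "&#34;" appears; the message's Content-Type, not escaping, makes it text.
function build_plain_body(array $post): ?string
{
    $address = clean_body_text($post['user-address'] ?? '');
    return ($address === '' || strlen($address) > 500) ? null : "Address: {$address}\n";
}

// Send with PHPMailer 6 (Composer autoload assumed); To and From are fixed.
function send_form_mail(array $post): bool
{
    $body  = build_plain_body($post);
    $reply = validate_email($post['user-email'] ?? '');
    if ($body === null || $reply === null) {
        return false;                                   // reject, do not "fix up"
    }
    $mail = new PHPMailer\PHPMailer\PHPMailer(true);
    $mail->isHTML(false);                               // Content-Type: text/plain
    $mail->setFrom('forms@example.com', 'Web form');
    $mail->addAddress('inbox@example.com');
    $mail->addReplyTo($reply);
    $mail->Subject = 'Web form: ' . clean_header_value($post['subject'] ?? '');
    $mail->Body    = $body;
    return $mail->send();
}
```

htmlspecialchars($value, ENT_QUOTES, 'UTF-8') is still the right call at the one place the value goes back into HTML, the form's value attribute; the uploaded file from the multipart form is attached with $mail->addAttachment() after checking its $_FILES error code.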