Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 8 of 8
  1. #1
    New Coder
    Join Date
    Sep 2012
    Posts
    26
    Thanks
    17
    Thanked 0 Times in 0 Posts

    Question PHP form sanitization help

    Hi,

    I am completely new to PHP.. and have been trying to build a webform for a website.

    I have set the form using HTML/CSS right and have added a JS script to validate it on the client side (it basically throws an error if the input isnt correct) on the website.

    But the issue is my PHP back-end form processor aint working right .. I think am getting XSS attacks .. and would like some help to edit my current PHP form.

    Can someone help me with it? The pHp code is below:
    Code:
    <?php
    $title = $_POST['title'];
    $name = $_POST['name'];
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $designation = $_POST ['jobt'];
    $company = $_POST['cname'];
    $event = $_POST['event'];
    $purpose = $_POST['purpose'];
    $message = $_POST['message'];
    $TandC = $_POST['TandC'];
    $formcontent=" From: \n Name: $title $name \n Email: $email \n Phone: $phone \n Designation: $designation \n Company: $company \n event: $event  \n Interested in being a: $purpose \n Message: $message";
    $recipient = "brochure@xyz.com";
    $subject = "Brochure Request";
    $mailheader = "From: $email \r\n";
    mail($recipient, $subject, $formcontent, $mailheader) or die("Error!");
    if (isset($_POST['email'])) {
    header("Location:thanks.html");
    }
    ?>

  • #2
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    I'm not surprised.. you've made no attempt to santize your data to protect against email injection. You could read the linked page and perhaps a little bit of googling/research.

    BTW Using die() is very common, but a poor practice. mail() returns false if there is an error:

    Code:
    if (mail($recipient, $subject, $formcontent, $mailheader) === false) {
        // echo an error message
    }
    bearing in mind that a return value of true does not mean that the email has been successfully sent or received (there is no way to check this programmatically).

    I include a simple question on the email form and check the answer - this is a straight-forward way to reduce the number of attacks.
    "I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
    Validate your HTML and CSS

  • Users who have thanked AndrewGSW for this post:

    codernoob (01-05-2013)

  • #3
    New Coder
    Join Date
    Sep 2012
    Posts
    26
    Thanks
    17
    Thanked 0 Times in 0 Posts
    I have made some changes to the code, can someone check and let me know if the changes i have made are good enough - atleast to a good extend - to stop xss attacks?

    Code:
    <?php
    $title = $_POST['title'];
    $name = $_POST['name'];
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $message = $_POST['message'];
    $dodgy_strings = array(
                    "content-type:"
                    ,"mime-version:"
                    ,"multipart/mixed"
                    ,"bcc:"
    );
    
    function is_valid_email($email) {
      return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
    }
    
    function contains_bad_str($str_to_test) {
      $bad_strings = array(
                    "content-type:"
                    ,"mime-version:"
                    ,"multipart/mixed"
    		,"Content-Transfer-Encoding:"
                    ,"bcc:"
    		,"cc:"
    		,"to:"
      );
      
      foreach($bad_strings as $bad_string) {
        if(eregi($bad_string, strtolower($str_to_test))) {
          echo "$bad_string found. Suspected injection attempt - mail not being sent.";
          exit;
        }
      }
    }
    
    function contains_newlines($str_to_test) {
       if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
         echo "newline found in $str_to_test. Suspected injection attempt - mail not being sent.";
         exit;
       }
    } 
    
    if($_SERVER['REQUEST_METHOD'] != "POST"){
       echo("Unauthorized attempt to access page.");
       exit;
    }
    
    if (!is_valid_email($email)) {
      echo 'Invalid email submitted - mail not being sent.';
      exit;
    }
    
    contains_bad_str($email);
    contains_bad_str($name);
    contains_bad_str($phone);
    contains_bad_str($message);
    
    contains_newlines($email);
    contains_newlines($subject);
    
    $formcontent=" From: \n $title $name \n Email: $email \n Phone: $phone \n Message: $message";
    $mailheader = "From: $email \r\n";
    $recipient = "queries@xyz.com";
    $subject = "Contact Form";
    mail($recipient, $subject, $formcontent, $mailheader);
    if (isset($_POST['email'])) {
    header('Location:thanks.html');
    }
    ?>

  • #4
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    335
    Thanks
    2
    Thanked 49 Times in 48 Posts
    For such, use tried and tested methods. Use PHPMailer or PEAR MAILER. Way more secure and easier to use.

  • Users who have thanked Redcoder for this post:

    codernoob (01-07-2013)

  • #5
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    Looks good to me. Just requires you to test it.
    "I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
    Validate your HTML and CSS

  • Users who have thanked AndrewGSW for this post:

    codernoob (01-07-2013)

  • #6
    New Coder
    Join Date
    Sep 2012
    Posts
    26
    Thanks
    17
    Thanked 0 Times in 0 Posts
    I checked and the form works, but it doesnt redirect to thanks.html page on submit..

    and suggestions why its happening?

  • #7
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    335
    Thanks
    2
    Thanked 49 Times in 48 Posts
    Does it give out any error?

    You should check also try echoing out $_POST['email'] just above the if(isset($)POST['email'] statement to check whether it has a value.

    Have this at the top of your script:
    PHP Code:
    <?php

    ob_start
    ();
    error_reporting(E_ALL);
    ini_set('display_errors''1');

    ?>
    and this at the very bottom:
    PHP Code:
    <?php

    ob_end_flush
    ();
    Then tell us what it displays.
    Last edited by Redcoder; 01-07-2013 at 04:51 PM.

  • Users who have thanked Redcoder for this post:

    codernoob (01-07-2013)

  • #8
    New Coder
    Join Date
    Sep 2012
    Posts
    26
    Thanks
    17
    Thanked 0 Times in 0 Posts
    Thank ya fellas,

    I fixed it with some slight changes
    Here is the code:

    Code:
    $formcontent=" From: \n $title $name \n Email: $email \n Phone: $phone \n Message: $message";
    $headers = 'From: '.$email."\r\n".
    'Reply-To: '.$email."\r\n" .
    'X-Mailer: PHP/' . phpversion();
    @mail($recipient, $subject, $formcontent, $headers);  
    {
    header('location:thanks.html');
    }
    ?>
    Cheers!


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •