  1. #1 adammc (SitePoint Guru, Cairns, Australia, joined Aug 2004)

    Validation of email form - message field

    Hi,

    I am creating a send to friend script and want to allow users to type in a personal message (text box).

    How should I best validate this to ensure the form isn't abused?

  2. #2 risoknop (SitePoint Guru, joined Feb 2008)
    If you don't want to allow HTML markup in the message then use htmlspecialchars() or htmlentities(). I would also set a minimum and maximum message length, something like 10 <= message length <= 3000. Finally I would use HTMLPurifier to clean the message.

    If the form is public and users don't need to be logged in in order to use it I would certainly also use captcha or some other human/machine test.

  3. #3 SitePoint Addict (joined Dec 2004)
    If you mean validating not only the text in the text box, but also the fields which are truly dangerous:
    1) From and Reply-To (as well as any other mail headers, if any), which allow mail injection if not validated properly
    2) Subject, which could also be abused for mail injection
    then you would certainly need validation. Otherwise spammers would send a lot of spam through your web form.

    Apart from checking the "To" address, the "From/Reply-To" address (you would need to use preg_match() to check the format) and the mail subject (remove all "\r" or "\n" characters from it with str_replace()), you would also need a CAPTCHA to prevent spammers from sending multiple e-mails by calling your form many times.

    All this is difficult to explain in 1 post. I would advise you to search Google for "Mail injections".

    Before continuing to work on the script, you must have an absolutely clear understanding of what mail injections are. They are very dangerous. Not only you, but in the case of virtual servers the whole network, could be blacklisted for spam after a successful attack against your mail form.

    Also, from my point of view, a good CAPTCHA is an absolute "must have" for "send to friend" web forms.
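    The checks from posts #2 and #3 put together, as an added example that is not code from the thread: address format checking, CR/LF removal from the subject, and the length bounds. The function name, field names and the example.com addresses are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread: validating a "send to friend" form
// before the values reach mail(), covering the advice in posts #2 and #3.
// Returns an array with 'errors' (empty when the input is acceptable) and the
// cleaned 'subject' and 'message'. Requires PHP 7 or later.
function validate_send_to_friend(array $post): array
{
    $errors = [];

    // To and From/Reply-To must each be a single well-formed address.
    // FILTER_VALIDATE_EMAIL rejects anything containing "\r" or "\n", so an
    // attempt to append extra headers through an address field fails here.
    foreach (['from', 'to'] as $field) {
        $addr = trim($post[$field] ?? '');
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$field is not a valid e-mail address";
        }
    }

    // Subject (post #3): remove CR and LF so it can never start a new header,
    // then bound its length.
    $subject = str_replace(["\r", "\n"], '', $post['subject'] ?? '');
    if ($subject === '' || strlen($subject) > 200) {
        $errors[] = 'subject must be 1-200 bytes';
    }

    // Message (post #2): 10 <= length <= 3000. Line breaks are fine in a body,
    // which is not a header. Apply htmlspecialchars() only when echoing the
    // message back into an HTML page, not before it goes into a text/plain mail.
    $message = trim($post['message'] ?? '');
    if (strlen($message) < 10 || strlen($message) > 3000) {
        $errors[] = 'message must be between 10 and 3000 bytes';
    }

    return ['errors' => $errors, 'subject' => $subject, 'message' => $message];
}

// Constructed sample submissions: one clean, one with a line break and an
// extra header pasted into both the From address and the subject.
$clean  = ['from' => 'alice@example.com', 'to' => 'bob@example.net',
           'subject' => 'Look at this page', 'message' => 'Thought you might like this article.'];
$forged = ['from' => "alice@example.com\r\nBcc: list@example.org", 'to' => 'bob@example.net',
           'subject' => "Hi\r\nBcc: list@example.org", 'message' => 'Thought you might like this article.'];

print_r(validate_send_to_friend($clean)['errors']);
print_r(validate_send_to_friend($forged));
```

    The second call reports the From field as invalid and returns the subject with its CR/LF removed, so the pasted header can no longer become a header of its own.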

  4. #4 SitePoint Enthusiast (joined Aug 2009)
    The main security issue in the text box would be CSRF or XSS.

  5. #5 Raju Gautam (Kathmandu, Nepal, joined Oct 2006)
    - Use the htmlspecialchars() and htmlentities() functions to encode.
    - Use strip_tags() until you really need some html tags for xss.
    - Have some type of CAPTCHA-like field for spam/bots.
    - And simply validate the email address entered and check that they entered at least a few words/lines in the box.

  6. #6 SitePoint Enthusiast (joined Aug 2009)
    BTW, I think rajug meant "unless" when he wrote "until" in his informative reply above.

    Use strip_tags(), unless you really need some html tags, for xss.

  7. #7 risoknop (SitePoint Guru, joined Feb 2008)
    Isn't strip_tags() useless when you have already used htmlentities()?

  8. #8 Luke Morton (SitePoint Zealot, Essex, England, joined Jul 2005)
    Quote, originally posted by risoknop: "Isn't strip_tags() useless when you have already used htmlentities()?"
    I would say so, unless you didn't want HTML tags included in the code at all, then you could use htmlentities to encode entities not removed by strip_tags but still required, such as &amp; etc.

  9. #9 joebert (Floridiot, Kenneth City, FL, joined Mar 2004)
    I don't play around with trying to doctor messages in simple contact forms and personal messages like those. I leave a note above the message area letting the visitor know that anything that looks like HTML or bbcode will cause the message to be discarded and that's what I do.

    bbcode isn't much of a problem, but a lot of spam seems to be using it these days. I throw away anything with an [img/] or [url/] bbcode in it. I use stripos to look for them, that's as far as I go.

    I really don't want to post my HTML regular expression in public, but I'm confident it catches anything a browser would parse using even the most forgiving of quirks modes.

    For contact forms I take no chances with the fields that can direct where the message goes. I use switch statements and hardcode destination addresses and subjects into the code, each switch has a default defined.

    For my subject field I use a <select/> element with predefined subjects the switch looks for. I randomly mix in multiple "I want to spam you" options with the good ones. If the posted subject does not trigger the switch or it corresponds to those trap options I discard the message.

    I really don't want to post the code I use to validate email addresses publicly either. It leans more towards prevention than accommodation.
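    The allow-list routing described in this post, as an added example (not joebert's own code, which he did not publish): the posted subject is only a token looked up in a switch with a default, the destination addresses live in the code, trap options discard the message, and stripos() catches the bbcode. The token names, example.com addresses and the simple "looks like HTML" pattern are assumptions; trap tokens are fixed here rather than randomly mixed in as the post describes.

```php
<?php
// Added example, not joebert's own code: the allow-list approach from post #9.
// The visible <select> value is a short token; the real destination address and
// subject exist only in this switch, so form input cannot steer where mail goes.
// Addresses and token names are constructed placeholders. Requires PHP 7+.
function route_contact_form(array $post): ?array
{
    // Real tokens and "I want to spam you" trap tokens are both offered in the
    // <select>. A trap token, an unknown token or a missing field all end up in
    // default and the message is discarded.
    switch ($post['subject'] ?? '') {
        case 'sales':
            $to = 'sales@example.com';
            $subject = 'Website enquiry: sales';
            break;
        case 'support':
            $to = 'support@example.com';
            $subject = 'Website enquiry: support';
            break;
        case 'trap1':
        case 'trap2':
        default:
            return null;
    }

    $message = trim($post['message'] ?? '');

    // bbcode check from the post: stripos() is case-insensitive, so [IMG] and
    // [url=...] are caught as well as [img/] and [url/].
    foreach (['[img', '[url'] as $tag) {
        if (stripos($message, $tag) !== false) {
            return null;
        }
    }

    // Anything that looks like the start of an HTML tag, comment or processing
    // instruction also discards the message (a simple stand-in for the regex
    // joebert chose not to publish). Discarding avoids trying to "doctor" input.
    if (preg_match('/<[a-z\/!?]/i', $message)) {
        return null;
    }

    return ['to' => $to, 'subject' => $subject, 'message' => $message];
}

// Constructed sample submissions: a genuine enquiry and a spam attempt that
// selected a trap option and carries a [URL] tag.
$good = ['subject' => 'support', 'message' => 'My order has not arrived yet.'];
$spam = ['subject' => 'trap1', 'message' => 'Cheap watches [URL=http://example.org]here[/URL]'];
var_dump(route_contact_form($good), route_contact_form($spam));
```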

  10. #10 SitePoint Member (joined Sep 2009)
    security issue in the text box

  11. #11 SitePoint Member (joined Aug 2009)
    Is that with PHP?

