Feed back form security

I’m working on a “contact us” form for my site and right now I don’t plan on hooking it up to a database. I"m just going to have any user input send a direct email to me.

So my question is regarding form security is, is it still necessary to add a mysql_real_escape_string to the user input form variables? I’m certainly going to add trim and strip_tags functions. I’m going to make sure any required fields are validated and i’m also going to add in some code to validate the email address.

As of PHP 5.2 Data Filtering is available, it provides also email validation.

Thanks guys for the input and for clearing up some confusion! :slight_smile: I’m going to add in an email validation code and look into the header issue too.

I just have a quick second here, but jcorbin, I would run the $email variable through an email validation class (there are many pieces of code online that can validate emails).

If you validate the email, then you should be good there, as the $email variable is the only main possible issue with the code you posted.

Edit: Here is some code you might be able to use…

	$emailPattern = '/^[^@\\s]+@([-a-z0-9]+\\.)+[a-z]{2,}$/i';
	if (!preg_match($emailPattern, $email)){
		print 'Please review the email address you entered. There seems to be a problem';

mysql_real_escape_string is used for escaping variables when you include them in SQL queries directly instead of doing it the more modern way using either mysqli or PDO to keep the variables and the query separate.

If you are not generating old style sql queries then you don’t need mysql_real_escape_string

Hmm, depends on exactly how you have it set up, which email library you are using, etc.

Potentially, yes, you could be the target of an email header injection attack (search for it for more info).

If you are using data the user submits for either the headers and/or the “from”, “to”, etc. fields (which go in the headers, btw), than you want to watch out for that possibility.

Ok, thanks Nathan for the input. I’ve read a little about what you’re saying, that spammers can change the header info to use your form as a spam relay.

The problem I’m having is, I’m finding a lot of scattered information and I’m not positive on what exactly applies to what I’m doing verses something that applies more to script that connects to a database.

I’ve included a sample of the code I’m working on. This is a very rough beta version since I’m still in the beginning learning phase and I just haven’t had time yet to add in stuff like validation.

// Email process form v: 1.0b
// Set variables and add user input security
$name = strip_tags(trim($_POST['name']));
$email = strip_tags(trim($_POST['email']));
$feedback = strip_tags(trim($_POST['feedback']));

// Set up information
$toaddress = "email@example.com";

$subject = "Contact Us";

$mailcontent = "Customer name: ".$name."\
               "Customer email: ".$email."\
               "Customer feedback:\

$fromaddress = 'From: [email]email@example.com[/email]' . "\\r\
. "Reply-to: $email";

// Invoke mail() function
mail($toaddress, $subject, $mailcontent, $fromaddress, $additional_headers);
<title>Bob's Auto Parts - Feedback submitted</title>
<h1>Feedback submitted</h1>
<p>Thanks <?php echo "$name";?> your feed back has been submitted.</p>

Ok, thanks for the info. Everything I read about security mentions about about a half a dozen functions or so that you should add in. Most of them though are focused on database protection.

In regards to a straight form to email script. Is there anything else that I should protect against?

real escape string requires a database connection be established.

validating is step 1. sanitizing is another thing.