Security Considerations for Contact Form

I’m considering making a new processing script for a contact form on a site.
For a while I’ve been using FormMail from Tectite, which has been good and seems quite robust on security and spam detection (it has not let me down yet).
But for a while now, the system has been failing to deliver the mail. I don’t think this is a problem with the script or setup, as it has not been altered since before it stopped working. I believe it is to do with the host’s email server, but I have been unable to detect the exact issue.
That aside, I have been thinking of creating my own processing script in PHP so it works the way I want it to. I want it to both send the email to the addresses (as defined by a dropdown “Department” field) and store the data in a MySQL database.
I want to ask: what should my security concerns be in doing this, and how best to deal with them?
For SQL security, I was thinking of making a new user account for the DB which has only “Insert” privileges, to limit what it can do to the DB to the bare minimum.
Is that a good start? Or are there still potentially bad things that could be done through inserting malicious data? Of course I will use `preg_replace` to attempt to sanitize the data first, and I also have an effective CAPTCHA in place already.
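As an added example, not the original poster’s script and not Tectite FormMail, here is one way the handler described above could be written in PHP so that the two risks specific to this design are closed: the “Department” dropdown is treated as a key into a fixed allowlist (so the visitor never controls a recipient or any mail header), and the MySQL write goes through a prepared statement, which keeps data separate from the query without relying on `preg_replace`. The table name `contact_messages`, the DSN and credentials, the department addresses and the form field names are all assumptions for illustration.

```php
<?php
// Added example (not the original poster's script, not Tectite FormMail).
// Hypothetical names: table contact_messages, DSN/credentials, department
// addresses and form field names are all assumptions.

declare(strict_types=1);

// 1. Allowlist: the dropdown value is only a key; the address comes from here.
//    A tampered value simply fails validation instead of choosing a recipient.
const DEPARTMENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
    'billing' => 'billing@example.com',
];

// Strip CR/LF (and NUL) so a value can never start a new mail header line.
function single_line(string $value, int $max = 200): string
{
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    return mb_substr(trim($value), 0, $max);
}

// Validate the POST data. Returns [ok, errors, cleaned data].
function validate_submission(array $post): array
{
    $errors = [];
    $dept = (string)($post['department'] ?? '');
    if (!array_key_exists($dept, DEPARTMENTS)) {
        $errors[] = 'Unknown department.';
    }
    $email = filter_var((string)($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Invalid e-mail address.';
    }
    $name    = single_line((string)($post['name'] ?? ''), 100);
    $subject = single_line((string)($post['subject'] ?? ''), 150);
    $message = trim((string)($post['message'] ?? ''));
    if ($name === '' || $subject === '' || $message === '') {
        $errors[] = 'Name, subject and message are required.';
    }
    if (mb_strlen($message) > 5000) {
        $errors[] = 'Message too long.';
    }
    $clean = [
        'department' => $dept,
        'name'       => $name,
        'email'      => (string)$email,
        'subject'    => $subject,
        'message'    => $message,
    ];
    return [count($errors) === 0, $errors, $clean];
}

// 2. Store with a prepared statement: values are bound, never spliced into
//    the SQL text, so quoting/escaping the data is not what protects the query.
function store_submission(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (department, name, email, subject, message, submitted_at)
         VALUES (:department, :name, :email, :subject, :message, NOW())'
    );
    $stmt->execute($clean);
}

// 3. Send to the allowlisted address. From: is a fixed site address; the
//    visitor's validated address goes in Reply-To, so it cannot smuggle headers.
function send_submission(array $clean): bool
{
    $to      = DEPARTMENTS[$clean['department']];
    $headers = [
        'From: Website Contact Form <noreply@example.com>',
        'Reply-To: ' . $clean['email'],
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "From: {$clean['name']} <{$clean['email']}>\n\n{$clean['message']}";
    return mail($to, '[Contact] ' . $clean['subject'], $body, implode("\r\n", $headers));
}

// Entry point. The CAPTCHA check the poster already has would run before this.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$ok, $errors, $clean] = validate_submission($_POST);
    if (!$ok) {
        http_response_code(400);
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    // Account that holds only INSERT on contact_messages (see note below).
    $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'contact_insert', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    store_submission($db, $clean);
    send_submission($clean);
    echo 'Thanks, your message has been sent.';
}
```

The matching MySQL grant for the account used above would be `GRANT INSERT ON site.contact_messages TO 'contact_insert'@'localhost';` (again an assumed database and account name). Two caveats on the INSERT-only idea: it limits what an injection could do to the database, but the prepared statement is what prevents the injection in the first place; and data that is inserted safely can still do harm later if an admin page echoes it into HTML without escaping, so the output side needs `htmlspecialchars` (or equivalent) just as the input side needs parameter binding.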

Here are a couple of Sitepoint articles, which might get you going in the right directions.


Thanks. I’ll take a look at those.
