Security on a php form

Hi from freezing cold -2° York UK,

http://www.website-project-manager.co.uk/test-form.html is a web form using php. I’m a noob with php forms but I understand they can be hacked easily, what can I do to prevent attacks?

Thanks for your message!

<?php

    $userName    = $_POST['myName'];
    $userEmail   = $_POST['myEmail'];
    $userMessage = $_POST['myMessage'];

    $to      = "me@example.com";
    $subject = "Email from my website";
    $body    = "Information Submitted:";

    $headers = 'From: Enquiry Project Manager <website-project-manager.co.uk/>' . "\r\n" .
               'Reply-To: me@example.com' . "\r\n" .
               'X-Mailer: PHP/' . phpversion();

    $body .= "\r\n Name: " . $userName;
    $body .= "\r\n Email: " . $userEmail;
    $body .= "\r\n Message: " . $userMessage;

    mail($to, $subject, $body, $headers);
?>

Thanks in advance,
David

Off Topic:

I’ve edited your post.

Please be careful posting code, and don’t include actual email addresses unless you are happy to be inundated with Spam.

$body = htmlspecialchars($body);

mail($to, $subject, $body, $headers);

Not really answering the question, but I believe you would be wise to use something like PHPMailer rather than the built-in mail() function, for reliability among other reasons.


Hi, thanks for the reply, what’s PHPMailer?

It depends on what you are going to do with the user input. If it is only going to go into an HTML email, escaping it as Igor suggests should make it safe.
I did give a cursory glance to the form-mail tutorial you posted in your other topic.

…And thought it’s not the best example. It does sanitise and escape the input, which is wise, but there is little in the way of validation or spam protection. So you should expect a lot of nuisance from spammers.
IMO, if you have a form without spam protection, why bother with a form, just publish your email address and get spammed directly.
The method for detecting a submission isn’t great:-

if($_POST) {...

The preferred method is:-

if($_SERVER['REQUEST_METHOD'] == 'POST'){...

Also it uses the mail() function, which isn’t great. Something like PHPMailer is better as droopsnoot mentions.

It’s a library that has additional functionality and, I understand, reliability. I haven’t done emailing from PHP myself, but it’s normally an early suggestion here.

GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP

Just to say it took me all day to get the php form working. I’ve had a look at PHPMailer and it sounds like there’s a few things I have to set up that are totally alien to me.

I’ll give it a crack tomorrow but may be posting more “how do i do this” “how do i do that” type questions!

If you are not confident in PHP, it may be daunting or difficult to set up a good, safe form-mail, that keeps spammers out.
But there are ready made solutions you can use instead of doing it all yourself.
This is one that I used to use, it’s a while since I used it, but the anti-spam was always quite robust.
I now use home-brewed form-mail scripts. I mainly switched from that because I wanted something more tailored to my needs, but started with that before I was confident to do it myself.
It’s just another option, you may want to learn to do it yourself.


Going to give this a go this morning, wish me luck!

As well as the download page I linked to having a short example of how to use PHPMailer, there are plenty of threads on here that have discussions on the subject, so it’s always worth having a look through those to see if they help.


Thank you so much @SamA74, https://www.tectite.com/ really was a perfect solution for when you need a PHP contact form and you have limited coding skills.

There are actually 2 issues here - one is security and the other is spam.

The security issue is mainly that accepting ‘raw’ input to a $var means that the person completing the form could actually ‘inject’ code. This means they could enter sql or php code that nests itself in your code and then changes what happens. This is more of a risk if you are actually saving the contents of the form to a database. As another example, the comments could be a js script that deletes a file or folder, or many other malicious operations. This script would run when you opened the reply in a browser.

The spam issue arrives from the fact that spammers actively search for forms and fill them in automatically, then submit them for various reasons.

The htmlspecialchars() php function @igor_g suggests is a good way to make sure it cannot execute as code, and you should research this as it is good advice.

Regarding spam this is more a case of putting yourself in the mindset of a spammer and identifying characteristics of a spam reply and then rejecting them or accepting them but flagging as spam.

It all depends on what you mean by security - it is quite an endeavour to create a form that is safe, secure, user friendly and relatively spam proof.

As I said, it depends on what you are doing with the input. If it only goes directly to email, there is no chance of SQL injection, with no SQL involved.

JS injection seems the most plausible attack here, but the escaping should take care of that.

I set up my scripts to record and report any attempt that gets identified as spam, reporting which wires were tripped. It’s a good way to monitor and learn from the behaviour of spammers, and learn which captcha methods are most effective against them.
Easily the most common one to flag is a form timer. Since most spam appears to come from bots, they fill in the form suspiciously quickly. Another good thing about this is that it’s “invisible” captcha as far as the user is concerned; you are not making honest people jump through hoops to get their message through, yet it has proven very effective at catching spam-bots.

@SamA74 - I think we are basically both agreeing, but maybe phrasing it differently. My first comments were mainly to agree with you and reinforce what you said. I certainly agree with all you said in your last post. One other “invisible” captcha that the user does not even see is hidden fields. Including hidden fields in your form, I find, is a great way of detecting spam.

Include hidden fields and check for entries; an entry in a hidden field HAS to be a robot. Just for added security, and to make the spammer’s job even harder, don’t hide them with html but use css, which is much harder for a spammer to detect and bypass.

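A single handler pulling together the advice in this thread (the REQUEST_METHOD check, validation, htmlspecialchars() escaping, the form timer and the CSS-hidden honeypot field, with tripped "wires" logged for review), as an added example rather than any poster's code. The field names myName/myEmail/myMessage come from the original post; the hidden fields form_ts and website, the 5-second threshold and the example.com addresses are assumptions.

```php
<?php
// Added example (not from the thread). The form page is assumed to include two
// extra inputs: <input type="hidden" name="form_ts" value="<?= time() ?>"> and a
// text input named "website" hidden with CSS (display:none), which humans never see.
declare(strict_types=1);

/** Names of the spam "wires" tripped; an empty array means the submission looks human. */
function spamWires(array $post, int $now, int $minSeconds = 5): array
{
    $wires = [];
    if (!empty($post['website'])) {          // honeypot: only a bot fills a field it cannot see
        $wires[] = 'honeypot';
    }
    $served = (int) ($post['form_ts'] ?? 0); // form timer: bots submit within a second or two
    if ($served <= 0 || $now - $served < $minSeconds) { // (a session-stored value is harder to forge)
        $wires[] = 'timer';
    }
    return $wires;
}

/** Validate the three fields and escape them so they are inert if the mail is viewed as HTML. */
function cleanFields(array $post): array
{
    $name    = trim((string) ($post['myName'] ?? ''));
    $email   = trim((string) ($post['myEmail'] ?? ''));
    $message = trim((string) ($post['myMessage'] ?? ''));
    $errors  = [];
    if ($name === '' || mb_strlen($name) > 100)              { $errors[] = 'name'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'email'; }
    if ($message === '' || mb_strlen($message) > 5000)       { $errors[] = 'message'; }
    $esc = static fn (string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [$errors, ['name' => $esc($name), 'email' => $esc($email), 'message' => $esc($message)]];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {          // preferred over if($_POST)
    $wires = spamWires($_POST, time());
    [$errors, $f] = cleanFields($_POST);
    if ($wires !== []) {
        error_log('form-mail: spam rejected, wires tripped: ' . implode(',', $wires));
        http_response_code(400);
    } elseif ($errors !== []) {
        http_response_code(422);
        echo 'Please check these fields: ' . implode(', ', $errors);
    } else {
        $body = "Information Submitted:\r\n Name: {$f['name']}\r\n Email: {$f['email']}\r\n Message: {$f['message']}";
        $headers = "From: Enquiry Project Manager <noreply@example.com>\r\n"  // fixed sender on your own domain
                 . "Reply-To: me@example.com\r\n" . 'X-Mailer: PHP/' . PHP_VERSION;
        mail('me@example.com', 'Email from my website', $body, $headers);
    }
}
```

The visitor's address is kept out of the mail headers on purpose and only appears, escaped, in the body; only fixed addresses you control go into From and Reply-To.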