Security on a php form

Nightwing · February 9, 2021, 4:53pm

Hi from freezing cold -2° York UK,

http://www.website-project-manager.co.uk/test-form.html is a web form using php. I’m a noob with php forms but i understand they can be hacked easily, what can i do to prevent
attacks?

Thanks for your message!

<?php
	
	$userName 		= $_POST['myName'];
	$userEmail	 	= $_POST['myEmail'];
	$userMessage 		= $_POST['myMessage'];

	$to 			= "me@example.com";
	$subject 		= "Email from my website";
	$body 			= "Information Submitted:";

        $headers 		= 'From: Enquiry Project Manager <website-project-manager.co.uk/>' . "\r\n" .
    				'Reply-To: me@example.com' . "\r\n" .
    				'X-Mailer: PHP/' . phpversion();

	$body .= "\r\n Name: " . $userName;
	$body .= "\r\n Email: " . $userEmail;
	$body .= "\r\n Message: " . $userMessage;

	mail($to, $subject, $body, $headers);
?>

Thanks in advance,
David

TechnoBear · February 9, 2021, 4:55pm

Off Topic:

I’ve edited your post.

Please be careful posting code, and don’t include actual email addresses unless you are happy to be inundated with Spam.

igor_g · February 9, 2021, 5:48pm

$body = htmlspecialchars($body);

mail($to, $subject, $body, $headers);

droopsnoot · February 9, 2021, 6:03pm

Not really answering the question, but I believe you would be wise to use something like PHPMailer rather than the built-in mail() function, for reliability among other reasons.

Nightwing · February 9, 2021, 6:52pm

Hi thanks for the reply, what’s PHP mailer?

SamA74 · February 9, 2021, 6:52pm

It depends on what you are going to do with the user input. If it is only going to go into an HTML email, escaping it as Igor suggests should make it safe.
I did give a cursory glance to the form-mail tutorial you posted in your other topic.

…And thought it’s not the best example. It does sanitise and escape the input, which is wise, but there is little in the way of validation or spam protection. So you should expect a lot of nuisance from spammers.
IMO, if you have a form without spam protection, why bother with a form, just publish your email address and get spammed directly.
The method for detecting a submission isn’t great:-

if($_POST) {...

The preferred method is:-

if($_SERVER['REQUEST_METHOD'] == 'POST'){...

Also it uses the mail() function, which isn’t great. Something like PHPMailer is better as droopsnoot mentions.

droopsnoot · February 9, 2021, 7:08pm

It’s a library that has additional functionality and, I understand, reliability. I haven’t done emailing from PHP myself, but it’s normally an early suggestion here.

GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP

Nightwing · February 9, 2021, 7:26pm

Just to say it took me all day to get the php form working, i’ve had a look at PHP mailer and it sounds there’s a few things i have to set up that are totally alien to me.

I’ll give it a crack tomorrow but may be posting more “how do i do this” “how do i do that” type questions!

SamA74 · February 9, 2021, 7:46pm

If you are not confident in PHP, it may be daunting or difficult to set up a good, safe form-mail, that keeps spammers out.
But there are ready made solutions you can use instead of doing it all yourself.
This is one that I used to use, it’s a while since I used it, but the anti-spam was always quite robust.
I now use home-brewed form-mail scripts. I mainly switched from that because I wanted something more tailored to my needs, but started with that before I was confident to do it myself.
It’s just another option, you may want to learn to do it yourself.

Nightwing · February 10, 2021, 6:16am

Just to say it took me all day to get the php form working, i’ve had a look at PHP mailer and it sounds there’s a few things i have to set up that are totally alien to me.

I’ll give it a crack tomorrow but may be posting more “how do i do this” “how do i do that” type questions!

Nightwing · February 10, 2021, 8:57am

Going to give this a go this morning, wish me luck!

droopsnoot · February 10, 2021, 9:35am

As well as the download page I linked to having a short example of how to use PHPMailer, there are plenty of threads on here that have discussions on the subject, so it’s always worth having a look through those to see if they help.

Nightwing · February 10, 2021, 3:58pm

Thank you so much @SamA74 https://www.tectite.com/ really was a perfect solution for when you need a PHP contact form and you have limited coding skills

kerry14 · February 10, 2021, 4:03pm

There are actually 2 issues here - one is security and the other is spam.

The security issue is mainly that accepting ‘raw’ input to a $var means that the person completing the form could actually ‘inject’ code. This means they could enter sql or php code that nests itself in your code and then changes what happens. This is more of a risk if you are actually saving the contents of the form to a database. As another example the comments could be a js script that deletes a file or folder - or many other malicious operations. This .script would run when you opened the reply in a browser

The spam issue arrives from the fact that spammers actively search for forms and fill them in automatically, then submit them for various reasons.

the -

htmlspecialchars()

php function @igor_g suggests is a good way to make sure it cannot execute as code and you should research this as it is good advice.

Regarding spam this is more a case of putting yourself in the mindset of a spammer and identifying characteristics of a spam reply and then rejecting them or accepting them but flagging as spam.

It all depends on what you mean by security - it is quite an endeavour to create a form that is safe, secure, user friendly and relatively spam proof.

SamA74 · February 10, 2021, 6:29pm

As I said, it depends on what you are doing with the input. If it only goes directly to email, there is no chance of SQL injection, with no SQL involved.

JS injection seems the most plausible attack here, but the escaping should take care of that.

I set up my scripts to record and report any attempt that gets identified as spam, reporting which wires were tripped. It’s a good way to monitor and learn from the behaviour of spammers, and learn which captcha methods are most effective against them.
Easily the most common one to flag is a form timer. Since most spam appears to come from bots, they fill in the form suspiciously quickly. Another good thing about this is that it’s “invisible” captcha as far as the user is concerned, you are not making honest people jump through hoops to get their message through yet it has proven very effective at catching spam-bots.

kerry14 · February 11, 2021, 8:50am

@SamA74 - I think we are basically both agreeing, but maybe phrasing it differently My first comments were mainly to agree with you and enforce what you said. I certainly agree with all you said in last post. One other “invisible” captcha that the user does not even see is hidden fields. Including hidden fields in your form, I find, is a great way of detecting spam.

Include hidden fields and check for entries, an entry in a hidden field HAS to be a robot. Just for added security and to make the spammers job even harder dont hide them with html but use css, much harder for a spammer to detect and bypass.