Date: 2021-02-09

Security on a php form

PHP
#1

Hi from freezing cold -2° York UK,

http://www.website-project-manager.co.uk/test-form.html is a web form using PHP. I'm a noob with PHP forms, but I understand they can be hacked easily. What can I do to prevent attacks?

Thanks for your message!

<?php

	// Raw form fields: nothing here is validated, length-limited or checked for line breaks
	$userName    = $_POST['myName'];
	$userEmail   = $_POST['myEmail'];
	$userMessage = $_POST['myMessage'];

	$to      = "me@example.com";
	$subject = "Email from my website";
	$body    = "Information Submitted:";

	// Fixed headers. The From value is a bare domain, not a mailbox in
	// "Name <user@domain>" form, so it is not a valid address
	$headers = 'From: Enquiry Project Manager <website-project-manager.co.uk/>' . "\r\n" .
	           'Reply-To: me@example.com' . "\r\n" .
	           'X-Mailer: PHP/' . phpversion();

	// User input is placed in the plain-text body only; no user data reaches the headers
	$body .= "\r\n Name: " . $userName;
	$body .= "\r\n Email: " . $userEmail;
	$body .= "\r\n Message: " . $userMessage;

	mail($to, $subject, $body, $headers);
?>

Thanks in advance,
David

#2

#3

$body = htmlspecialchars($body);

mail($to, $subject, $body, $headers);

#4

Not really answering the question, but I believe you would be wise to use something like PHPMailer rather than the built-in mail() function, for reliability among other reasons.

#5

Hi, thanks for the reply. What's PHPMailer?

#6

It depends on what you are going to do with the user input. If it is only going to go into an HTML email, escaping it as Igor suggests should make it safe.
I did give a cursory glance to the form-mail tutorial you posted in your other topic, and thought it's not the best example. It does sanitise and escape the input, which is wise, but there is little in the way of validation or spam protection. So you should expect a lot of nuisance from spammers.
IMO, if you have a form without spam protection, why bother with a form, just publish your email address and get spammed directly.
The method for detecting a submission isn’t great:-

if($_POST) {...

The preferred method is:-

if($_SERVER['REQUEST_METHOD'] == 'POST'){...

Also it uses the mail() function, which isn’t great. Something like PHPMailer is better as droopsnoot mentions.
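Pulling together the question in post #1 and the advice in post #6, here is an added example of the same handler with the missing checks in place. This is not the original poster's code or the tutorial's: the recipient, subject and field names come from the snippet in post #1, while the From address, the honeypot field name (`website`) and the length limits are assumptions made for the example.

```php
<?php
// Added example, not the original poster's code: the handler from post #1
// with a REQUEST_METHOD check, validation, a spam honeypot and user data
// kept out of the mail headers. MAIL_FROM, the honeypot field name and the
// length limits are assumptions.
declare(strict_types=1);

const MAIL_TO     = 'me@example.com';        // from the original snippet
const MAIL_FROM   = 'enquiry@example.com';   // assumed: a mailbox on your own domain
const MAX_NAME    = 100;                     // byte limits, assumed
const MAX_MESSAGE = 5000;

/**
 * Validate and normalise the form fields.
 * Returns [bool $ok, string[] $errors, array $clean].
 */
function validateEnquiry(array $post): array
{
    // Non-string values (e.g. myName[]) are treated as empty rather than cast
    $str = static fn ($v): string => is_string($v) ? trim($v) : '';

    $errors   = [];
    $name     = $str($post['myName'] ?? null);
    $email    = $str($post['myEmail'] ?? null);
    $message  = $str($post['myMessage'] ?? null);
    $honeypot = $str($post['website'] ?? null);   // hidden field; humans never fill it

    if ($honeypot !== '') {
        $errors[] = 'spam';   // simple bots fill every field they find
    }
    // A line break in a value that could reach a mail header would let the
    // sender append headers of their own (Cc:, Bcc:), so reject it outright.
    if ($name === '' || strlen($name) > MAX_NAME || preg_match('/[\r\n]/', $name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL accepts a single address and fails on control
    // characters, so a value that passes is safe to place in Reply-To.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    if ($message === '' || strlen($message) > MAX_MESSAGE) {
        $errors[] = 'message';
    }

    return [$errors === [], $errors, ['name' => $name, 'email' => $email, 'message' => $message]];
}

/**
 * Build the mail() arguments from validated input. User data goes into the
 * plain-text body and the already-validated Reply-To only; From stays fixed.
 */
function buildEnquiryMail(array $clean): array
{
    $headers = 'From: Enquiry Project Manager <' . MAIL_FROM . '>' . "\r\n"
             . 'Reply-To: ' . $clean['email'] . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();

    $body = 'Information Submitted:'
          . "\r\n Name: " . $clean['name']
          . "\r\n Email: " . $clean['email']
          . "\r\n Message: " . $clean['message'];

    return [MAIL_TO, 'Email from my website', $body, $headers];
}

// Act only on a real POST submission (the check post #6 recommends)
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$ok, $errors, $clean] = validateEnquiry($_POST);

    if (!$ok) {
        http_response_code(400);
        // This response is HTML, so escape here; the plain-text mail body needs no escaping
        echo 'Please check: ' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8');
        exit;
    }

    [$to, $subject, $body, $headers] = buildEnquiryMail($clean);
    if (!mail($to, $subject, $body, $headers)) {
        http_response_code(500);
        echo 'Sorry, the message could not be sent.';
        exit;
    }
    echo 'Thanks for your message!';
}
```

To use the honeypot, add `<input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">` to the form; a submission that fills it is dropped. Note that `mail()` returning true only means the message was handed to the local mail program, not that it was delivered, which is one of the reliability points behind the PHPMailer suggestion.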

#7

It’s a library that has additional functionality and, I understand, reliability. I haven’t done emailing from PHP myself, but it’s normally an early suggestion here.

GitHub - PHPMailer/PHPMailer: The classic email sending library for PHP
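As an added example of what the PHPMailer suggestion looks like in practice (not code from the thread or from the PHPMailer project's own documentation), this is the send step for the same enquiry form over authenticated SMTP. It assumes `composer require phpmailer/phpmailer` has been run, that the three values have already been validated as in the earlier step, and that the SMTP host, the sending mailbox and the `SMTP_PASSWORD` environment variable are placeholders for your own.

```php
<?php
// Added example, not from the thread. Assumes `composer require phpmailer/phpmailer`
// and an SMTP account; host, mailbox and the SMTP_PASSWORD variable are placeholders.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

/**
 * Send one enquiry. $name, $email and $message must already be validated.
 * Returns true on hand-off to the SMTP server, false otherwise.
 */
function sendEnquiry(string $name, string $email, string $message): bool
{
    $mail = new PHPMailer(true);   // true: throw Exception instead of returning false

    try {
        $mail->isSMTP();
        $mail->Host       = 'smtp.example.com';                 // placeholder
        $mail->Port       = 587;
        $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;     // TLS before auth
        $mail->SMTPAuth   = true;
        $mail->Username   = 'enquiry@example.com';              // placeholder
        $mail->Password   = getenv('SMTP_PASSWORD') ?: '';      // keep the secret out of the script
        $mail->CharSet    = 'UTF-8';

        // From is a mailbox you control on the sending domain; the visitor's
        // address goes in Reply-To. addReplyTo validates it and throws if invalid.
        $mail->setFrom('enquiry@example.com', 'Enquiry Project Manager');
        $mail->addAddress('me@example.com');
        $mail->addReplyTo($email, $name);

        $mail->isHTML(false);   // plain-text body, so no HTML escaping is needed here
        $mail->Subject = 'Email from my website';
        $mail->Body    = "Information Submitted:\r\n Name: $name\r\n Email: $email\r\n Message: $message";

        return $mail->send();
    } catch (Exception $e) {
        // Log the detail server-side; never echo ErrorInfo to the visitor
        error_log('Enquiry mail failed: ' . $mail->ErrorInfo);
        return false;
    }
}
```

Call `sendEnquiry($clean['name'], $clean['email'], $clean['message'])` in place of `mail(...)` after validation. Because the library builds the headers itself, a stray `\r\n` in a value cannot become an extra header, and the SMTP transport gives you an error message when the server rejects the mail rather than the silent true/false of `mail()`.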

#8

Just to say it took me all day to get the PHP form working. I've had a look at PHPMailer and it sounds like there are a few things I have to set up that are totally alien to me.

I'll give it a crack tomorrow but may be posting more "how do I do this" and "how do I do that" type questions!