Using PHP contact forms

Hi,

I have been using a contact form called form2mail from http://www.hotdreamweaver.com/form-to-mail, but now I have started wondering if this form was the cause of my site being hacked, since this is the only PHP file that I have on this site, and from what I was reading about web security, server scripting seems to be a big target for hackers. Besides this PHP file I also had a very poor cPanel password (a four-letter password), so I don’t doubt that this could be the issue, but now I have started wondering what is considered a secure contact form. In fact I was recently learning PHP and I created a simple contact form, and I was so happy about my results until my site was hacked and I started reading about this new world.

1-How secure does a contact form need to be in order to be considered good to use?

2-Is it risky to use a contact form created by a novice like me?

3-How do I know if my form is secure?

4-What kind of contact form are you guys using?

Thanks a lot!

1-How secure does a contact form need to be in order to be considered good to use?
If a malicious user cannot easily get information on the data sent and to whom, and you prevent most spam bots, you are on the right track.
At the very, VERY least, any data that is submitted MUST be validated server-side to prevent dangerous code from messing with your scripts, and any error messages should be suppressed so as not to give away names of variables, directories or other hidden data that a server-side script file possesses.

2-Is it risky to use a contact form created by a novice like me?

If you feel you are not up to date with basic data validation and submission practices then obviously, “yes”. You are potentially dealing with people’s private information and not handling that properly and securely can lead to gawd knows how many headaches.
However, it does not take a PhD in computer science to achieve an adequate level of security.

3-How do I know if my form is secure?

The easiest way would be to post your version of the contact form here and let the experts alert you to any gaping security holes. Besides doing a simple Google search on the subject, take a peek at some SitePoint articles. I can’t remember the name of one of them, but it had a good viewpoint on whether to put the burden of bot prevention on the user or developer.

4-What kind of contact form are you guys using?

A custom-made PHP contact form with server-side validation, “honeypot” spam detection and a dash of very simple JS that does not hinder the form with it turned off.
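The handler below is an added example, not the form2mail plugin or any poster's code. It puts the three points of the answer above into one small script: whitelist-style server-side validation of every field, a honeypot field that bots fill in and humans never see, and no PHP error output to the visitor (errors go to the log, and the visitor only ever sees fixed messages). The field names (`name`, `email`, `topics`, `message`, honeypot `website`), the size limits and the two e-mail addresses are assumptions for the example.

```php
<?php
// Added example (not the form2mail plugin or any poster's code): a minimal
// contact-form handler with server-side validation, a honeypot, and no
// error output to the visitor. Field names, limits and addresses are assumed.

declare(strict_types=1);

// Never show PHP errors or warnings to the visitor; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const RECIPIENT = 'you@example.com';             // assumed; hard-coded, never taken from the request
const MAX_NAME  = 100;
const MAX_MSG   = 4000;
const TOPICS    = ['sales', 'support', 'other'];  // assumed checkbox values

/**
 * Validate the submitted fields. Validation is a whitelist: each field must look
 * exactly like what we expect or the submission is rejected.
 * Returns ['ok' => bool, 'spam' => bool, 'errors' => string[], 'data' => array].
 */
function validate_contact(array $post): array
{
    $errors = [];
    $data   = [];

    // Honeypot: a field hidden from humans with CSS. Humans leave it empty; bots fill it in.
    // A filled honeypot is treated as spam silently, so the bot learns nothing.
    if (!empty($post['website'] ?? '')) {
        return ['ok' => false, 'spam' => true, 'errors' => [], 'data' => []];
    }

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > MAX_NAME) {
        $errors[] = 'Please enter your name.';
    } else {
        $data['name'] = $name;
    }

    // FILTER_VALIDATE_EMAIL also rejects CR/LF, so this value can never smuggle a header.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    } else {
        $data['email'] = $email;
    }

    // Checkboxes: accept only values from our own list, ignore everything else.
    $topics = $post['topics'] ?? [];
    $topics = is_array($topics) ? array_filter($topics, 'is_string') : [];
    $data['topics'] = array_values(array_intersect(TOPICS, $topics));

    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > MAX_MSG) {
        $errors[] = 'Please enter a message (up to ' . MAX_MSG . ' characters).';
    } else {
        $data['message'] = $message;
    }

    return ['ok' => $errors === [], 'spam' => false, 'errors' => $errors, 'data' => $data];
}

/** Build the mail from validated data only. User input goes in the body, never in a header. */
function build_mail(array $data): array
{
    $body  = "Name: {$data['name']}\n";
    $body .= "E-mail: {$data['email']}\n";
    $body .= 'Topics: ' . implode(', ', $data['topics']) . "\n\n";
    $body .= $data['message'] . "\n";

    // Fixed headers: nothing here comes from the request, so header injection is impossible.
    $headers = "From: contact-form@example.com\r\n"   // assumed sender on your own domain
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    return ['subject' => 'Website contact form', 'body' => $body, 'headers' => $headers];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validate_contact($_POST);
    if ($result['spam']) {
        echo 'Thank you, your message has been sent.';   // pretend success to the bot
    } elseif (!$result['ok']) {
        // Echo only our own fixed messages, HTML-escaped; never raw input or exceptions.
        foreach ($result['errors'] as $e) {
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        $mail = build_mail($result['data']);
        $sent = mail(RECIPIENT, $mail['subject'], $mail['body'], $mail['headers']);
        echo $sent ? 'Thank you, your message has been sent.'
                   : 'Sorry, your message could not be sent right now.';
    }
}
```

The matching HTML form only needs the four visible fields plus `<input type="text" name="website" style="display:none" tabindex="-1" autocomplete="off">` for the honeypot. Note that the visitor's address is written into the body rather than used as `From:` or `Reply-To:`; keeping every header fixed is the simplest way to rule out header injection, at the cost of one copy-and-paste when you reply.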

Well, first of all, thanks a lot for your reply!

It looks like the first step would be to validate your form with server-side scripting. I would love to post the code I’m using, but it’s over 3000 lines of code including comments, and I don’t think anyone would like to sit down and look at the code. At the same time I’m thinking that this was created by someone who knew what he was doing, and I hope he thought about security, especially since they sell the plugin.

Thanks a lot for your advice!

hmmmmmm…:scratch:

there must be a lot of comments.

If it’s just a standard contact form with prompts for a first and last name, email address, comments and maybe a few extra input fields, I wouldn’t have thought it should take more than 100 - 150 lines, absolute tops.

:eek: What?

Uhh, I have to agree as well that this is waaay too much unless you have a very complex form with novels of comments.

How about you just start out by explaining what you wish to accomplish with this form (ie. give us the fields you want the user to fill in)?

If we are talking about a name field, e-mail, even some checkboxes and/or radios 3000 lines is a touch much unless you are including your life story in the comments.

And, you mentioned a paid plugin? This wouldn’t be for WordPress, would it? If so, there are some very good FREE plugins for contact forms that can probably handle what I think you are looking for (unless I have missed something)…

Thank you all for your comments!

And, you mentioned a paid plugin? This wouldn’t be for WordPress, would it?

No, this is a plug-in for Dreamweaver.

There are 3030 lines of code, but probably half of the code is comments. It is still huge; if some of you would like to see it just out of curiosity, let me know and I can post it or send it to you!

So to make this short a contact form doesn’t need to be super complex to be secure?

Can someone post a sample or direct me to where I can find more info?

Oh, I’m talking about a form that can send basic information like a name, some check boxes and of course some comments. The form I currently have (the plug-in) can, I think, actually send files, not just text.

Thanks a lot!

I know it’s kinda lame to post a link to the manual but php.net has some very good info.
http://www.php.net/manual/en/function.mail.php

Look at the user contributed notes also to avoid some gotchas. This should get you going with a secure mailer script in just a few lines of code.

Whatever you have going with 3000+ lines of code is absolute overkill.
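The best-known gotcha in the user notes on that mail() page is header injection: if the visitor's e-mail address is concatenated into a `From:` or other header line, a CR/LF in the field lets a spammer append their own `Bcc:` line and turn your form into a relay. The script below is an added example, not from php.net or from any poster in this thread. It shows the vulnerable header builder next to a hardened one and prints what each would hand to the mail transport; nothing is actually sent, and the malicious input is constructed for the demonstration. The sender address and field handling are assumptions.

```php
<?php
// Added example (not from php.net or any poster): mail() header injection,
// the gotcha the user notes on the mail() manual page warn about, shown as a
// vulnerable header builder beside a hardened one. No mail is sent; each
// function returns the header block so you can see what would reach the MTA.

declare(strict_types=1);

/** VULNERABLE: the visitor's e-mail address is pasted straight into a header line. */
function build_headers_unsafe(string $fromInput): string
{
    return "From: $fromInput\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

/**
 * Hardened: refuse any CR/LF/NUL outright, validate the address, and keep a
 * fixed From on your own domain; the visitor's address only ever appears as Reply-To.
 * Returns null when the input is rejected.
 */
function build_headers_safe(string $replyToInput): ?string
{
    // FILTER_VALIDATE_EMAIL already rejects control characters, but refuse explicitly:
    // hostile input should be rejected, not "cleaned" and then trusted.
    if (preg_match('/[\r\n\0]/', $replyToInput)) {
        return null;
    }
    $clean = filter_var($replyToInput, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        return null;
    }
    return "From: contact-form@example.com\r\n"   // assumed: an address you control
         . "Reply-To: $clean\r\n"                 // validated, so it cannot contain a line break
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Constructed malicious input: a plausible address followed by an injected Bcc header.
// A spammer submits this in the "your e-mail" field of the form.
$attack = "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net";

echo "--- unsafe headers handed to the MTA ---\n";
echo build_headers_unsafe($attack);
// The MTA sees a separate "Bcc:" line and delivers your message to the spammer's list.

echo "\n--- safe builder on the same input ---\n";
var_dump(build_headers_safe($attack));        // NULL: rejected

echo "\n--- safe builder on a legitimate address ---\n";
echo build_headers_safe('alice@example.com');
```

The same rule applies to the subject and to any other request value that ends up outside the message body: validate it or strip `\r` and `\n` before it reaches mail(), and hard-code the recipient in the script rather than reading it from a hidden form field, or a spammer simply changes the field to point at their own list.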

Thank you for the link!

I will try to create my own form and will post the code here to get help (if you guys don’t mind). I would like to create my own form; this way, if my site gets hacked again, I will know if any extra code has been added, whereas with this long form I cannot go and check each line to see if it was modified. It will also help me gain some experience.

Thanks a lot!