Secure Contact Script Questions

Guest
We've had a lot of issues with people hijacking our contact scripts over the last month or so at various sites. It's not clear to me that captchas are sufficient to keep the slime from doing what they do.

On that note, I have 2 questions:

1) Can you guys recommend a contact script that in your experience is free of these problems, at least so far?

2) If I took these feedback/contact forms (which currently use php mail) and rather than making them email my clients the info the customer entered, instead had the script store the data on a mysql database and then gave my customers an app to retrieve them, would that avoid this problem, or is ANY php script with a text field subject to these issues? I'm to the point where I'm leery of the customer even getting any of the stored data sent to them via email because of what might be injected into the data via the form.

Mark
You'll find an example of how to secure your contact scripts at the bottom of this page about email injection: http://securephp.damonkohler.com/index.php/Email_Injection . I do a string length check and "@" check for the contact form fields in my script.
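The length and "@" checks mentioned in the reply above, worked out as an added example (my code, not the poster's script or the linked page's): the fields that end up in mail headers are rejected if they are too long or contain anything that could start a new header line, and the recipient and subject are fixed so the form cannot be turned into a relay. The field names `name`, `email`, `message` and the `noreply@example.com` / `owner@example.com` addresses are assumptions for illustration.

```php
<?php
// Added example (not the forum poster's script): hardening a PHP contact form
// against e-mail header injection. Assumed field names: name, email, message.

// Reject any value that could start a new mail header: a bare CR or LF, or a
// %0A / %0D sequence that a careless decoder later in the chain might turn
// into a line break. Also enforce a sane maximum length.
function isHeaderSafe(string $value, int $maxLen): bool
{
    if (strlen($value) > $maxLen) {
        return false;
    }
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    if (preg_match('/%0[ad]/i', $value)) {
        return false;
    }
    return true;
}

// The reply-to address must be exactly one address: one "@", RFC-shaped,
// and free of header characters.
function isValidSenderAddress(string $email): bool
{
    return isHeaderSafe($email, 254)
        && substr_count($email, '@') === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns true when the message was handed to mail(), false when the
// submission was rejected. $recipient is the site owner's fixed address.
function sendContactMail(array $post, string $recipient): bool
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');

    // Header-bound fields may not contain line breaks; only the body may.
    if (!isHeaderSafe($name, 100) || !isValidSenderAddress($email)) {
        return false;
    }
    if ($message === '' || strlen($message) > 5000) {
        return false;
    }

    // Recipient and subject are never taken from user input, so the form
    // cannot be repurposed to send mail to arbitrary addresses.
    $subject = 'Website contact form';
    $headers = "From: noreply@example.com\r\n"   // assumption: the site's own address
             . "Reply-To: {$email}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";

    // The visitor's name goes in the body, not in a header, so it needs no
    // header-quoting rules beyond the CR/LF check above.
    $body = "Name: {$name}\nE-mail: {$email}\n\n" . $message;

    return mail($recipient, $subject, $body, $headers);
}

// Usage (placeholder recipient):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!sendContactMail($_POST, 'owner@example.com')) {
        http_response_code(400);
        echo 'Submission rejected.';
    }
}
```

The "@" check alone is not enough on its own: an attacker's payload can contain a perfectly valid address followed by a newline and extra headers, which is why the CR/LF test on every header-bound field is the part that actually closes the hole.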
QUOTE(mriffey @ Nov 19 2005, 06:41 PM) http://www.totalchoicehosting.com/forums/index.php?act=findpost&pid=156121

> 2) If I took these feedback/contact forms (which currently use php mail) and rather than making them email my clients the info the customer entered, instead had the script store the data on a mysql database and then gave my customers an app to retrieve them, would that avoid this problem, or is ANY php script with a text field subject to these issues? I'm to the point where I'm leery of the customer even getting any of the stored data sent to them via email because of what might be injected into the data via the form.

The rule you need to remember is that you should never automatically trust data submitted by a user.

If you changed your script to store the submitted info in a database instead of e-mailing it back to the user, what you'd be doing is trading one risk for another. Instead of your script needing protection from e-mail header injection, the script would need protection from SQL query injection.
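To make the "trading one risk for another" point concrete, here is an added example (mine, not from anyone in the thread) of the database route done with PDO prepared statements, with the concatenated-query pattern the reply warns about shown beside it. The `contact_messages` table, the connection credentials and the field names are constructed for this example; the escaping on output is there because, as the reply says, the data is still untrusted even once it sits in your own database.

```php
<?php
// Added example (not from the thread): storing contact-form submissions in MySQL
// so that user input is never spliced into SQL text.
// Assumed table (constructed for this example):
//   CREATE TABLE contact_messages (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     name VARCHAR(100) NOT NULL,
//     email VARCHAR(254) NOT NULL,
//     message TEXT NOT NULL,
//     submitted_at DATETIME NOT NULL
//   );

function connectDb(): PDO
{
    // Placeholder credentials; replace with the site's own.
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'site_user', 'secret');
    // Use server-side prepared statements (not client-side emulation) and
    // raise exceptions on failure instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// VULNERABLE pattern the reply warns about: input concatenated into the query.
// A message containing a single quote breaks the statement, and a crafted one
// changes what the statement does. Shown only for contrast; do not use.
function storeMessageUnsafe(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO contact_messages (name, email, message, submitted_at)
            VALUES ('{$post['name']}', '{$post['email']}', '{$post['message']}', NOW())";
    $pdo->exec($sql);
}

// Hardened version: named placeholders carry the values separately from the
// SQL text, so no content of the fields can alter the query. Returns the new row id.
function storeMessage(PDO $pdo, array $post): int
{
    $name    = mb_substr(trim($post['name'] ?? ''), 0, 100);
    $email   = trim($post['email'] ?? '');
    $message = mb_substr(trim($post['message'] ?? ''), 0, 5000);

    if ($name === '' || $message === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid submission');
    }

    $stmt = $pdo->prepare(
        'INSERT INTO contact_messages (name, email, message, submitted_at)
         VALUES (:name, :email, :message, NOW())'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':message' => $message]);
    return (int) $pdo->lastInsertId();
}

// Retrieval for the customer's app. The stored text is still untrusted input,
// so it is escaped for the context it is shown in (HTML here) rather than
// trusted because it came from your own database.
function renderMessages(PDO $pdo): string
{
    $rows = $pdo->query('SELECT name, email, message, submitted_at FROM contact_messages ORDER BY id DESC')
                ->fetchAll(PDO::FETCH_ASSOC);
    $html = '';
    foreach ($rows as $r) {
        $html .= '<li>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8')
               . ' &lt;' . htmlspecialchars($r['email'], ENT_QUOTES, 'UTF-8') . '&gt; ('
               . htmlspecialchars($r['submitted_at'], ENT_QUOTES, 'UTF-8') . '): '
               . nl2br(htmlspecialchars($r['message'], ENT_QUOTES, 'UTF-8')) . '</li>';
    }
    return "<ul>{$html}</ul>";
}

// Usage:
// $pdo = connectDb();
// $id  = storeMessage($pdo, $_POST);
// echo renderMessages($pdo);
```

The same principle carries over to the e-mail route the original poster was worried about: if the customer later has the stored messages mailed to them, the fields still need the header checks from the earlier reply, because moving the data through a database does not make it any more trustworthy.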