Has anyone come across a bulletproof function/class (homemade or native) for securing contact forms?

+1  A: 

See:

Secure Your Forms With Form Keys

Even better, employ:

HTML Purifier

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

Sarfraz
+1  A: 

I recommend using the OWASP Enterprise Security API; it is a collection of accessors that filter user input based on the type of data it should be. Another complementary security layer is a Web Application Firewall (WAF) such as PHP-IDS or mod_security. A WAF will prevent many different types of attacks from reaching your application. This is probably what you are looking for, because it is a "drop in" solution requiring no modification to your application.

An input validation library will help, but you should keep in mind there is no silver bullet: you can't call one routine or install some software and expect all vulnerabilities to disappear. Input validation vulnerabilities are highly dependent on how the data is used. For instance LFI, XSS, CRLF and SQL Injection all have different control characters and thus have their own requirements for Filtering/Escaping/Encoding. If you want to build a truly solid PHP application then you have to read the PHPSec Library.

The best way to prevent SQL injection is using parameterized queries with a library like PHP's PDO. This way you KNOW that the query is immune to SQL Injection regardless of where the data came from.

Furthermore, there are some vulnerabilities that have nothing to do with input validation. CSRF and crypto violations are both excellent examples. You should also read the OWASP Top 10.

Rook
A: 

I don't think this is a special case, just always use parametrized queries when interacting with a database.

Because setting up parametrized queries with PHP/mysqli can be a verbose pain, I'd highly recommend Rob Poyntz's Codesense_mysqi class. It's a neat little wrapper that hides most of the tedium.

Cruachan
SQL injection isn't the only threat.
Rook
Another threat is spamming to masses of BCCs/CCs from your server.
Haroldo
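A handler that puts together the two points raised in Rook's answer (parameterized PDO queries; each sink has its own control characters, CRLF included) and Haroldo's comment (a contact form whose fields land in mail headers can be turned into a BCC spam relay), as an added example that is not code from any poster here. The field names, the `contact` table and the in-memory SQLite database are assumptions made for the demonstration; the submissions at the bottom are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not code from any answer above): validate a contact-form POST, reject
// CR/LF in header-bound fields, and store the message with a PDO prepared statement.
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        // A CR/LF in a field that is copied into a mail header lets a submitter append
        // extra "Bcc:"/"Cc:" lines and relay spam through your server, so reject it outright.
        if ($field !== 'message' && preg_match('/[\r\n\x00]/', $value)) {
            $errors[] = "$field must not contain line breaks";
        }
        $clean[$field] = $value;
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($clean['message'] === '') {
        $errors[] = 'message is required';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

function store_contact(PDO $pdo, array $data): int
{
    // Parameterized INSERT: the submitted text is bound as data, never spliced into
    // the SQL string, so quotes in $data cannot change the query.
    $stmt = $pdo->prepare('INSERT INTO contact (name, email, subject, message) VALUES (?, ?, ?, ?)');
    $stmt->execute([$data['name'], $data['email'], $data['subject'], $data['message']]);
    return (int)$pdo->lastInsertId();
}

// Demo with an in-memory SQLite database and constructed submissions (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, subject TEXT, message TEXT)');
// Header-injection attempt: rejected before any mail header is built from the data.
$bad = validate_contact(['name' => 'Mallory', 'email' => "m@example.com\r\nBcc: a@example.net", 'subject' => 'Hi', 'message' => 'x']);
echo $bad['ok'] ? "accepted\n" : 'rejected: ' . implode('; ', $bad['errors']) . "\n";
// Quotes in the subject are harmless because the INSERT is parameterized.
$good = validate_contact(['name' => "O'Brien", 'email' => 'ob@example.com', 'subject' => "It's fine'; --", 'message' => 'Hello']);
echo $good['ok'] ? 'stored as row ' . store_contact($pdo, $good['data']) . "\n" : "rejected\n";
```

Only the validated `$good['data']` values should ever be passed to `mail()`; the same CR/LF check is what keeps a user-controlled `From:` or `Subject:` from growing extra header lines.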