I have a contact mail form on my website and I want to make this form secure enough. What is the best way to do this? Is there any way to hide the PHP variables that I send with POST to another page?

Any sample, link or idea?

By secure, I mean I want my data to be safe, since users will be entering their personal data, like passport number, SSN, etc., and I want that data to be safe in some way. I have read somewhere that with some injections there are people who can take the data sent by a form. I think I am clear now?

+2  A: 

Use HTML Purifier or OWASP.

HTML Purifier

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist

OWASP

The Open Web Application Security Project (OWASP) is the name for all the activities of the OWASP Foundation.

Sarfraz
You should elaborate on that.
Gumbo
@Gumbo: I thought links were sufficient. Added anyways :)
Sarfraz
@Gumbo The problem is the question is vague. HTML Purifier may not be appropriate, OWASP's recommendations may also have nothing to do with the question. And yet may. This answer is of course a shot in the dark.
Artefacto
@Artefacto: Agreed, the question isn't that clear, but it speaks about **security**, so I posted some possible solutions about **security**. I would have been more specific if the question was a bit clearer.
Sarfraz
@sAc: No, just posting links is absolutely not sufficient. You should add some information on what can be found when following these links. Something like: “If you want to allow (some) HTML, use HTML Purifier. And for general recommendations on security in web applications, see OWASP.”
Gumbo
@Gumbo: Hmm that's better I think, thanks for your suggestion, I was a bit too lazy now actually:(
Sarfraz
A: 

If by secure, you mean relatively protected from spammers, one good thing to do among many others is to have an email input field for the end user to put their reply-to that actually enforces valid MX entries.

    function isValidEmail($email) {
        // Basic syntax check; the pattern has to stay on a single line
        $pattern = '/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])*(\.([a-z0-9])([-a-z0-9_-])([a-z0-9])+)*$/i';

        if (!preg_match($pattern, $email)) {
            return false;
        }

        // Split email address into username and domain name
        list($user_name, $mail_domain) = explode("@", $email);

        // Accept only domains that publish an MX record
        if (checkdnsrr($mail_domain, "MX")) {
            return true;
        }

        return false; // Invalid email address
    }

Certainly not a comprehensive solution, but it does help a great deal to cut out automated submissions.

DeaconDesperado
no comment with downvote makes me sad :(
danp
I too am curious lol...
DeaconDesperado
Because that's not a very good way of checking for valid email addresses. A regex would be a better solution. PS: I am not the one who downvoted it, but I believe that would be the reason why they did it.
quantumSoup
I could agree there - didn't actually catch that when I copied my older file - the one I use now has filter_var($email, FILTER_VALIDATE_EMAIL) followed by the domain check. The MX part was what I was trying to emphasize and I forgot to even check the first half in the older code.
DeaconDesperado
Added regex on edit.
DeaconDesperado
A: 

You should:

  • Require your users to apply a captcha (or sign in), to make it harder for bots to use your mail form.
  • Send mail to predefined addresses only (if possible).
  • Accept POST only (no GET), to prevent CSRF.
  • Disallow HTML in your mails.
JochenJung
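
The checklist above as a PHP request handler, added here as an example and not code from the answer. `CONTACT_RECIPIENT`, `build_contact_mail()` and the `$captchaOk` flag are assumptions; the captcha or login check itself is left to the site.

```php
<?php
declare(strict_types=1);

// Assumption: fixed recipient, never taken from the request (placeholder address).
const CONTACT_RECIPIENT = 'contact@example.com';

// Returns [to, subject, body, headers] for mail(), or null to reject the request.
// $captchaOk: result of the site's own captcha or login check (hypothetical flag).
function build_contact_mail(string $method, array $post, bool $captchaOk): ?array
{
    // Accept POST only, and only after the captcha/sign-in check passed.
    if ($method !== 'POST' || !$captchaOk) {
        return null;
    }

    $email   = $post['email']   ?? '';
    $message = $post['message'] ?? '';
    if (!is_string($email) || !is_string($message)) {
        return null; // arrays such as email[]=x are not valid fields
    }

    // The reply address is the only user value placed in a header, so it must
    // be one syntactically valid address; anything with CR/LF fails this check.
    $replyTo = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($replyTo === false || trim($message) === '') {
        return null;
    }

    // Disallow HTML: strip tags and declare the body as plain text.
    $headers = [
        'Reply-To'     => $replyTo,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [CONTACT_RECIPIENT, 'Contact form message', strip_tags($message), $headers];
}

// Constructed sample requests (not real traffic): accepted, wrong method, extra header line.
$ok  = build_contact_mail('POST', ['email' => 'alice@example.org', 'message' => 'Hi <b>there</b>'], true);
$get = build_contact_mail('GET', ['email' => 'alice@example.org', 'message' => 'Hi'], true);
$inj = build_contact_mail('POST', ['email' => "a@example.org\r\nBcc: x@example.net", 'message' => 'Hi'], true);
var_dump($ok, $get, $inj);
// In the real handler: if ($ok !== null) { mail(...$ok); }
```

Because the recipient and subject are constants and the only user-supplied header value is a validated address, a submission cannot add recipients of its own.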
+6  A: 

Why hasn't anyone mentioned HTTPS?

Just make your form get submitted using the HTTPS protocol, and all of the data is transparently encrypted (this means you don't need to do anything to decrypt it in PHP, it just works).

Jani Hartikainen
How do I make my form get submitted using the HTTPS protocol? And how will that data be decrypted for the email you want to send it to?
AXheladini
You need to have an SSL certificate installed on your server and activated with your registrar. You can then make all elements within the form page (including the form's own action attribute) use https:// to open an HTTPS connection. This will encrypt the communication between the client and the server. Emailing SSN numbers or very sensitive personal information from PHP is still a bad idea, however.
DeaconDesperado
It's not possible to send encrypted emails without requiring the recipient to decrypt them (by themselves or using a special client). Actually here's a related question: http://stackoverflow.com/questions/3146847/design-problem-secure-self-destructing-email . Regardless, you definitely **should not** email SSN or other sensitive information in plaintext.
quantumSoup
A: 

The HTTPS protocol is the best solution. For spammer protection you can use a captcha. If you are passing variables from one server to another, you can make them more protected using encryption.

Ghost