[Resolved] securing a form-to-email script

Billy_T

Hi all

My host recently said that they will delete all form2email scripts they find on their due to them being repeatedly abused by hackers.

I emailed them (because I REALLY need to use my script and not the one they provide) and they said it was my responsibility to keep them secure. One of the things they suggested was

A basic rule of thumb is your script should not accept a posting from outside the form page, and should only be configured to allow recipients that are hard-coded (no recipient variables).

The second will be tricky as I need the recipient to be able to changed. The first one, however, should be pretty straight forward and I'm hoping somebody can save me the grief of searching the web for hours and can tell me how to do this. The form is in a flash site and I want to make sure that the php script only receives variables from that form - nowhere else

Thanks in advance

Phodetheus

PYou can check where the vars have come from by checking $_SERVER['HTTP_REFERER']

Phodetheus

Billy_T

hmm that looks interesting - thanks!

the php manual says

Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted

have you ever had problems with it?

so do think, for example, if I was to say "if the referer contains main.php (where the form exists) then send the email" that would make my script fairly secure?

Thanks

Phodetheus

Reasonably so yes.

Phodetheus

Billy_T

cool

Thanks again

Billy_T

hmm it appears that when a php script is loaded into a flash movie, the HTTP_REFERER var is empty 🙁

if anyone has any ideas please let me know

Thanks