How to secure this form?

daddymac

Hello everyone. I am far from a PRO with PHP(Still learning) and was wondering if anyone could tell me how to secure this form. I want it secure so spammers do not abuse it.

Below is what I have done up so far:

<?php

if (isset($_POST['submit'])){

$to="".$_POST['friendemail']."";

$subject="".$_POST['yourname']." thought you might like this forum!";

$mail_from="from: ".$_POST['youremail']." \n";

$mail_from .="Content-Type: text/html; charset=utf-8 \n";

$message="<font size=\"2\" face=\"Verdana\"> <b>".$_POST['friendemail']."</b>,<br />
".$_POST['yourname']." wants you to check out this forum!!:<br />

<a href=\"http://www.yoursite.com\">Site Title</a> </font>";

$sentmail = mail($to,$subject,$message,$mail_from);

echo "Your email has been sent!";


}else{

?>

<form action="" method="post">
Your Name:<br />
<input type="input" name="yourname" /><br />
Your Email:<br />
<input type="input" name="youremail" /><br />
Friend name:<br />
<input type="input" name="friendname" /><br />
Friend email:<br />
<input type="input" name="friendemail" /><br /><br />

<input type="submit" name="submit" value="Tell A Friend" />
</form>

<?php } ?>

Any ideas or feedback would be appreciated.

Thanks

Horizon88

I'd recommend checking on something other than the submit value, as that means they could submit an empty form and break your form processor. You may also want to look into session tokens and such, but that may be a bit more than what you need. Never hurts to look into it, though. There's a decent tutorial on some PHP security stuff at http://php.robm.me.uk/

zzlong

CAPTCHA is the standard way to stop spammers. If you are using a CMS all you need to do is probably just to install / enable the CAPTCHA module.

If you code it all by yourself you may try reCAPTCHA. It is a free online CAPTCHA service. All you need to do is to include a php script and add a few line of codes.

I also suggest you validate and escape user submitted data before passing them to mail(). There are a lot of ways: client-side validation, server-side validation, referer checking, etc.

schwim

There's been a lot of discussion on this topic(Example). I'm working on using hidden values and timed submissions, which is working well. Although it is sometimes necessary, I view CAPTCHA as a last resort.

thanks,
json

zzlong

I am not sure whether I missed anything, but how hidden values and timed submission distinguish human from robot as captcha does? 😕

schwim

Actually you missed quite a bit, which was in the thread I posted, IIRC.

Those two would block the bots that posted straight to your processor without ever visiting the form page.

I'm currently working on a css based hidden form element which will help weed out the bots that do visit the form page, but can not determine that the bogus field is supposed to stay empty.

There's been quite a bit of pretty cool discussion on the topic here in the last month or so, in regards to alternatives to the CAPTCHA.

thanks,
json

zzlong

Robots are far more smart than you expect today. I have a forum that requires email confirmation (in addition to several pages to input personal data, some of the pages have random cookie variables) for user registration and still gets hundreds of new users each day. Only after I added captcha the problem was resolved.

schwim

Hi there zzlong,

They are not smarter than I expect. Spamming is big business, and people go to great lengths to make your penis larger....

However, I also know that they are not going to custom tailor their script for my piddly site, so if I have a safeguard that most don't, then I am more likely to be spared the mail.

My spam problem was completely resolved without the CAPTCHA. I'm not saying this would be the case on a large scale site. I get far less hits and their rewards are smaller on my site. But that was my point all along, if you had read the thread I linked to.

I also have a community site that was getting hit. A captcha solved the problem for me, but it wasn't a standard captcha. Just a simple graphic with a scrambled name and the resolutlon explained to the visitor. The spam bots are set up to deal with other systems. I have not had a single attack since I implemented it.

My point was simply that there are other methods that can be tried that can piss people off less than some of the completely ridiculous lengths that people are going to with captcha. I visited two sites today in which I couldn't read the captcha myself. I had to do one twice, and the other I completely gave up on.

I agree that it's currently the only resolution for some sites. But not all and definitely not small traffic sites.

thanks,
json

daddymac

Thanks for the info everyone. It gives me some food for thought. I will play around some more and see what I come up with.

Thanks again for your time.