Contact Form PHP - Can I do better?

keithwjones

I am using the below code to send me an email from a contact form. It works exactly as I want it to after Kudose gave me advice to change POST to GET.

My question is can I do better or should I add anything else. Can you point me to a tutorial on the subject?

<?php 

$firstname = $_GET['firstname']; 
$lastname = $_GET['lastname']; 
$email = $_GET['email']; 

$sendTo = "myemail@myemail.co.uk"; 
$subject = "Newsletter"; 

$msg_body = "First Name:  $firstname\n"; 
$msg_body .= "Last Name:  $lastname\n"; 
$msg_body .= "E-Mail:  $email\n"; 

$header_info = "From: ".$firstname." <".$email.">"; 

mail($sendTo, $subject, $msg_body, $header_info); 

echo "Thank you for signing up to our newsletter.\n";
echo "You can now close this window.\n";

?>

Keith

jgetner

well you can do better and i wouldn't suggest using the $_GET method as it sends it to the url.

using a request[] would be a better way to go.

also you trust to much of the user as your form is highly unsecure and would be easy to use against you.

keithwjones

jgetner;10963070 wrote:
also you trust to much of the user as your form is highly unsecure and would be easy to use against you.

Yes this is what I am after - how do I make it secure?

Keith

Krik

For a even a novice hacker POST and GET are equally in secure. The advantage in POST is that the average user doesn't try something dumb. Like bookmarking the page that has the GET values in the URL. Which in your case will cause the email to be sent, again.

So use Post for the form

<form id="yourid" name="yourname" method="post" action="yourpage.php">

Next you have to validate. For a basic site I do this 2 different ways.

First I validate that the script was submitted from a the exact page have it on. A common attack is to submit from the hackers server. For example if you have a form on http://www.mysite.com/form.php and hacker has this form

<form id="yourid" name="yourname" method="post" action="http://www.mysite.com/form.php">

on his http://www.hackingsite.com/malicious_form.php, what is to stop your site form process the form he submits? Nothing! Unless you do a

if($_SERVER['HTTP_REFERER'] != 'http://www.mysite.com/form.php') {
    die;
}
else {
    // do something with form data
}

Second, the user can manually submit code into your form. You can use built in PHP tools to stop them. [man]htmlspecialchars[/man], [man]htmlentities[/man], [man]mysql_real_escape_string[/man], as well as many other methods, will disable the code that any malicious user may try to submit.

Both these methods work real well together to inhibit most malicious users. Do note I said "inhibit" and "most" as there will always be some who are able to find ways around your basic security. But they would need a very big incentive to be willing to try and hack your site or email.

bradgrafelman

Krik;10963091 wrote:
what is to stop your site form process the form he submits? Nothing! Unless you do a
if($_SERVER['HTTP_REFERER'] != 'http://www.mysite.com/form.php') {
    die;
}
else {
    // do something with form data
}

Couple of problems I have with that:

Again, even a "novice hacker" can easily alter the referrer value in the headers.
The 'Referer' header isn't mandatory and can even be stripped by some proxies/gateways, so relying on it on any website is, IMHO, a very poor design.

nevvermind

OP, have a look at this: link.

keithwjones

Thanks for the replies - keep them coming.

I get the message - I've taken it down until I understand it.

Keith

id_ivan

I used to generated unique $_SESSION for each submitted form just in case user mistakenly send it twice or send it from wrong domain.