Posted

We've had a lot of issues with people hijacking our contact scripts over the last month or so at various sites. It's not clear to me that captchas are sufficient to keep the slime from doing what they do.

On that note, I have 2 questions:

1) Can you guys recommend a contact script that in your experience is free of these problems, at least so far?

2) If I took these feedback/contact forms (which currently use php mail) and rather than making them email my clients the info the customer entered, instead had the script store the data on a mysql database and then gave my customers an app to retrieve them, would that avoid this problem, or is ANY php script with a text field subject to these issues? I'm to the point where I'm leery of the customer even getting any of the stored data sent to them via email because of what might be injected into the data via the form.

Mark

Posted (edited)

You'll find an example of how to secure your contact scripts at the bottom of this page about email injection. I do a string length check and "@" check for the contact form fields in my script.

Edited by charle97
Posted
2) If I took these feedback/contact forms (which currently use php mail) and rather than making them email my clients the info the customer entered, instead had the script store the data on a mysql database and then gave my customers an app to retrieve them, would that avoid this problem, or is ANY php script with a text field subject to these issues? I'm to the point where I'm leery of the customer even getting any of the stored data sent to them via email because of what might be injected into the data via the form.

The rule you need to remember is that you should never automatically trust data submitted by a user.


If you changed your script to store the submitted info in a database instead of e-mailing it back to the user, what you'd be doing is trading one risk for another. Instead of your script needing protection from e-mail header injection, the script would need protection from SQL query injection.
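As an added example (not code from either poster), here is how the two checks charle97 describes and the "never trust submitted data" rule from the reply above fit together in PHP: header fields are rejected if they contain a line break, and the database variant uses a prepared statement so the same input cannot rewrite the SQL query. The field names, length limits and table name are assumed placeholders.

```php
<?php
// Added example: validate contact-form input before it reaches mail() or MySQL.

function has_header_injection(string $value): bool
{
    // A CR or LF inside a header value lets extra headers (e.g. Bcc:) be appended.
    return (bool) preg_match('/[\r\n]/', $value);
}

function validate_contact(array $post): array
{
    $errors  = [];
    $name    = trim($post['name']    ?? '');
    $email   = trim($post['email']   ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = trim($post['message'] ?? '');

    // String length checks (limits are assumed values, adjust to taste).
    if ($name === '' || strlen($name) > 100)       $errors[] = 'name';
    if (strlen($subject) > 200)                    $errors[] = 'subject';
    if ($message === '' || strlen($message) > 5000) $errors[] = 'message';

    // The "@" check, done with PHP's built-in address validator.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) $errors[] = 'email';

    // Anything that ends up in a mail header must contain no line breaks.
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if (has_header_injection($value)) $errors[] = $field . ' (line break)';
    }
    return $errors; // empty array means the submission passed
}

// Database variant: a prepared statement keeps user text out of the SQL itself.
// Table and column names are assumed placeholders.
function store_contact(PDO $db, string $name, string $email, string $subject, string $message): void
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, subject, message) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$name, $email, $subject, $message]);
}

// Constructed sample input: the email field carries an injected Bcc: header.
$sample = ['name' => 'Mark', 'email' => "mark@example.com\r\nBcc: victim@example.net",
           'subject' => 'Hello', 'message' => 'Test message'];
print_r(validate_contact($sample)); // reports 'email' and 'email (line break)'
```

When the stored messages are later mailed to the client, keep the submitted address in Reply-To and set From to a fixed site address, so no user-controlled value becomes a header on its own.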
