Securing a contact form script

Posted 2019-03-03 22:48

Hello! I am just wondering how secure this contact form script I just made is. My teacher was nagging at me a long time ago when I made my contact forms.

<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    $myemail  = "email@adress.com";       // recipient of the form
    $name     = $_POST['name'] ?? '';     // '' when the field is missing
    $email    = $_POST['email'] ?? '';
    $phone    = $_POST['phone'] ?? '';
    $subject  = $_POST['subject'] ?? '';
    $comments = $_POST['comments'] ?? '';

    // Reject empty fields, an e-mail that contains no user@host.tld part,
    // or a phone that is not NN-NNN-NNN (optionally followed by two digits).
    // === '' avoids the loose "== 0" comparison, whose result for a
    // non-numeric string differs between PHP 7 and PHP 8.
    if ($name === ''
        || !preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)
        || !preg_match("/^\d{2}(-\d{3}){2}(\d{2})?$/", $phone)
        || $subject === ''
        || $comments === '') {

        $error_message = 'Something was written wrong..';

    } else {

        $message = "Hello!
        Your contact form has been submitted by:
        Name: $name
        E-mail: $email
        Phone: $phone
        Comments: $comments
        End of message";
        mail($myemail, $subject, $message);   // $subject goes straight into a mail header
        $error_message = 'Your message was sent!';

    }
}

Any suggestions of how to make it secure?

P.S. Securing a Contact Form and Securing a php contact form are both for WordPress and that's not what I am out for.

2 answers
冷血范
#2 · 2019-03-03 23:22

There is nothing insecure in your code really besides the lack of data validation. You just collect form data and send it out. So the only 'insecurity' is that you would be easily spammed through that form unless any sort of captcha is used. I am not sure at the moment, but it may be possible to trick mail() into adding more recipients with a crafted $subject, so it would be safe to ensure it's a one-liner and strip any CRLFs.

Luminary・发光体
#3 · 2019-03-03 23:36

You can use a function to validate the entries, such as:

function check_input($data)
{
    $data = trim($data);             // drop surrounding whitespace
    $data = stripslashes($data);     // undo magic_quotes-style backslash escaping
    $data = htmlspecialchars($data); // encode <, >, &, " so the value is safe in HTML output
    return $data;
}

And

$name     = check_input($_POST['name']);
$email    = check_input($_POST['email']);
$phone    = check_input($_POST['phone']);
$subject  = check_input($_POST['subject']);
$comments = check_input($_POST['comments']);

And

if ($name && $email && $phone && $subject && $comments) {
    // Send contact form...
}

And of course you can add a captcha to make it more secure.
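Putting both answers together (reject CR/LF in any field that ends up in a mail header, validate every entry, keep the From: address fixed), as an added example that is not code from the question or either answer; `$site_from`, the 5000-byte comment cap and the `validate_contact`/`send_contact` names are assumptions, the phone pattern is the question's own:

```php
<?php
// Added example, not from the question or answers; $site_from and the 5000-byte cap are assumed.
function validate_contact(array $post): array
{
    $errors = $fields = [];
    foreach (['name', 'email', 'phone', 'subject', 'comments'] as $key) {
        $fields[$key] = trim((string) ($post[$key] ?? ''));
        if ($fields[$key] === '') {
            $errors[] = "$key is required";
        }
    }
    // A CR or LF in a header-bound field is how extra To:/Bcc: lines get
    // smuggled into mail(), so reject the submission rather than strip.
    foreach (['name', 'email', 'subject'] as $key) {
        if (preg_match('/[\r\n]/', $fields[$key])) {
            $errors[] = "$key must not contain line breaks";
        }
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (!preg_match('/^\d{2}(-\d{3}){2}(\d{2})?$/', $fields['phone'])) {  // question's pattern
        $errors[] = 'phone has the wrong format';
    }
    if (strlen($fields['comments']) > 5000) {
        $errors[] = 'comments is too long';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'fields' => $fields];
}

// From: is a fixed site address; the visitor's validated, single-line
// address only goes into Reply-To, so it can never introduce a header.
function send_contact(array $fields, string $myemail, string $site_from): bool
{
    $headers = "From: $site_from\r\nReply-To: {$fields['email']}\r\n";
    $message = "Name: {$fields['name']}\nE-mail: {$fields['email']}\n"
             . "Phone: {$fields['phone']}\nComments: {$fields['comments']}\n";
    return mail($myemail, $fields['subject'], $message, $headers);
}

// Constructed sample whose subject tries to inject a Bcc: header.
$result = validate_contact(['name' => 'Alice', 'email' => 'alice@example.com',
    'phone' => '12-345-678', 'subject' => "Hello\r\nBcc: x@example.com",
    'comments' => 'Hi there']);
if ($result['ok']) {
    send_contact($result['fields'], 'email@adress.com', 'noreply@example.com');
} else {
    echo implode("\n", $result['errors']), "\n";   // refused, nothing is sent
}
```

The sample submission is refused on the subject line check, so `mail()` is never reached; a clean submission passes and is sent with the site's own From: address.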
