Hello! I am just wondering how secure is this contactform script I just made? My teacher was nagging at me a long time ago when I made my contactforms.
if($_SERVER['REQUEST_METHOD'] === 'POST'){
$myemail = "email@adress.com";
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$subject = $_POST['subject'];
$comments = $_POST['comments'];
if($name == 0 || !preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email) || !preg_match("/^\d{2}(-\d{3}){2}(\d{2})?$/", $phone) || $subject == 0 || $comments == 0){
$error_message = 'Something was written wrong..';
} else {
$message = "Hello!
Your contact form has been submitted by:
Name: $name
E-mail: $email
Phone: $phone
Comments: $comments
End of message";
mail($myemail, $subject, $message);
$error_message = 'Your message was sent!';
}
}
Any suggestions of how to make it secure?
P.S. Securing a Contact Form and Securing a php contact form are both for WordPress and that's not what I am out for.
You can use a function to validate the entries such as :
function check_input($data)
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
And
$name = check_input($_POST['name']);
$email = check_input($_POST['email']);
$phone = check_input($_POST['phone']);
$subject = check_input($_POST['subject']);
$comments = check_input($_POST['comments']);
And
if ($name && $email && $phone && $subject && $comments) {
Send contact form...
}
and of course you can add captcha to make it more secure.
There is nothing insecure in your code really beside lack of data validation. You just collect form data and send it out. so the only 'insecurity' is that you would be easily spammed through that form unless any sort of captcha is used. I am not sure at the moment, but it may be possible to trick mail() to add more receipients with crafted $subject, so it would be save to ensure it's oneliner and strip any CRLFs
来源:https://stackoverflow.com/questions/12079947/securing-a-contact-form-script