AXheladini

Reputation: 1826

PHP secure form

I have a contact mail form on my website and I want to make this form secure enough. Which is the best way to do this job? Is there any way to hide PHP variables that I send with POST to another page?

Any sample, link or idea?

Secure - I mean I want my data to be safe, since users will be inserting their personal data, like passport number, SSN etc., and I want that data to be safe in some way. I have read somewhere that with some injections there are people who can take the data sent by a form. I think I am clear now?

Upvotes: 0

Views: 547

Answers (5)

Mark Grey

Reputation: 10257

If by secure, you mean relatively protected from spammers, one good thing to do among many others is to have an email input field for the end user to put their reply-to that actually enforces valid MX entries.

    function isValidEmail($email){
        // The pattern must stay on one line: a literal line break inside the
        // string would become part of the regex and nothing would ever match
        $pattern = '/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])*(\.([a-z0-9])([-a-z0-9_-])([a-z0-9])+)*$/i';

        if(!preg_match($pattern, $email)){return false;}

        list($user_name, $mail_domain) = explode("@", $email, 2); // Split email address into username and domain name

        if (checkdnsrr($mail_domain, "MX")) return true; // Domain publishes a mail exchanger

        return false; // Invalid email address
    }

Certainly not a comprehensive solution, but it does help a great deal to cut out automated submissions.

Upvotes: 0

Developer

Reputation: 26173

HTTPS protocol is the best solution. For spammer protection you can use a captcha. If you are passing variables from one server to another you can make it more protected using encryption.

Upvotes: 0

Jani Hartikainen

Reputation: 43243

Why hasn't anyone mentioned HTTPS?

Just make sure your form gets submitted using the HTTPS protocol, and all of the data is transparently encrypted (this means you don't need to do anything to decrypt it in PHP, it just works).

Upvotes: 7

JochenJung

Reputation: 7213

You should:

  • Require your users to solve a captcha (or sign in), to make it harder for bots to use your mail form.
  • Send mail to predefined addresses only (if possible).
  • Accept POST only (no GET), to prevent CSRF.
  • Disallow HTML in your mails.

Upvotes: 0
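The advice in the answers above (HTTPS from Developer and Jani Hartikainen, the MX check from Mark Grey, and JochenJung's list) fits into one small form handler. The following is an added example, not code from any of the answers: the recipient list, the session-based token, the `handleContactForm` entry point and the use of PHP's `mail()` transport are all assumptions. It adds a per-session anti-CSRF token alongside the POST-only check, and it strips CR/LF from anything that ends up in a mail header so a submitted value cannot append extra `To:` or `Bcc:` lines.

```php
<?php
// Added example (not from the original answers): a contact-form handler that
// applies the thread's advice. Recipients, session use and mail() are assumptions.
declare(strict_types=1);

// Mail may only go to these predefined addresses, chosen by key, never by user input.
const ALLOWED_RECIPIENTS = [
    'support' => 'support@example.com', // assumed
    'sales'   => 'sales@example.com',   // assumed
];

// 1. Refuse plaintext HTTP: personal data such as passport numbers must only travel over TLS.
function requireHttps(): void
{
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
          || (($_SERVER['SERVER_PORT'] ?? null) == 443);
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000');
}

// 2. Per-session anti-CSRF token. Accepting POST only is not sufficient on its own,
//    because a cross-site page can still POST a form; the token makes the request unforgeable.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfTokenValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted); // constant-time comparison
}

// 3. Reply-to validation: syntax via filter_var, then an MX (or fallback A) record, as Mark Grey suggests.
function validReplyTo(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1) . '.'; // trailing dot: absolute name
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// 4. Anything placed in a mail header must not contain line breaks (header injection).
function headerSafe(string $value): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

function handleContactForm(): void
{
    requireHttps();
    session_start();

    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST only');
    }
    if (!csrfTokenValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }

    $dept = $_POST['dept'] ?? '';
    $to   = is_string($dept) ? (ALLOWED_RECIPIENTS[$dept] ?? null) : null;
    if ($to === null) {
        http_response_code(400);
        exit('Unknown recipient');
    }

    $replyTo = headerSafe((string) ($_POST['email'] ?? ''));
    if (!validReplyTo($replyTo)) {
        http_response_code(400);
        exit('Invalid e-mail address');
    }

    // Plain-text body only: HTML is never interpreted, and tags are stripped.
    $body    = wordwrap(strip_tags((string) ($_POST['message'] ?? '')), 70, "\r\n");
    $subject = headerSafe((string) ($_POST['subject'] ?? 'Contact form'));
    $headers = "Content-Type: text/plain; charset=UTF-8\r\nReply-To: {$replyTo}";

    mail($to, $subject, $body, $headers);
    unset($_SESSION['csrf']); // one token per submission
    echo 'Thank you, your message has been sent.';
}

// The form page (served over HTTPS, after session_start()) embeds the token like this:
//   <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES) ?>">
// and the submission endpoint simply calls handleContactForm();
```

The recipient is selected by a fixed key rather than taken from the request, which is what "predefined addresses only" means in practice; the reply-to address is the only user-supplied value that reaches a header, and it is both stripped of line breaks and validated before use.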

Sarfraz

Reputation: 382626

Use HTML Purifier or OWASP.

HTML Purifier

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist.

OWASP

The Open Web Application Security Project (OWASP) is the name for all the activities of the OWASP Foundation.

Upvotes: 3
