Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Making Email Contact Form Secure

  1. #1
    Join Date
    Feb 2010
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Default Making Email Contact Form Secure

    Hey Guys, How would you make this email contact form secure?

    PHP Code:
    <?php
    $ip 
    getenv("REMOTE_ADDR");
    $subject "$subject";
    $message "$message";

    $mail_from "$email";

    $header "from: $name <$mail_from>";

    $to 'contact@domain.com';

    $send_contact mail($to,$subject,$message,$ip,$header);

    if(
    $send_contact){
    echo 
    "We have received your contact information";
    }
    else {
    echo 
    "Error, Message Wasn't Sent!";
    }
    ?>

    <form name="contact_us" id="contact_us" method="post" action="contact.php">
        <strong>

        <img src="" align="right" border="0">Name</strong> <br>
        <input name="name" id="name" value="" type="text"> <br>
        <br>
        <strong>Email Address</strong> <br>
        <input name="email" id="email" value="" type="text"> <br>
        <br>

        <strong>Subject</strong> <br>
        <select name="subject" id="subject">
            <option>Select One...</option>
            <option>Option 1</option>
            <option>Option 1</option>
            <option>Option 3</option>
        </select> <br>
        <br>

        <strong>Message</strong> <br>
        <textarea name="message" id="message"></textarea>
        <br> <br>
        <input type="submit" value="Send!" name="submit" />
        </form>
    Thanks if anyone can help!!
    Last edited by Lemon; 03-13-2010 at 01:04 AM.

  2. #2
    Join Date
    Feb 2010
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Default

    anyone?

    urgently need

  3. #3
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Your question is not specific enough.

    What do you mean by secure?

    There are several things you can do, but which do you want:

    1. Use https instead of http so that data sent through the form is sent "securely". That's the traditional meaning of "secure", but I'm not sure if that's what you mean. That's beyond PHP and simply means making your users go to the https URL rather than http (you can use a redirect for this), and of course making sure that your server is setup for it.

    2. Limit what sort of data can be sent through the form, such as verifying that the email address is valid and thus "secure".

    3. Using some sort of verification that the submission is "real", so verifying using user accounts, IP address, or, most likely, a CAPTCHA-- one of those "type the following letters" images so that automated submissions are not possible.
    Daniel - Freelance Web Design | <?php?> | <html>| espa˝ol | Deutsch | italiano | portuguŕs | catalÓ | un peu de franšais | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  4. #4
    Join Date
    Feb 2010
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Default

    Like would you be able to make it so:

    - All the fields have to be filled in
    - So people cant inject it
    - So it sends ip addresses with the email

    and yeh verifying the email.

    Thanks heaps if you can help!

  5. #5
    Join Date
    Feb 2010
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Default

    Anyone?

  6. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    What you have above is basically the skeleton of an email form-- everything you need is there, but only at a very basic level. Adding all of what you want is possible, but it might be faster to find one that already exists, though it's possible to add it above-- it will just actually be more code than what you already have to add all of that.

    1. Verifying that all fields must be filled in is very complex (in amount, not difficulty, really).
    Here are the steps:
    1) Upon submission, check against your "verify" function and if it passes, send it. If not, display errors above the data and output the input back into the fields:
    if (verifyform()) { //it's ok }
    else { //display form
    //display various errors -- best if you stored them to a variable in the verifyform() function
    <input type="text" name="X" value="<?php echo $_POST['X']; ?>">
    (That's a rough outline of the method, though it will be more complex often.)
    2) Make a function "verifyform()" that checks the input data. Just go through each field in a set of checks to be sure it's all valid, in whatever way you want.
    I suggest that for each if there is an error you add an "error" to the array $errors.
    if (strlen($_POST['X'])>1000) { $errors[] = 'X is too long.'; }
    Do a list of checks like that for every input field (at least all of the fields you require).
    At the end of this function, if $errors has any errors in it, return false and that will then tell your script to NOT send the email and instead print the errors (see (1) above).
    Of course if it is correct then you can continue as before.


    2. What do you mean inject? Using the method described above you can verify that all of the data is correct-- not too long, not too short, doesn't have odd characters, is set, isn't set, is a specific value (like a CAPTCHA), or anything you'd like.
    If you mean "inject" as in force it to send to a specific email that you don't want, then simply don't allow the user to submit an email-- store that IN the PHP, not as part of the form, and it will be secure.
    "Injection" is usually used to refer to forcing dangerous code into a database such as adding "DELETE DATABASE;" to the end of a query-- this isn't a concern unless you're using a database, etc.
    The way around that type of injection is to escape the characters (convert any dangerous characters into a nondangerous form), such as with default functions like mysql_real_escape_string($string).


    3. That's easy-- $ip = $_SERVER['REMOTE_ADDR'];
    Then just submit $ip as part of the message body. In theory (though I don't recommend it) you could even just add this to the post array:
    $_POST['ip'] = $_SERVER['REMOTE_ADDR'];
    Then it would be as if the user had submitted it, and they couldn't fake the IP because it would be saved to $_POST after the submission was received.


    4. Verifying the email: verify what about it? Search google for "php valid email regex" and you'll see some examples of that, or you can compare it to a list of "OK" emails, etc. Use the same method as in (1) above.
    Daniel - Freelance Web Design | <?php?> | <html>| espa˝ol | Deutsch | italiano | portuguŕs | catalÓ | un peu de franšais | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  7. #7
    Join Date
    Apr 2009
    Location
    Mac OSX
    Posts
    14
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Default

    example if the user is in a proxy.. how will php expose the real IP of the user??

  8. #8
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Why are you asking a new question in this thread?
    But I'll answer your question simply: You cannot. This is not a question for PHP at least. A proxy forwards requests through the proxy server. Therefore the user is NOT requesting pages from your server-- the user is requesting that the PROXY SERVER REQUEST pages from your server. The "real IP" of the request IS the proxy server.

    The only way to get around this would be to run something directly to the user, such as using a flash object to stream music directly to their computer, but that could/would get very complex and unreliable. On a very good proxy, it might be able to forward even that.

    Regardless, this has nothing to do with PHP.

    The only method you would be able to attempt (though it would not accomplish much) is that you could monitor incoming IP requests and see if any are known proxies, but that would only reveal that the user is going through a proxy, not their actual IP.
    Daniel - Freelance Web Design | <?php?> | <html>| espa˝ol | Deutsch | italiano | portuguŕs | catalÓ | un peu de franšais | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  9. #9
    Join Date
    Feb 2010
    Posts
    15
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Default

    Thanks Djr!
    But um how would you ajax page that and make that into one doc? like..
    (Made the part bold)

    contact.php
    Code:
    <form name="contact_us" id="contact_us" method="post" action="javascript:ajaxPage('contact.php', 'content');">
        <strong>
    
        <img src="" align="right" border="0">Name</strong> <br>
        <input name="name" id="name" value="" type="text"> <br>
        <br>
        <strong>Email Address</strong> <br>
        <input name="visitormail" id="visitormail" value="" type="text"> <br>
        <br>
    
        <strong>Subject</strong> <br>
        <select name="subject" id="subject">
            <option>Select One...</option>
            <option>Option 1</option>
            <option>Option 1</option>
            <option>Option 3</option>
        </select> <br>
        <br>
    
        <strong>Message</strong> <br>
        <textarea name="message" id="message"></textarea>
        <br> <br>
        <input type="submit" value="Send!" name="submit" />
        </form>

    Put this code into the contact.php document instead of having contact.php and sendemail.php, so there is just contact.php
    sendemail.php
    Code:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Sendemail Script</title>
    </head>
    <body>
    
    <?php
    
    $ip = $_SERVER['REMOTE_ADDR'];
    $httprefi = getenv ("HTTP_REFERER");
    $httpagenti = getenv ("HTTP_USER_AGENT");
    $name = $_POST['name'];
    $visitormail = $_POST['visitormail'];
    $message = $_POST['message'];
    $subject = $_POST['subject'];
    
    
    if (eregi('http:', $message)) {
    die ("Do NOT try that! ! ");
    }
    if(!$visitormail == "" && (!strstr($visitormail,"@") || !strstr($visitormail,".")))
    {
    echo "<h2>Use Back - Enter valid e-mail</h2>\n";
    $badinput = "<h2>Feedback was NOT submitted</h2>\n";
    echo $badinput;
    die ("Go back! ! ");
    }
    
    if(empty($name) || empty($visitormail) || empty($message )) {
    echo "<h2>Use Back - fill in all fields</h2>\n";
    die ("Use back! ! ");
    }
    
    $todayis = date("l, F j, Y, g:i a") ;
    
    $subject = $subject ;
    $subject = $subject;
    
    $message = stripcslashes($message);
    
    $message = "
    From: $name ($visitormail)\n
    Message: $message \n
    IP : $ip \n
    ";
    
    $from = "From: $visitormail\r\n";
    
    
    mail("mail@mail.com", $subject, $message, $from);
    
    ?>
    </body>
    </html>

  10. #10
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    1. Because PHP can use conditional ("if") statements, you can include as many "pages" as you want in a single page. For example:
    page.php?var=a and page.php?var=b
    <?php if ($_GET['var']=='a') { echo 'hello'; } else { echo 'bye'; } ?>

    So you can decide what to do from a variety of methods of input, though most common is from get variables like you see in that example.

    If you want two pages in one, you can always just enclose the entire "page" in an if statement and an else statement for the other "page".

    In this case you can base that on whether or not something was submitted (if isset($_POST['myfield']) , for example).


    2. Using Ajax is another level on top of all of this. I suppose it's possible, but I'd recommend against it for a few reasons. The main one is that not everyone uses Ajax so you'd have to have a backup anyway (to make it secure, if not just for accessibility).
    In theory you could use all of the same methods, but just use Ajax to access them. That's quite advanced, though, so I'd suggest making everything else complete and then maybe thinking about Ajax, or probably not even using it at all.
    Daniel - Freelance Web Design | <?php?> | <html>| espa˝ol | Deutsch | italiano | portuguŕs | catalÓ | un peu de franšais | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •