Support Forums

Full Version: is my html form secure?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
I want to make sure my html form is secure (if it's even possible) to prevent any information from being stolen, so please review my html form code and I'll also post up my form processor.


xhtml:
Code:
<form name="contact" enctype="multipart/form-data" action="contact.php" method="post" onsubmit="return validate_fields(this)">
<ul>
<li>Name:<br />
<input type="text" size="30" name="name" id="name" /></li>
<li><br /></li>
<li>Email:<br />
<input type="text" size="30" name="email" id="email" /></li>
<li><br /></li>
<li>Problem:<br />

<select name="problem">
<option value="website">Website Problem</option>
<option value="forum">Forum Problem</option>
<option value="misc">Miscellaneous</option>
</select></li>
<li><br /></li>
<li>Comments:<br />
<textarea name="comments" id="comments" rows="5" cols="45"></textarea></li>
<li><br /></li>
<li><input type="submit" name="submit" value="Submit" />
&nbsp;
<input type="reset" name="reset" value="Reset" /></li>

</ul>
</form>
[/html]

php:
Code:
<?php

$name = $_POST["name"];
$email = $_POST["email"];
$problem = $_POST["problem"];
$comments = $_POST["comments"];

$address_to = "removed for privacy";
$address_from = "removed for privacy";
$email_subject_line = $name . "'s form";

$email_text = "Name? " . $name .
"\nEmail? " . $email .
"\nProblem? " . $problem .
"\nComments? " . $comments;

mail($address_to, $email_subject_line, $email_text, $address_from);

?>
Not secure at all. Easily used to spam email. You have to cleanse the input.
Yeah, like Omni said, this isn't secure in any way, shape, or form.
At the very least use htmlspecialchars() around the $_POST variables, if this was going to a database you'd be in trouble. Look at the second code block here: http://wwww.w3schools.com/php/php_secure_mail.asp
(03-06-2010, 06:55 AM)MattR Wrote: [ -> ]At the very least use htmlspecialchars() around the $_POST variables, if this was going to a database you'd be in trouble. Look at the second code block here: http://wwww.w3schools.com/php/php_secure_mail.asp

how's this look now?

Code:
<?php
$name = htmlspecialchars($_POST['yourname']);
$email    = htmlspecialchars($_POST['email']);
$problem   = htmlspecialchars($_POST['problem']);
$comments = htmlspecialchars($_POST['comments']);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Contact the PAZRT- Pennsylvania Zombie Response Team</title>
<meta http-equiv="Content-Language" content="en-us" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="author" content="Pennsylvania Zombie Response Team" />
<meta name="copyright" content='All Copyright Pennsylvania Zombie Response Team, all rights reserved' />
<meta name="description" content="PAZRT- Pennsylvania Zombie Response Team is an elite group of people dedicated to the preservation of the human race in the face of a looming zombie outbreak" />
<meta name="keywords" content="pazrt, zrt, pennsylvania zombie response team, pennsylvania zrt, zombies, zombie response team, guns, knives, survival" />
<link href="layout.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="validation.js"></script>
</head>
<body>
<!-- This is the main div -->
<div id="wrapper">
<!-- Start logo coding -->
<div id="logo">
<img src="images/logo.png" alt="main logo" height="168px" style="width: 100%" />
</div>
<!-- Start navigation bar coding -->
<div id="navigation">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="about-pennsylvania-zombie-response-team">About Us</a></li>
<li><a href="http://www.pazrt.com/forum">Forums</a></li>
<li><a href="http://www.pazrt.com/gallery/main.php">Gallery</a></li>
<li><a href="http://wiki.pazrt.com">Wiki</a></li>
<li><a href="http://www.pazrt.com/forum/usermap.php">Member Map</a></li>
<li><a href="#">Social<!--[if gte IE 7]><!--></a><!--<![endif]-->
<!--[if lte IE 6]><table><tr><td><![endif]-->
<ul>
<li><a href="http://www.twitter.com/pazrt">Twitter</a></li>
<li><a href="http://www.facebook.com/pages/Pennsylvania-Zombie-Response-Team/10150095905020602">Facebook</a></li>
<li><a href="http://www.youtube.com/pazrt">Youtube</a></li>
</ul>
<!-- End Links drop-down menu -->
<!--[if lte IE 6]></td></tr></table></a><![endif]-->
</li>
<li class="selected"><a href="contact-pennsylvania-zombie-response-team">Contact Us</a></li>
</ul>
</div>
<!-- Start contact content coding -->
<div id="contact">
<img src="images/leftlogo.png" alt="left logo" width="440px" style="float: left" />
<form name="contact" enctype="multipart/form-data" action="contact.php" method="post" onsubmit="return validate_fields(this)">
<ul>
<li>Name:<?php echo $yourname; ?><br />
<input type="text" size="30" name="name" id="name" /></li>
<li><br /></li>
<li>Email:<?php echo $email; ?><br />
<input type="text" size="30" name="email" id="email" /></li>
<li><br /></li>
<li>Problem:<?php echo $problem; ?><br />
<select name="problem">
<option value="website">Website Problem</option>
<option value="forum">Forum Problem</option>
<option value="misc">Miscellaneous</option>
</select></li>
<li><br /></li>
<li>Comments:<?php echo $comments; ?><br />
<textarea name="comments" id="comments" rows="5" cols="45"></textarea></li>
<li><br /></li>
<li><input type="submit" name="submit" value="Submit" />
&nbsp;
<input type="reset" name="reset" value="Reset" /></li>
</ul>
</form>

</div>
<!-- Start footer coding -->
<div id="footer">
<img src="images/footer.png" alt="footer logo" width="1000px" />
<a href="index.html">Home</a> | <a href="about-pennsylvania-zombie-response-team">About Us</a> | <a href="contact-pennsylvania-zombie-response-team">Contact Us</a><br /><p style="color: #FFF">Site by-<a href="http://www.webfinitydesign.com">Webfinity Design</a></p>
</div>
</div>
<script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script>
<script type="text/javascript">try { var pageTracker = _gat._getTracker("UA-10934935-1"); pageTracker._trackPageview(); } catch(err) {}</script>
</body>
</html>