is my html form secure?
#1
I want to make sure my HTML form is secure (if it's even possible) to prevent any information from being stolen, so please review my HTML form code and I'll also post up my form processor.


xhtml:
Code:
<form name="contact" enctype="multipart/form-data" action="contact.php" method="post" onsubmit="return validate_fields(this)">
<ul>
<li>Name:<br />
<input type="text" size="30" name="name" id="name" /></li>
<li><br /></li>
<li>Email:<br />
<input type="text" size="30" name="email" id="email" /></li>
<li><br /></li>
<li>Problem:<br />

<select name="problem">
<option value="website">Website Problem</option>
<option value="forum">Forum Problem</option>
<option value="misc">Miscellaneous</option>
</select></li>
<li><br /></li>
<li>Comments:<br />
<textarea name="comments" id="comments" rows="5" cols="45"></textarea></li>
<li><br /></li>
<li><input type="submit" name="submit" value="Submit" />
&nbsp;
<input type="reset" name="reset" value="Reset" /></li>

</ul>
</form>

php:
Code:
<?php

$name = $_POST["name"];
$email = $_POST["email"];
$problem = $_POST["problem"];
$comments = $_POST["comments"];

$address_to = "removed for privacy";
$address_from = "removed for privacy";
$email_subject_line = $name . "'s form";

$email_text = "Name? " . $name .
"\nEmail? " . $email .
"\nProblem? " . $problem .
"\nComments? " . $comments;

// mail()'s fourth argument is a block of extra headers, not a bare address
mail($address_to, $email_subject_line, $email_text, "From: " . $address_from);

?>
#2
Not secure at all. Easily used to spam email. You have to cleanse the input.
Superman I am here to rescue you.
This is Support Forums not Support PMs.  Do not PM me for support unless it's private and site related.
#3
Yeah, like Omni said, this isn't secure in any way, shape, or form.
#4
At the very least use htmlspecialchars() around the $_POST variables, if this was going to a database you'd be in trouble. Look at the second code block here: http://wwww.w3schools.com/php/php_secure_mail.asp
MyBB Support Team Lead
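Posts #2 and #4 say the processor has to cleanse its input and that it can be used to send spam, but neither shows what that looks like. The block below is an added example, not the original poster's code or MattR's: a hardened version of the contact.php from post #1. The field names (name, email, problem, comments) and the option values (website, forum, misc) come from the posted form; the addresses, the `build_contact_mail()` helper and the sample submissions are constructed for the demo. The important point is that the spam problem is email header injection (a line break in a value that lands in Subject:, From: or Reply-To: lets the sender append Bcc: headers), and htmlspecialchars() does nothing about line breaks, so the header-bound fields need a line-break check and the select value needs a whitelist.

```php
<?php
// Added example (not the original poster's code): hardened contact-form mailer.
// Field names and <select> values are from the form in post #1; the addresses
// and sample payloads below are constructed for this demo.

declare(strict_types=1);

const ADDRESS_TO    = 'support@example.invalid';  // assumption: site mailbox
const ADDRESS_FROM  = 'noreply@example.invalid';  // assumption: fixed sender
const PROBLEM_TYPES = ['website', 'forum', 'misc']; // values from the <select>

// Anything that reaches an email header must not contain a line break:
// "\r\n" or "\n" (raw, or URL-encoded in case a later layer decodes) lets
// an attacker append Bcc:/Cc: headers and turn the form into a spam relay.
// htmlspecialchars() leaves these characters alone, so it is not enough here.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]|%0[aAdD]/', $value) === 1;
}

// Validate and normalise the POST fields. Returns [$subject, $body, $headers]
// on success, or throws so the caller can show an error instead of mailing.
function build_contact_mail(array $post): array
{
    $name     = trim((string)($post['name']     ?? ''));
    $email    = trim((string)($post['email']    ?? ''));
    $problem  = (string)($post['problem']  ?? '');
    $comments = trim((string)($post['comments'] ?? ''));

    if ($name === '' || strlen($name) > 100 || has_header_injection($name)) {
        throw new InvalidArgumentException('invalid name');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || has_header_injection($email)) {
        throw new InvalidArgumentException('invalid email');
    }
    // Whitelist: only the values the <select> actually offers.
    if (!in_array($problem, PROBLEM_TYPES, true)) {
        throw new InvalidArgumentException('invalid problem type');
    }
    if ($comments === '' || strlen($comments) > 4000) {
        throw new InvalidArgumentException('invalid comments');
    }

    // Subject and headers only ever contain validated, line-break-free data.
    // The sender is a fixed site address; the user's address goes in Reply-To,
    // so the site never sends mail "from" an arbitrary domain.
    $subject = 'Contact form: ' . $name;
    $headers = "From: " . ADDRESS_FROM . "\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    // Line breaks in the body are harmless; the body is not parsed as headers.
    $body = "Name: $name\nEmail: $email\nProblem: $problem\nComments:\n$comments\n";

    return [$subject, $body, $headers];
}

// Constructed sample input: a legitimate submission and a header-injection attempt.
$legit = [
    'name'     => 'Alice',
    'email'    => 'alice@example.invalid',
    'problem'  => 'forum',
    'comments' => "Login fails.\nSecond line of the report.",
];
$attack = $legit;
$attack['email'] = "alice@example.invalid\r\nBcc: spam1@example.invalid, spam2@example.invalid";

foreach (['legit' => $legit, 'attack' => $attack] as $label => $post) {
    try {
        [$subject, $body, $headers] = build_contact_mail($post);
        echo "$label: accepted\n$headers";
        // Only now is it safe to hand the pieces to mail():
        // mail(ADDRESS_TO, $subject, $body, $headers);
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

Running this offline prints the legitimate submission as accepted with its headers, and the injected one as rejected (invalid email) before anything is handed to mail(). htmlspecialchars() still belongs on the values when they are echoed back into the page, as in post #5, but that is output escaping for the browser, not input validation for the mailer.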
#5
(03-06-2010, 06:55 AM)MattR Wrote: At the very least use htmlspecialchars() around the $_POST variables, if this was going to a database you'd be in trouble. Look at the second code block here: http://wwww.w3schools.com/php/php_secure_mail.asp

how's this look now?

Code:
<?php
// Read each POST field only if it is present (avoids undefined-index notices)
// and HTML-escape it before echoing it back into the page. The field is
// named "name" in the form, so read $_POST['name'], not 'yourname'.
$name     = isset($_POST['name'])     ? htmlspecialchars($_POST['name'])     : '';
$email    = isset($_POST['email'])    ? htmlspecialchars($_POST['email'])    : '';
$problem  = isset($_POST['problem'])  ? htmlspecialchars($_POST['problem'])  : '';
$comments = isset($_POST['comments']) ? htmlspecialchars($_POST['comments']) : '';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Contact the PAZRT- Pennsylvania Zombie Response Team</title>
<meta http-equiv="Content-Language" content="en-us" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="author" content="Pennsylvania Zombie Response Team" />
<meta name="copyright" content='All Copyright Pennsylvania Zombie Response Team, all rights reserved' />
<meta name="description" content="PAZRT- Pennsylvania Zombie Response Team is an elite group of people dedicated to the preservation of the human race in the face of a looming zombie outbreak" />
<meta name="keywords" content="pazrt, zrt, pennsylvania zombie response team, pennsylvania zrt, zombies, zombie response team, guns, knives, survival" />
<link href="layout.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="validation.js"></script>
</head>
<body>
<!-- This is the main div -->
<div id="wrapper">
<!-- Start logo coding -->
<div id="logo">
<img src="images/logo.png" alt="main logo" height="168px" style="width: 100%" />
</div>
<!-- Start navigation bar coding -->
<div id="navigation">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="about-pennsylvania-zombie-response-team">About Us</a></li>
<li><a href="http://www.pazrt.com/forum">Forums</a></li>
<li><a href="http://www.pazrt.com/gallery/main.php">Gallery</a></li>
<li><a href="http://wiki.pazrt.com">Wiki</a></li>
<li><a href="http://www.pazrt.com/forum/usermap.php">Member Map</a></li>
<li><a href="#">Social<!--[if gte IE 7]><!--></a><!--<![endif]-->
<!--[if lte IE 6]><table><tr><td><![endif]-->
<ul>
<li><a href="http://www.twitter.com/pazrt">Twitter</a></li>
<li><a href="http://www.facebook.com/pages/Pennsylvania-Zombie-Response-Team/10150095905020602">Facebook</a></li>
<li><a href="http://www.youtube.com/pazrt">Youtube</a></li>
</ul>
<!-- End Links drop-down menu -->
<!--[if lte IE 6]></td></tr></table></a><![endif]-->
</li>
<li class="selected"><a href="contact-pennsylvania-zombie-response-team">Contact Us</a></li>
</ul>
</div>
<!-- Start contact content coding -->
<div id="contact">
<img src="images/leftlogo.png" alt="left logo" width="440px" style="float: left" />
<form name="contact" enctype="multipart/form-data" action="contact.php" method="post" onsubmit="return validate_fields(this)">
<ul>
<li>Name:<?php echo $name; ?><br />
<input type="text" size="30" name="name" id="name" /></li>
<li><br /></li>
<li>Email:<?php echo $email; ?><br />
<input type="text" size="30" name="email" id="email" /></li>
<li><br /></li>
<li>Problem:<?php echo $problem; ?><br />
<select name="problem">
<option value="website">Website Problem</option>
<option value="forum">Forum Problem</option>
<option value="misc">Miscellaneous</option>
</select></li>
<li><br /></li>
<li>Comments:<?php echo $comments; ?><br />
<textarea name="comments" id="comments" rows="5" cols="45"></textarea></li>
<li><br /></li>
<li><input type="submit" name="submit" value="Submit" />
&nbsp;
<input type="reset" name="reset" value="Reset" /></li>
</ul>
</form>

</div>
<!-- Start footer coding -->
<div id="footer">
<img src="images/footer.png" alt="footer logo" width="1000px" />
<a href="index.html">Home</a> | <a href="about-pennsylvania-zombie-response-team">About Us</a> | <a href="contact-pennsylvania-zombie-response-team">Contact Us</a><br /><p style="color: #FFF">Site by-<a href="http://www.webfinitydesign.com">Webfinity Design</a></p>
</div>
</div>
<script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script>
<script type="text/javascript">try { var pageTracker = _gat._getTracker("UA-10934935-1"); pageTracker._trackPageview(); } catch(err) {}</script>
</body>
</html>

