[Phpwm] Securing feedback forms
Phil Beynon
phil at infolinkelectronics.co.uk
Wed Nov 1 20:37:53 GMT 2006
> > only from the beginning or end of the string though, not anywhere within
> > it.
> >
>
> Sigh. That'll teach me to read things properly in future...
>
> Thanks for all the suggestions. I'm now doing the following to user input:
> * checking the string length is not greater than the maxlength of
> the text box
> * checking for \n and \r control characters
> * doing addslashes, trim and strip_tags (to stop me receiving
> garbage, rather
> than to increase security)
> * checking for multiple occurrences of '@' in the provided from address
>
> Hopefully that should keep the spammers away for a while, unless
> anyone can
> think of something I've missed. I remember the days when you
> could just stick
> your e-mail address in a mailto: link on your website without fear...
>
> Cheers,
> David.
>
David,
Just do this;
if(!eregi ("^([a-z0-9_]|\\-|\\.)+@(([a-z0-9_]|\\-)+\\.)+[a-z]{2,4}$",
$emaila)) error_alert("Invalid email address");
function error_alert($msg){global $flag; $flag = 1; echo
"<script>alert(\"Error: $msg\");history.go(-1)</script>";}
Where $emaila is the incoming email address. $flag is used to control the
send based upon a successful series of tests, like required fields are
filled etc.
This will strip out anything like a \n \r additional @ signs etc
etc............
If you want to play with it on a live site then goto
http://www.ralphsutcliffeminerals.co.uk/notify.php and have a play and watch
it kick you back, you wont get signed up for the newsletter as its not a
100% live site yet - will be a few days though! :-)
Regular expressions are your friends and a very very powerful tool, learn to
use them!
One good regular expression can replace a heap of individual statements when
correctly done and is way more efficient.
Phil
Phil
More information about the Phpwm
mailing list