[Phpwm] Securing feedback forms

Phil Beynon phil at infolinkelectronics.co.uk
Tue Oct 31 16:07:26 GMT 2006


> Hi all,
>
> I've got a few sites that have a simple feedback form to allow visitors to
> send feedback to a hard-coded recipient. I thought the form was secure such
> that spammers couldn't use it to send spam, but it seems I was wrong. Only
> one spam actually got sent (and it bounced) but a spammer has evidently found
> a way to insert arbitrary headers into the mails my form is generating (BCC
> etc.).
>
> My current code is here:
> http://pastebin.co.uk/4915
>
> (btw, what happened to the PHPWM pastebin?)
>
> I'm intending to add addslashes() to it, but apart from that is there
> anything else I can/should do to sanitise input?
>
> TIA,
> David.

David,
Firstly stick all possible input variables through a regex to make it so
there can only be a maximum of one email address in the input, look at the
incoming IP address from the headers and if they have failed the above then
disallow any future sends for a day or so - you can do that with a small
MySQL blacklist table.
If your system allows cc / bcc then unset() those variables in your code.
I have a regex that works on all known email addresses if you require it.

Phil
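Putting the reply's advice into code, as an added example that is neither David's script (the pastebin link) nor Phil's regex: the field names are assumed, filter_var() stands in for the hand-written email regex, and the IP blacklist table is left out.

```php
<?php
// Added example: a hardened handler for a feedback form with a fixed recipient.
// Field names (name, email, subject, message) are assumed for illustration.
const RECIPIENT = 'feedback@example.com'; // hard-coded, never taken from input

// A CR or LF in a header value ends that header and lets the sender append
// new ones (Bcc:, Cc:, extra To:), which is the injection described above.
function hasHeaderInjection(string $value): bool
{
    return (bool) preg_match('/[\r\n\0]/', $value);
}

// At most one address: no separators that mail() could read as a second
// recipient, and a syntactically valid address (filter_var instead of a regex).
function isSingleEmailAddress(string $value): bool
{
    if (hasHeaderInjection($value) || preg_match('/[,;\s]/', $value)) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns ['ok' => bool, 'errors' => [...]] plus the validated fields.
// Only the listed keys are read, so any cc/bcc/to fields in the POST are ignored.
function validateFeedback(array $post): array
{
    $fields = [];
    foreach (['name', 'email', 'subject', 'message'] as $key) {
        $fields[$key] = trim((string) ($post[$key] ?? ''));
    }
    $errors = [];
    foreach (['name', 'subject'] as $key) {           // header-bound text fields
        if ($fields[$key] === '' || hasHeaderInjection($fields[$key])) {
            $errors[] = $key;
        }
    }
    if (!isSingleEmailAddress($fields['email'])) {
        $errors[] = 'email';
    }
    return ['ok' => $errors === [], 'errors' => $errors] + $fields;
}

$r = validateFeedback($_POST);
if (!$r['ok']) {
    http_response_code(400);
    exit('Rejected: ' . implode(', ', $r['errors']));
}
// Strip angle brackets so the name cannot forge the address part of From:.
$from = str_replace(['<', '>'], '', $r['name']) . ' <' . $r['email'] . '>';
mail(RECIPIENT, $r['subject'], $r['message'], 'From: ' . $from);
```

The message body is passed to mail() as-is, since only values that end up in headers can be used to add recipients.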
