
PHP's mail(): What are potential issues to watch out for?

Tags: security, php

Given a contact form that accepts custom user input (e.g. address, subject line, message), what are some security implications and "gotchas" to be careful of?

At a minimum, the user's email address will have to be validated (likely using filter_var() or equivalent). From what I've read, this should also prevent additional headers from being injected into the script.

What about the subject line and message content though? Is any sanitation required for those fields? I figure an email client would prevent things like scripts from running automatically, and I'm not particularly worried about things like HTML tags (if someone wants to spend the time to style an email by hand, that's their prerogative - I just won't be seeing it :P). If sanitation is required, what's the best way of doing it without being too intrusive (i.e. keeping the nature of the email the same)?

Illianthe Avatar asked Jan 29 '11 00:01




2 Answers

If you are using the fourth argument, the optional headers, watch for inserting of extra headers, if you are doing something like this...

mail($to, $subject, $message, "From: $email");

If $email comes from user input and is not sanitized, a user could enter something like...

\n\rCC:[email protected]

You can avoid this by filtering out \n and \r, or validating $email using the filter_var($email, FILTER_VALIDATE_EMAIL) function.

alex Avatar answered Nov 15 '22 17:11



Ensure that people cannot inject linebreaks in anything but the body. Additionally, make the recipient static and never pass it e.g. through a hidden form field. However, adding such a field is not a bad idea; but block the IP if it's not set to the expected value - then your client is probably a spam bot.

ThiefMaster Avatar answered Nov 15 '22 19:11

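As an added example that is not from either answer above, here is a PHP contact-form sender that combines both points: the recipient is a fixed constant, the From address goes through filter_var(), and any CR/LF in a header-bound field (address or subject) is rejected rather than silently stripped. The constant and function names are hypothetical.

```php
<?php
// Added example: a mail() wrapper that keeps user input out of the header block.
// Recipient is fixed in code, never taken from the form (hidden field or otherwise).
const CONTACT_RECIPIENT = 'contact@example.com'; // assumed address

/**
 * Refuse any header-bound value that contains a line break.
 * A "\r\n" inside such a field is exactly what turns "From: x" into
 * "From: x\r\nCc: someone-else", so the request is rejected outright.
 */
function assertSingleLine(string $value, string $field): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return $value;
}

/**
 * Validate the form fields and hand them to mail().
 * Only the body may legitimately contain line breaks.
 */
function sendContactMessage(string $email, string $subject, string $body): bool
{
    // FILTER_VALIDATE_EMAIL rejects addresses containing whitespace or CR/LF,
    // which is what stops the "\r\nCc:" injection from the first answer.
    $from = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    $subject = assertSingleLine($subject, 'Subject');

    // Normalise body line endings to CRLF; the body is the one place
    // where multi-line user input is expected.
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body);

    // Headers are assembled here from validated values only.
    $headers = implode("\r\n", [
        'From: ' . $from,
        'Reply-To: ' . $from,
        'Content-Type: text/plain; charset=UTF-8',
    ]);

    return mail(CONTACT_RECIPIENT, $subject, $body, $headers);
}

// Constructed input reproducing the injection attempt: this throws
// "Invalid sender address" instead of adding a Cc header.
try {
    sendContactMessage("alice@example.org\r\nCc: other@example.net", 'Hi', 'test');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```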