0

I have a contact mail form on my website and I want to make this form secure enough. What is the best way to do this job? Is there any way to hide PHP variables that I send with POST to another page?

Any sample or link or idea?

By secure, I mean my data should be safe, since users will be entering their personal data, like passport number, SSN, etc., and I want that data to be safe in some way. I have read somewhere that with some injections there are people who can take the data sent by a form. I think I am clear now?

11
  • 1
    What is "secure"? It could mean many things. Commented Jul 13, 2010 at 18:12
  • 3
    @theatrus: no, the question is: what is "enough"? Commented Jul 13, 2010 at 18:15
  • Secure in what aspect? And what “PHP variables” do you want to send? Commented Jul 13, 2010 at 18:16
  • 4
    Securing of that kind can really only be achieved by using an SSL certificate to encrypt the exchange of posted data and protect it from any eavesdropping. Though you said this was a mail form - I definitely would not plan on transmitting anyone's SSN in email if that's the intention, since email itself is an unsecured medium. Commented Jul 13, 2010 at 18:23
  • 3
    If you're dealing with sensitive user data, like passport or credit card numbers, hire a competent developer who knows some basic security. I'd be very worried if I thought a system which handled this data was written by someone who doesn't know what HTTPS is. Commented Jul 13, 2010 at 19:09

5 Answers

7

Why hasn't anyone mentioned HTTPS?

Just make your form get submitted using the HTTPS protocol, and all of the data is transparently encrypted (this means you don't need to do anything to decrypt it in PHP, it just works).

3 Comments

How do I make my form be submitted using the HTTPS protocol? And how will that data be decrypted for the email you want to send it to?
You need to have an SSL certificate installed on your server and activated with your registrar. You can then make all elements within the form page (including the form's own action attribute) use https:// to open an HTTPS connection. This will encrypt the communication between the client and the server. Emailing SSN numbers or very sensitive personal information from PHP is still a bad idea, however.
It's not possible to send encrypted emails without requiring the recipient to decrypt them (by themselves or using a special client). Actually here's a related question: stackoverflow.com/questions/3146847/… . Regardless, you definitely should not email SSN or other sensitive information in plaintext.
3

Use HTML Purifier or OWASP.

HTML Purifier

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist

OWASP

The Open Web Application Security Project (OWASP) is the name for all the activities of the OWASP Foundation.

6 Comments

You should elaborate on that.
@Gumbo: I thought links were sufficient. Added anyways :)
@Gumbo The problem is the question is vague. HTML Purifier may not be appropriate, OWASP's recommendations may also have nothing to do with the question. And yet may. This answer is of course a shot in the dark.
@Artefacto: Agreed, the question isn't that clear, but it speaks about security so I posted some possible solutions about the security. I would have been more specific if the question was a bit clearer.
@sAc: No, just posting links is absolutely not sufficient. You should add some information on what can be found when following these links. Something like: “If you want to allow (some) HTML, use HTML Purifier. And for general recommendations on security in web applications, see OWASP.”
0

You should:

  • Require your users to apply a captcha (or sign in), to make it harder for bots to use your mail form.
  • Send mail to predefined addresses only (if possible).
  • Accept POST only (no GET), to prevent CSRF.
  • Disallow HTML in your mails.

Comments

0

The HTTPS protocol is the best solution. For spammer protection you can use a captcha. If you are passing variables from one server to another, you can make it more protected using encryption.

Comments

0

If by secure, you mean relatively protected from spammers, one good thing to do among many others is to have an email input field for the end user to put their reply-to that actually enforces valid MX entries.

    function isValidEmail($email) {
        // Basic syntax check; the pattern is kept on one line so no line break ends up inside the regex
        $pattern = '/^([a-z0-9])(([-a-z0-9._])*([a-z0-9]))*\@([a-z0-9])*(\.([a-z0-9])([-a-z0-9_-])([a-z0-9])+)*$/i';

        if (!preg_match($pattern, $email)) {
            return false;
        }

        // Split email address into username and domain name
        list($user_name, $mail_domain) = explode("@", $email);

        // Accept the address only if its domain publishes an MX record
        if (checkdnsrr($mail_domain, "MX")) {
            return true;
        }

        return false; // Invalid email address
    }

Certainly not a comprehensive solution, but it does help a great deal to cut out automated submissions.

2 Comments

Because that's not a very good way of checking for valid email addresses. A regex would be a better solution. PS: I am not the one who downvoted it, but I believe that would be the reason why they did it.
I could agree there - didn't actually catch that when I copied my older file - the one I use now has filter_var($email, FILTER_VALIDATE_EMAIL) followed by the domain check. The MX part was what I was trying to emphasize and I forgot to even check the first half in the older code.
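
The checks suggested across the answers above, combined into one handler as an added example (not code from any of the posts): HTTPS required, POST only, a predefined recipient, plain-text mail, and a reply-to validated with filter_var followed by the MX lookup. The recipient addresses, field names and function names are assumptions made for illustration.

```php
<?php
// Added example. RECIPIENTS, the field names and both function names are assumptions.
// Predefined recipients: the form submits a key, never an address.
const RECIPIENTS = [
    'support' => 'support@example.com',
    'sales'   => 'sales@example.com',
];

// Syntax check with filter_var, then require an MX record for the domain.
function isValidReplyTo(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return checkdnsrr(substr(strrchr($email, '@'), 1), 'MX');
}

// Returns [HTTP status, message]; mail is sent only when every check passes.
function handleContact(array $server, array $post): array
{
    // Assumes PHP sees the TLS connection directly (no TLS-terminating proxy).
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return [403, 'HTTPS required'];
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'POST only'];
    }
    // Treat anything that is not a string (e.g. email[]=x) as empty.
    $field   = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    $to      = RECIPIENTS[$field('department')] ?? null;
    $replyTo = $field('email');
    $message = $field('message');
    if ($to === null || $message === '' || !isValidReplyTo($replyTo)) {
        return [422, 'Invalid input'];
    }
    // Plain text only: markup is stripped and the type is declared text/plain.
    $headers = [
        'Content-Type' => 'text/plain; charset=UTF-8',
        'Reply-To'     => $replyTo, // passed FILTER_VALIDATE_EMAIL, so no CR/LF
    ];
    $sent = mail($to, 'Contact form message', strip_tags($message), $headers);
    return $sent ? [200, 'Sent'] : [500, 'Mail failed'];
}

[$status, $text] = handleContact($_SERVER, $_POST);
http_response_code($status);
echo $text;
```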
