I have a short php code to process a simple form. I want to make sure that the code is secure. I think it probably is secure but I am not 100% sure.
I am looking for some feedback so I can be sure the php is not vulnerable to attacks.
Here is the php:
<?php
if(!isset($_POST['submit']))
{
//This page should not be accessed directly. Need to submit the form.
echo "error; you need to submit the form!";
}
$name = $_POST['name'];
$visitor_email = $_POST['email'];
$message = $_POST['message'];
//Validate first
if(empty($name)||empty($visitor_email))
{
echo "Name and email are mandatory!";
exit;
}
if(IsInjected($visitor_email))
{
echo "Bad email value!";
exit;
}
$email_from = 'someemail@some.com';//<== update the email address
$email_subject = "New Form submission";
$email_body = "You have received a new message from the user $name.
".
"Here is the message:
$message".
$to = "someemail@some.com";//<== update the email address
$headers = "From: $email_from
";
$headers .= "Reply-To: $visitor_email
";
//Send the email!
mail($to,$email_subject,$email_body,$headers);
//done. redirect to thank-you page.
header('Location: thank-you.html');
// Function to validate against any email injection attempts
function IsInjected($str)
{
$injections = array('(
+)',
'(+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str))
{
return true;
}
else
{
return false;
}
}
?>
Here's a style that I like to use for forms. I use error collection that stores all errors in an array and only progresses if it is empty.And you should not only try to attempt to stop injection attempts in the email field, you should validate and clean up any data you receive from a user
<?php
if(($_SERVER['REQUEST_METHOD'] !="POST") || !isset($_POST['submit'])){
//This page should not be accessed directly. Need to submit the form.
$errors[]= "error; you need to submit the form!";
}else{
//Strip tags and slashes from the user input
//If these fields are optional we will not produce an error if they're blank
$name = strip_tags(stripslashes($_POST['name']));
$visitor_email = strip_tags(stripslashes($_POST['email']));
$message = strip_tags(stripslashes($_POST['message']));
//Validate firs
if(empty($name)||empty($visitor_email)){
$errors[]= "Name and email are mandatory!";
}
if(empty($errors)){
if(IsInjected($visitor_email)){
errors[]= "Bad email value!";
}
$email_from = 'someemail@some.com';//<== update the email address
$email_subject = "New Form submission";
$email_body = "You have received a new message from the user $name.
"."Here is the message:
$message".
$to = "someemail@some.com";//<== update the email address
$headers = "From: $email_from
";
$headers .= "Reply-To: $visitor_email
";
//Send the email!
if(mail($to,$email_subject,$email_body,$headers)){
//done. redirect to thank-you page.
header('Location: thank-you.html');
}else{
$errors[]="Unable to send email";
}
}
}//End of main block
if(!empty(errors)){
//Display errors to user
}
// Function to validate against any email injection attempts
function IsInjected($str){
$injections = array('(
+)',
'(+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str)){
return true;
}else{
return false;
}
}
?>